08.07.2021

Bring Your Own Device (BYOD) – Private Devices in Professional Use


For many IT devices, there is no clear separation between professional and private life. Work e-mails are quickly checked on the private smartphone. The big presentation travels home from the office on a USB stick and comes back revised. In the home office due to the pandemic, the private laptop replaces the company's own desktop computer.

In short: many private devices find their way into working life. Recognizing this is the first step in minimizing the security risks they pose.


The key term: BYOD – Bring Your Own Device

Bring Your Own Device means exactly what it says: employees bring their own devices to work. BYOD therefore refers to the use of private devices in professional life. Usually, this means smartphones, tablets and laptops.

However, many other private devices are now Internet-enabled or are quickly connected to the company’s IT in everyday work. For example, the smartwatch may access the internal Wi-Fi. Fitness trackers and e-readers can be charged via USB on the company computer if required. The more complex these devices are, the more important it becomes for companies to consider their usage.


What BYOD means for IT security and data protection

The mixing of personal and professional use can mean additional cyber risks for the company in question. Just one example: privately used devices may not be updated as quickly as the company IT. As a result, known security vulnerabilities stay open longer on private devices and can be exploited by malware. This malware can then spread throughout the company by e-mail or the next time the device logs in to the company network. The consequences are unpredictable: it may be ransomware that encrypts all data, or spyware that specifically targets valuable trade secrets.

The issue of data protection, or more precisely the protection of personal data, must also be taken into account in BYOD. For example, a private smartphone on which work e-mails are also stored can be lost, stolen or briefly handed to another person. In all these cases, unauthorized third parties potentially have access to the work e-mails and the personal data they contain.


What should companies do about BYOD?

In principle, every company should establish clear guidelines for BYOD: how the company itself deals with the issue, and how its employees should deal with it. The clearer the requirements of the policy, the better all parties involved can adhere to them.


Some typical aspects of a BYOD policy:

  • Access control to the devices through screen locks, passwords, PINs and the like
  • Controlled access to corporate Wi-Fi, e.g. through VPN
  • Handling of company data
  • Dealing with backups
  • Use of virus scanners
  • Update practice to keep devices up to date
  • Setting up separate work and private areas on the devices
  • Possible remote wipe of data on the devices
  • Encryption, for example of e-mails and data
  • Procedure when employees leave the company
  • Procedure when employees join the company


Create these guidelines in consultation with your IT department, your external IT service provider or a specialized IT security company such as Perseus.


What should employees do about BYOD?

There’s no question about it: If your company already has a BYOD policy, follow it. But in many companies, devices used both professionally and privately have not yet been addressed.

Don’t let that stop you from acting prudently.

Follow the basic rules for increasing cybersecurity:

  • Always turn on the screen lock when you’re not working on the device
  • Protect every device with a password, PIN, fingerprint, facial recognition, etc.
  • Install updates promptly
  • Pay attention to password security
  • Create backups
  • When installing new software and new apps, make sure they come from a reputable source
  • Use virus scanners, for example to check USB sticks before use
  • Be on the lookout for phishing attacks in your professional and private life and be critical of e-mails, attachments and links