Know Risk is a community education program designed by the Australian and New Zealand Institute of Insurance and Finance (ANZIIF) to improve our understanding of insurance and how it relates to managing the many risks we all face in life.
Risks and controls of staff bringing their own devices to work
Protecting your business from within
Remember the days when laptops, smartphones and tablets didn’t exist? Remember when people had to be more creative about taking a “break” at work instead of just perusing Instagram on their phones? Well, those days are over.
These days, you’d be hard-pressed to find an employee who doesn’t own at least one of the three devices mentioned above for their own personal use. (And if you do find such an employee, please introduce us to this wizard.) When an employee owns any of these devices and also uses it to access work-related data, therein lies the risk to your business.
But there is no need to panic and start demanding that your employees cease to own personal devices. All you need to do is inform yourself — know what the risks are and have a handle on how to rationally control them. Fortunately, we can help with that.
What are the risks?
Below is a list of the most pertinent concerns.
Theft or loss of personal devices
This one is pretty straightforward: If your employees’ personal devices are lost or stolen, what kind of work-related information on those devices might also be lost or stolen and what kind of impact will be felt if that information gets into the wrong hands?
Out-of-date software and cloud storage
Is the software on the personal devices of your employees up-to-date? If not, it could leave their devices — and, therefore, any work-related information on those devices — open to hackers. What kind of anti-virus software do your employees’ personal devices have, if any? Are they using cloud storage? If so, this may present some concerns, as any sensitive work-related data on the device may be backed up to a cloud service outside your control.
Legal implications
We’re about to get awfully technical, but it’s worth examining with the help of a legal adviser whether your employees using their personal devices for work purposes might contravene any laws — for example, the Privacy Act or the Freedom of Information Act. Of course, whether or not such laws are relevant will depend on the nature of your business, as well as the nature of the business employees are conducting on their personal devices.
The “personal” of personal devices
Basically, how does what your employees use their devices for on a personal level affect what they use their devices for on a professional level? For example, what kinds of apps are they using and are they trustworthy and legitimate or do they expose the device to malware and hacking concerns? Do they illegally stream content on their devices and does this expose those devices to viruses? Are they logged on to your business network when they do anything on their devices that is not work-related and how might this reflect on your business? Is your business implicated if any of these activities are not exactly legal?
How can I go about controlling these risks?
There is a range of options available to help control these risks. Your best bet is to have a risk management plan in place specifically for the use of personal devices to conduct work-related activity. Such a plan is best served by including a combination of the following steps, which require action by both you and your employees.
- Passwords — ensuring that every personal device used for work-related purposes is password-protected won’t solve all your problems, but it will help.
- Update software — employees should install new operating system versions on their devices as soon as they are available.
- Keep personal use limited — of course, if they’re on their own time, they can use their devices for personal means to their hearts’ content. But if they’re on your business network, then they should be doing business-related tasks.
- Nothing illegal — illegal downloading or streaming isn’t ideal in any situation, but certainly not when they’re on your business network, regardless of whether the reasons for it are business-related or personal.
Engage the services of IT professionals to ensure security is as sound as possible. They may encourage you to consider the following measures (which they will obviously implement as part of their service):
- Implement multi-step authentication if employees are accessing the business network remotely.
- Implement back-up procedures that ensure any work data on a personal device is regularly backed up to a server.
- Create a data centre where sensitive information is kept and prevent such information from being saved to a personal device.
- Assess the legal implications and ensure you are not at risk of breaking any laws.
- Consider installing tools that audit, and limit, the personal use of personal devices on your business network.
- Install systems that limit access to business information from personal devices.
- Prevent access to websites that are considered high-risk for malware and viruses.
While these are by no means exhaustive lists, they are a start.
Some final thoughts
Of course, a risk management plan is great, but it will be ultimately useless if you fail to communicate and implement it properly. Ensure that the plan is communicated effectively to all employees, and make sure it is clear, so there is no confusion about what employees should and shouldn’t be doing when using their personal devices for work-related activity.
Also, be sure to adjust the policy as technology changes and as the need arises. When it comes to technology, things progress quickly and never stay the same for long, so as technology changes, so should your risk management plan.
And, finally, if you have any further concerns or are unsure about how this particular issue affects your business, be sure to engage a trusted business adviser who can assess the nature of your company and help you come up with a risk management plan perfectly tailored to your business’s specific needs.