In terms of data ownership, allowing employees to put company data on a personal device, means a degree of loss of control over that data, compared with retaining it safely within the company … be it a network, in the cloud or on a company-owned portable device.
An employee’s device can be difficult to monitor effectively; it can be difficult to know what data is stored on the device if lost or stolen; and when the employee leaves it could be impossible to retrieve the data. It can be difficult to encrypt personal data on an employee device … potentially contravening the Data Protection Act. In addition, if a personal device which is used for work purposes, there is a grey area around who provides and pays for technical support.
The risks
- Theft of company data by an employee.
- Loss or theft of company data if the device is lost or stolen.
- Malicious or inadvertent introduction of malware on to company systems.
- Loss of compliance with your industry regulations or standards.
- Spiralling costs for technical support for ‘unknown’ devices.
- Data limits being exceeded through employees downloading large files (such as movies) via the company network.
- Employee timewasting through visiting websites / using applications on personal devices.
- Incompatibility of software products or versions.
Advice on personal devices at work
- Decide whether it is necessary to allow the use of personal devices in the workplace: does the business benefit outweigh the costs and risks?
- If so, decide to what extent should the use of personal devices should be permitted (types of device, for what purpose and by whom).
- Carry out a risk assessment and ensure that adequate controls are in place to reduce risks to the business.
- Consider the implications of the Data Protection Act.
- Ensure that personal devices usage is included in your acceptable use policy – for example in employee contracts and staff handbooks.
- Consider implementing one of the many available mobile device management solutions on the market today.
