The phrase “bring your own device”, or BYOD, is famous in corporate circles. The phrase means employees can use personal portable devices such as mobile phones for office work.

This seems like a good idea on the surface, but there are a few things to keep in mind before taking this route.

Using personal devices to access corporate information systems can be a cybersecurity risk if proper data security measures aren't taken.

Many personal devices are unprotected or have minimal protection against external attacks; they lack important security settings and features. Malware and other cyber threats could enter the corporate network through personal mobile phones.

There are other subtle security challenges. When an employee connects their phone to the company network and then creates a hotspot on their phone to connect other gadgets, the IT team are unlikely to see the tethered devices.

Such devices could expose the company network to a whole new and unsafe cyber world. Without realising it, staff also expose their personal information to their organisation when they connect their devices to the corporate network.

It becomes difficult to distinguish between personal and corporate information as they are both on the same phone. Similarly, sensitive or classified company information might find its way onto personal devices, thereby compromising privacy and confidentiality.

In the event of a lost or stolen device with company data, the organisation may want to wipe it remotely, which would erase all data, including personal information.

Using personal devices for work raises further questions. For example, would your office foot the cost of repairing or replacing your device if it breaks or is stolen?

Security standards

If an organisation does not want staff to use their own devices for work, it can buy devices and configure them to the appropriate security standards before giving them out to staff. Organisations can use this policy to select the devices that are allowed on the network, ideally those that meet the minimum security requirements mandated by the organisation.

Such a device now becomes exclusively used for work, ensuring a clear distinction between work and personal business.

By using this option, company resources are protected from personal activity risks, and personal information is protected from unauthorised or unethical access by the organisation. Obviously, this adds another hassle, as the employee must carry two phones, a personal one and another for the office.

Overall, the question of using personal devices for work is not an easy one to solve. Organisations should have a clear policy on how staff can use their devices for work, especially those that connect to their network.

Company legal officers should examine the legal implications of mobile devices, as using personal devices for work increases an organisation's liability, especially through intentional and inadvertent information leakage.