How a secure BYOD policy can protect your business from the threat of ransomware

With the rise in flexible working, more businesses are allowing employees to use their own devices for work. How can small businesses make sure that the devices used by their staff are secure from ransomware attacks?

Many employees like the idea of using their own phone, tablet, or laptop for work as well as leisure – at least to begin with. What they love about “bring your own device” (BYOD) policies is the sense of freedom it gives them.

They no longer have to drag two phones and their chargers round with them – and they can just check all their emails from work and home on their own phone. Even better, their employers may well pick up part of the bill.

As useful as it can be, there is a great risk for organisations that do not adequately manage the use of BYOD devices. The recent WannaCry malware attack held businesses and organisations to ransom that were using computers without the latest security patches installed: a patch that was available months before the malware struck.

With the increase in staff working remotely, BYOD is increasingly becoming commonplace. As this method of working continues to grow in popularity, so does the need for SMBs to make sure that the devices used by their staff are secure.

But how?

Because the device is personal, the safety of company data is at the mercy of the user and can be difficult to monitor.

There is no guarantee that the device will be updated with the latest security updates, or even be locked with a secure password. Without sufficient protection, not only is company data on the device at risk, it is possible that malware could use an unsecure device as a means to access the company’s network.

To manage this from a technical perspective, many businesses – large and small – have turned to Mobile Device Management (MDM) software. This software can check that personal devices used for work have the latest software updates and antivirus installed. MDM software can also check if commercial data has been wiped, if the phone is stolen or compromised.

However, it is not as simple as implementing the software. Notifications telling an employee to download an app to a personal device being used for work, will signify at least two things: one, that their employer has woken up to the security risks of a personal device being used for work; and two, that their employer has access to their personal device, meaning visibility of the data captured, transmitted, and stored on it.

Surveys regularly show that the major anxieties around privacy are commonly focused around who can see the pictures of their kids, what happens to their holiday snaps if the phone is stolen and the data is wiped by the employer, whether their movements will be tracked while they are at work – or outside it – and the impact on the performance and battery life of their phone.

The problem for employers is that many of these fears are justified. New technology means that even a connection with the company via something like Microsoft Exchange ActiveSync means that IT staff can remove personal data from an employee’s phone. And MDM requires much more access to personal information on the phone.

Communication is key

For BYOD to be both an effective security measure and not make staff feel as though they are being spied on, it is vital to raise awareness through training. The issues around BYOD shouldn’t be framed as privacy verses surveillance, but as finding a balance that serves everyone’s needs.

Employers can take the lead by developing a robust yet reasonable BYOD policy before allowing employees to use their personal devices for work. Few would dispute that.

  • Policies must mitigate risks to the business and employees.

no business or individual wants to be the victim of a ransomware attack like WannaCry. Such an attack could cripple the employer and the employee because both commercial and personal data and devices may be held to ransom or impounded.

  • Policies also need to be fair, easy to understand and transparent.

Explaining the policy to employees and encouraging them to ask questions, even awkward ones, is vital to creating a sense of fairness and trust.

  • Practical training is equally important.

Malware evolves rapidly and much quicker than software development. As such, employees may need training – even on their own devices – on how to install the latest software updates and what to look out for in terms of the latest malware.

  • Policies, to be effective, also need to be updated and employees made aware of the changes.

Education leads to understanding

Ultimately if employees understand what they have signed up for, they are more likely to behave in ways which help protect the business and their employment. They may also be less likely to believe their privacy has been unnecessarily invaded or deeply concerned that their personal data will be scrutinized, exposed, deleted, or confiscated.

Ultimately, if employers and employees both understand and follow a secure BYOD strategy, the risk of ransomware attacks can be greatly reduced.

Praseeda Nair

Kellen Rempel

Praseeda was Editor for from 2016 to 2018.

Related Topics

Tech Jobs & Careers