The boundaries between personal and work devices are blurring – in a typical week almost three-quarters (73 per cent) of office workers now use one or more personal devices, such as smartphones, to do their work; nearly half (45pc) use two or more. The online research from BAE Systems Detica by YouGov shows, however, that this is not leading to increased security vigilance from staff, thereby increasing the strain on UK businesses’ security operations and their ability to protect their data.
Three in ten office employees (30pc) do think they should be made directly responsible for data loss or theft, with 44pc saying both they and the company should be equally responsible. Only 13pc thought it was solely the company’s responsibility.
But despite this, and the increasing use of personal devices for work purposes, a significant proportion of employees are not taking steps to protect the security of their devices. One third (34pc) of office workers with a personal device have failed to update their personal device security in the last six months, while a further third of those (11pc in total) have never installed or updated security for their own devices. Unprotected devices holding sensitive information offer an open goal to cyber criminals looking to extract company secrets.
The implications of this will be felt most keenly by businesses, especially says the arm of defence firm BAE after recent Information Commissioner’s Office (ICO) guidance which clarifies that companies are accountable for the loss of data by their employees, irrespective of whether it was on a personal or work device. So, while the boundaries between personal and work devices may be blurring, the responsibility for a security breaches is crystal clear, and lies squarely with the employer.
In addition, it appears that employees underestimate the security threat posed, with half failing to recognise that unsecure personal devices may potentially make their employer vulnerable to a cyber attack, despite nearly one in five (18%) experiencing a compromise to their personal device in the past six months.
What is more encouraging is that employees show a willingness to improve security, providing that their employers take the lead. More than half (53pc) would not object to their employer strengthening security for their personal device, compared to 26pc who would object. Employees are therefore willing to engage in the security challenge, but employers need to be proactive, Detica suggested.
Yet the research indicates that companies are not taking advantage of this employee attitude; over a quarter of office workers (27pc) claim their company has not outlined any sort of policy on using their personal device for work purposes.
Vincent Geake, director of secure mobility at BAE Systems Detica, said: “BYOD policies improve flexible working and allow businesses to be more agile, however if firms fail to protect their employees’ devices, they risk incurring increasing disclosure and financial penalties, not to mention the likelihood of falling victim to cyber attack.
“Our research shows that there is a willingness of staff to engage in the security debate and to share the responsibility for security, but they are really looking for employers to take the lead. Businesses must capitalise on this and educate employees about the risks of using their own devices and non up- to-date security. This is even more pertinent given that responsibility for a security breach involving customer data lies with the company itself and not its staff.
“The message is clear for employers, engage with your employees and understand the way they want to use personal devices and how this will help your business. Conduct a prioritised assessment of the risk this represents and develop a clear policy explaining how your employees should use these devices and setting out the security measures you need to protect your information. Properly thought through security should provide benefits to your employees without unnecessarily impacting on their enjoyment of their personal devices.”
