Commerce & Technology Partner Mark O'Shea considers the risks posed by permitting the use of personal devices in the workplace.

You could be forgiven for thinking that 'BYOD' is an extension of the Australian 'BYO' ('Bring Your Own' booze) terminology for unlicensed restaurants.

But to technology users the acronym 'BYOD' has an altogether different meaning, standing for 'Bring Your Own Device'. It refers to the practice (authorised or unauthorised) of employees bringing their own mobile devices, be they laptops, iPads or other tablet devices, mobile telephones, iPhones or Androids, or even USB memory sticks, into the workplace.

So what's the issue?

There can be clear commercial advantages to enabling your employees to work flexibly and remotely, and the plethora of available devices on the market facilitates such working practices.

However, there are several potential problems with permitting free and easy access and use.

Mobile devices can, and often do, have enormous data storage capacity. Given the ease and speed of downloading electronic data, the risk is that an employee, particularly a disgruntled or departing one, is able to copy, move, use, disclose and/or sell your commercially sensitive business information – customer lists, supplier details, management accounts and financial data, etc.

Although confidentiality obligations, express or implied, are likely to be in place, we all know how difficult it can be to put the genie back in the bottle once information has been disclosed! It may be possible to seek an injunction, but there is no sure-fire guarantee that one will be granted and there will be associated costs involved.

Also, BYODs pose the risk of introducing harmful code, viruses, Trojans, etc. to your systems, depending on what security systems you have in place. Some devices are also more susceptible to hacking and other undesirable attention.

What's the solution?

As is often the case, there is no 'silver bullet', single-shot remedy, and the best advice is to adopt a range of measures to minimise the risk to your business. These include:

  1. Deciding whether or not to allow your employees to use their own devices in the workplace, or whether only those devices you supply are permitted.
  2. Stipulating which devices you will support and, by default, those you will not. This involves assessing your own security requirements and ensuring that the security measures on any employee-owned devices have not been compromised.
  3. Employing mobile device management software/applications to enable you to remotely manage devices and to provide secure applications, such as email and web browsers. The software/application needs to give you the ability to locate lost or stolen devices, to lock the device within a timeframe, and to erase data.
  4. Specifying any 'apps' that must not be used or appear on any devices.
  5. Carrying out a review of your system security policies and updating them as necessary, as it may be difficult in practice for many businesses to police the use of devices.
  6. Ensuring that you have clear, written usage policies in place aimed at those employees who will be using their own devices and, ideally, having those employees sign a statement to the effect that they have read and will adhere to those policies.
  7. Providing training to ensure that employees use their devices and applications properly, and that they are alert to potential security issues.
  8. Insisting on the use of a Personal Identification Number and password protection, and ensuring as far as possible that data is encrypted.

There will be merit in engaging with your employees on the use of BYODs to understand their needs and requirements, which can then be weighed against the needs and requirements of your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.