Risks and controls of staff bringing their own devices to work

3 January 2017

Remember the days when laptops, smartphones and tablets didn’t exist? Remember when people had to be more creative about taking a “break” at work instead of just perusing Instagram on their phones? Well, those days are over.

These days, you’d be hard-pressed to find an employee who doesn’t own at least one of the above-mentioned three devices for their own personal use. (And if you do find such an employee, please introduce us to this wizard.) The risk to your business arises when an employee owns any of these types of devices and also uses them to access work-related data.

But there is no need to panic and start demanding that your employees cease to own personal devices. All you need to do is inform yourself — know what the risks are and have a handle on how to rationally control them. Fortunately, we can help with that.

What are the risks?

Below is a list of the most pertinent concerns.

Theft or loss of personal devices

This one is pretty straightforward: If your employees’ personal devices are lost or stolen, what kind of work-related information on those devices might also be lost or stolen and what kind of impact will be felt if that information gets into the wrong hands?

Software security

Is the software on the personal devices of your employees up-to-date? If not, it could leave their devices — and, therefore, any work-related information on those devices — open to hackers. What kind of anti-virus software do your employees’ personal devices have, if any? Are they using cloud storage? If so, this may present some concerns if any sensitive work-related data is being backed up to the cloud.


We’re about to get awfully technical, but it’s worth examining with the help of a legal adviser whether your employees using their personal devices for work purposes might contravene any laws — for example, the Privacy Act or the Freedom of Information Act. Of course, whether or not such laws are relevant will be dependent on the nature of your business, as well as the nature of the business employees are conducting on their personal devices.

The “personal” of personal devices

Basically, how does your employees’ personal use of their devices affect their professional use of those devices? For example, what kinds of apps are they using, and are those apps trustworthy and legitimate or do they expose the device to malware and hacking concerns? Do they illegally stream content on their devices, and does this expose those devices to viruses? Are they logged on to your business network when they do anything on their devices that is not work-related, and how might this reflect on your business? Is your business implicated if any of these activities are not exactly legal?

How can I go about controlling these risks?

There is a range of options available to help control these risks. Your best bet is to have a risk management plan in place specifically for the use of personal devices to conduct work-related activity. Such a plan will be best served by including a combination of the following steps that require action by both you and your employees.

Your employees

  • Passwords — while employees ensuring any personal devices they use for work-related purposes are password-protected won’t solve all your problems, it will help.
  • Update software — employees should be installing new operating system versions on their devices as soon as possible.
  • Keep personal use limited — of course, if they’re on their own time, they