Of more than 500 SMEs polled in the UK, 61% said they had experienced a cyber security incident since introducing a BYOD policy, according to a study by SME card payment services firm Paymentsense.
Increasingly popular BYOD policies, the study report said, see employees using personal devices such as laptops, tablets and smartphones for work, as well as for their general day-to-day activities.
Some businesses believe it brings productivity gains and cost savings, and the BYOD and global enterprise mobility market is estimated to reach $73.3bn by 2021.
The study revealed that BYOD schemes are prevalent across small businesses of all sizes, but larger SMEs are more likely to employ such a policy.
For microbusinesses of up to 10 staff, the rate is 40%, increasing to 51% for businesses of between 51 and 100 people, and to 69% in businesses of 101 to 250 people.
The study found that as BYOD popularity increases, so do cyber security incidents. Just one in seven (14%) microbusinesses (up to 10 staff) reported a cyber security incident since implementing BYOD, but this figure rises significantly to 70% for businesses of 11 to 50 people, and to 94% for SMEs with 101 to 250 employees.
The most common cyber security incident suffered by respondents over the past 12 months was malware, which affected two-thirds (65%) of SMEs, followed by viruses (42%), distributed denial of service (26%), data theft (24%) and phishing (23%).
“Although our study shows the popularity of BYOD among small businesses, it’s alarming to see so many reporting incidents since implementing these schemes,” said Chafic Badr, head of digital at Paymentsense.
“As with all cyber security issues, the biggest factor is the human one. Employees need to be aware of their responsibilities and the risks associated with a BYOD system. This is particularly important when you consider personal data responsibilities under the EU’s General Data Protection Regulation [GDPR],” he said.
Business owners should create concise guidelines to help staff use best security practices in their daily activities, in and out of the office, the report said, noting that when mobile device users are away from work, susceptibility to threats such as phishing tends to increase.
Regular engagement and communication with staff at all levels is important, the report said, and having an incident response plan clarifies responsibilities and ensures timely action is taken to contain and control the situation if mistakes are made.
According to guidance for SMEs published by the UK Information Commissioner’s Office (ICO), the physical security of equipment is important to consider as devices containing personal data could be stolen in a break-in or lost while away from the office.
SMEs need to ensure that the same level of security applied to on-premise devices is applied to personal data on devices being used away from the office.
Many data breaches arise from the theft or loss of a device, but SMEs should also consider the security surrounding any data sent by email or post, according to the guide.
Allowing untrusted devices to connect to SME networks, or using work devices on untrusted networks outside the office, can also put personal data at risk. The guide therefore advises SMEs to ensure that personal data is either not on the device in the first place, or that it has been appropriately secured with good access control systems and encryption so that it cannot be accessed in the event of loss or theft.
Some mobile devices support a remote disable or wipe facility which allows users to send a signal to a lost or stolen device to locate it and, if necessary, delete all data, the guide says.
“If you permit employees or other users to connect their own devices to your network you will be increasing the range of security risks and these should also be addressed,” the guide states.