Is Your BYOD Policy Putting Your Business at Risk?

Bring Your Own Device (BYOD)

The boom in remote working in recent years has brought a matching rise in the use of personal devices for work purposes. Whether that’s checking work email on a personal phone, joining video calls from a home laptop or using company logins on a personal tablet, this is now how a large portion of people work each day.

In a number of ways, this level of device flexibility is a genuine benefit, and not one many businesses are in a rush to reverse. However, this new flexibility also introduces new data protection risks. When employees use personal devices to access business systems, the organisation often has very little visibility or control over the environment from which that access takes place.

Recent regulatory enforcement in the UK, together with well-publicised incidents such as the LastPass breach, in which the attacker’s route in was an engineer’s personal home computer, has highlighted the issue clearly. Safeguards like Multi-Factor Authentication (MFA) and Virtual Private Networks (VPNs), widely adopted and often well-configured, are not always sufficient where personal devices are involved.

Organisations that have allowed Bring Your Own Device (BYOD) arrangements to evolve organically over time are now faced with the challenge of asking whether their current policies and controls are still fit for purpose.

Why MFA and VPNs are not the whole answer

It’s tempting to assume that controls such as MFA and VPNs are “enough” to protect company data, but this is not quite the case.

MFA and VPNs protect the channel through which someone accesses a system: MFA verifies the person at sign-in and a VPN encrypts the transport. Neither says anything about the device itself. On personal devices, an organisation typically cannot verify that the latest security patches have been applied, that the operating system is still supported, or that no malware is present.

Gaps like these create attack vectors that access controls alone cannot close. Credential theft via keylogger malware installed on a personal device, session token hijacking (copying the cookie or token issued after a successful MFA sign-in and replaying it from another machine, so the MFA step is never repeated), and exploitation of vulnerabilities in third-party applications are all realistic routes into corporate systems – routes that operate beneath the level where most security controls sit.

In each case, an attacker can gain access while appearing, to every technical control in place, to be a legitimate user. These compromises happen at the device level – where the organisation has little to no visibility or control.

What regulators expect

Both the UK GDPR and international frameworks such as ISO 27001 require organisations to implement security measures that are appropriate to the risk: proportionate to the level of access being granted and to the harm that would follow from its misuse.

In the context of BYOD, that means the controls applied should reflect who is accessing what data, from which type of device, and what the consequences of a compromise would be.

Not all employees carry the same level of risk. Someone with privileged access to financial systems, HR records, or technical infrastructure presents a materially higher impact, if compromised, than someone who occasionally checks a shared calendar. Applying identical controls to both – or no particular controls to either – is unlikely to satisfy regulators that the approach taken is proportionate.

Article 32 of the UK GDPR goes further, requiring organisations to regularly test and evaluate the effectiveness of their security measures. A BYOD policy written three years ago, when systems and working practices looked different, may no longer meet that standard, even if nothing has gone obviously wrong.

Where to focus

BYOD has grown through convenience and habit rather than conscious design. Getting on top of it does not require a full overhaul, but it does require deliberate reassessment. The following areas tend to be where the gaps are.

Identify who needs personal device access, and for what. Where employees have access to sensitive data, personal records or privileged system credentials, it’s worth questioning whether personal device access is appropriate in the first place. Restricting those users to managed or compliant devices is a legitimate and usually proportionate response.

Minimum security standards. Rather than relying on employees to manage their own device security, organisations can set clear requirements – a current, supported operating system, approved applications, screen lock enforcement – as conditions of access. Mobile Device Management (MDM) tools, or conditional access policies that check device compliance before a session is granted, make these requirements enforceable rather than advisory.

Separation of business and personal credentials. Shared or linked credentials – the same password reused across a personal and a work account, or work logins saved into a personal browser profile or password manager that syncs to a personal account – significantly increase the exposure from any single compromise. Clear separation limits the damage if something goes wrong.

Functional limits where risk is higher. Access to sensitive systems from personal devices can be restricted to read-only, capped at specific data categories, or redirected to managed alternatives. These are proportionate responses to elevated risk.
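The three points above (restricting privileged users to managed devices, minimum standards as a condition of access, and read-only limits for unmanaged devices) are easiest to reason about when written down as a single policy. The following is an added example, not code from the article or from any MDM or identity vendor: a small, constructed access-decision function that takes a request and the device posture claims an MDM agent or app-protection SDK might report, and returns allow, read-only or deny with the reasons. The `Posture`, `AccessRequest` and `Decision` types, the minimum OS versions and the 24-hour freshness window are all assumptions for illustration. It also covers two cases the text only implies: a device that reports no posture at all, and a posture claim that is too old to trust.

```python
"""Device-posture-conditioned access decisions (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed minimum OS versions; a real policy would track vendor support dates.
MIN_OS_VERSION = {
    "ios": (17, 0),
    "android": (14,),
    "windows": (10, 0, 19045),
    "macos": (14, 0),
}
# Posture claims older than this are treated as unknown, not as compliant.
MAX_POSTURE_AGE = timedelta(hours=24)


@dataclass(frozen=True)
class Posture:
    """Claims reported by an MDM agent or app-protection SDK (assumed schema)."""
    managed: bool                 # enrolled in MDM, so the org can enforce and wipe
    os_name: str
    os_version: tuple[int, ...]
    screen_lock: bool
    reported_at: datetime         # timezone-aware time the claim was produced


@dataclass(frozen=True)
class AccessRequest:
    user: str
    privileged: bool              # finance, HR, infrastructure admin, etc.
    sensitivity: str              # "public" | "internal" | "sensitive"
    posture: Optional[Posture]    # None: the device reported nothing at all


@dataclass(frozen=True)
class Decision:
    outcome: str                  # "allow" | "read-only" | "deny"
    reasons: tuple[str, ...]


def version_at_least(actual: tuple[int, ...], minimum: tuple[int, ...]) -> bool:
    """Compare version tuples of unequal length, e.g. (17,) against (17, 0)."""
    width = max(len(actual), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(actual) >= pad(minimum)


def posture_failures(p: Posture, now: datetime) -> list[str]:
    """Return every minimum-standard check the device fails (empty if compliant)."""
    failures = []
    if now - p.reported_at > MAX_POSTURE_AGE:
        failures.append("posture claim stale")
    minimum = MIN_OS_VERSION.get(p.os_name.lower())
    if minimum is None or not version_at_least(p.os_version, minimum):
        failures.append("operating system below minimum version")
    if not p.screen_lock:
        failures.append("screen lock not enforced")
    return failures


def decide(req: AccessRequest, now: datetime) -> Decision:
    # No posture at all: the organisation has no visibility, so only public
    # data is reachable, and never for a privileged user.
    if req.posture is None:
        if req.sensitivity == "public" and not req.privileged:
            return Decision("allow", ("no posture reported; public data only",))
        return Decision("deny", ("no device posture available",))
    # Minimum standards apply to every device, managed or not.
    failures = posture_failures(req.posture, now)
    if failures:
        return Decision("deny", tuple(failures))
    if req.posture.managed:
        return Decision("allow", ())
    # Compliant but unmanaged (personal) device from here on.
    if req.privileged or req.sensitivity == "sensitive":
        return Decision("deny", ("managed device required",))
    if req.sensitivity == "internal":
        return Decision("read-only", ("unmanaged device limited to read-only",))
    return Decision("allow", ())


NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock


def example_decisions(now: datetime = NOW) -> dict[str, Decision]:
    """Run the policy over constructed requests covering each branch."""
    fresh = now - timedelta(hours=2)
    managed_laptop = Posture(True, "windows", (10, 0, 22631), True, fresh)
    personal_phone = Posture(False, "ios", (17, 4), True, fresh)
    outdated_phone = Posture(False, "android", (12,), True, fresh)
    stale_phone = Posture(False, "ios", (17, 4), True, now - timedelta(days=3))
    cases = {
        "finance admin, managed laptop": AccessRequest("aisha", True, "sensitive", managed_laptop),
        "finance admin, personal phone": AccessRequest("aisha", True, "sensitive", personal_phone),
        "staff, internal wiki, personal phone": AccessRequest("ben", False, "internal", personal_phone),
        "staff, internal wiki, outdated phone": AccessRequest("ben", False, "internal", outdated_phone),
        "staff, internal wiki, stale posture": AccessRequest("ben", False, "internal", stale_phone),
        "staff, shared calendar, no posture": AccessRequest("ben", False, "public", None),
    }
    return {name: decide(req, now) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in example_decisions().items():
        print(f"{name:40} -> {d.outcome:9} {'; '.join(d.reasons)}")
```

Two design choices worth noting. A stale posture claim is a failure rather than a pass, because a device that stopped reporting may have been wiped, jailbroken or handed to someone else; and a device that reports nothing is treated as unmanaged and unverified rather than falling through to the default. Both are the "no visibility" situation the earlier sections describe, made explicit in the policy instead of left to chance.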

Testing whether controls hold up. Having controls in place and knowing they work are different things. Controls need to be tested against current attack techniques – what held eighteen months ago may not withstand the methods in use today.

Incident response that accounts for personal devices. When a personal device is involved in a security incident, the response is more constrained – unless the device is enrolled in MDM or an app-protection scheme with the employee’s agreement, the organisation cannot wipe or lock it remotely, and even then it can usually only remove the work data, not image the device for forensics. Clear escalation pathways and defined responsibilities, agreed in advance, change the outcome.

Staff awareness grounded in how people work. Employees who understand the reasoning behind security requirements are more likely to follow them. Awareness programmes that reflect the actual working environment, rather than abstract principles, tend to land better.

Proportionality, not prohibition

You don’t need to ban the use of personal devices to protect your business – in most organisations it would be an unfeasible option, and in truth, regulators don’t expect that level of response. What they do expect is evidence that an organisation has assessed the risks, put proportionate controls in place, and is keeping those controls under review as circumstances evolve.

If you’ve yet to review your BYOD arrangements, or haven’t done so in a while, the current regulatory climate makes that review difficult to defer. A considered, risk-based approach that distinguishes meaningfully between higher and lower-risk access scenarios can preserve the flexibility employees rely on while meeting the obligations the organisation carries.

TechBullion
Copyright © 2026 TechBullion. All Rights Reserved.