SMEs may be exposing themselves to cyber-attacks by allowing staff to use personal devices for work, experts warn.

With 40% of Brits now working from home at least some of the time, many SMEs are relying on Bring Your Own Device (BYOD) policies to enable flexible working, often without the security controls that would typically come with company-owned hardware[1].

Around 83% of organisations in the UK are reported to have adopted BYOD policies, allowing employees to use their own smartphones, tablets or laptops for work purposes[2]. In fact, 39% of employees are said to have purchased their own device for work, helping companies save an average of £150,265 over five years[2].

While these policies can appeal to SMEs by boosting flexibility, productivity, and cost savings, they also bring security challenges. To help businesses keep their data secure, Max Beckett, Uswitch Business Broadband expert, shares his top tips:

1. “Set clear, simple BYOD policies: The benefits of BYOD are clear, but the cyber risks that come with it are often overlooked. Without a considered, risk-aware approach, organisations can end up weakening their own cyber defences from the inside. Even a simple, clearly documented BYOD policy can significantly reduce this risk, without the need for costly systems or specialist support. This should define which devices and operating systems are permitted, require basic security controls such as screen locks and antivirus software, and set clear rules around how company data is accessed and stored on personal devices.

   Understanding the Importance of BYOD Policies

“It should also explain the actions employees must take if a device is lost or stolen, outline the organisation’s right to remove company data if a device is compromised, and establish clear consequences for policy breaches, supported by employee sign-off to confirm understanding.

2. “Plan for employee exits: Organisations should also consider what happens to company data when an employee using their own device leaves the business. Without a defined exit process, access to sensitive information can easily be missed. Promptly removing access to email, accounts, and synced systems, and remotely wiping company data where appropriate, helps reduce the risk of data breaches. Building these steps into HR offboarding creates clear expectations and keeps the process straightforward and effective.

3. “Secure your broadband and Wi-Fi setup: A secure home Wi-Fi connection is essential for safe BYOD use. Employees should avoid using identifiable information, such as their address, in their network name and set a strong password using a mix of letters, numbers, and symbols. Networks should also be configured with WPA2 or WPA3 encryption to protect business communications and company data from unauthorised access. Employees should avoid accessing company systems on public Wi-Fi where possible. If it is necessary, a secure VPN should be used.

4. “Ensure employees keep their devices up to date: Regularly updating software on devices used for work, including personal devices under BYOD, is one of the simplest and most effective ways to protect against cyber threats. Hackers often target outdated systems, so keeping operating systems, applications, and security tools up to date helps protect both company and personal information.

5. “Implement strong access controls: Access to company systems and data should be limited to essential users only, with multi-factor authentication enabled wherever possible. This added layer of security helps protect sensitive information from unauthorised access.

6. “Monitor for unusual activity: Regularly reviewing network traffic and system access logs helps identify suspicious behaviour early. Monitoring devices connected under BYOD policies can prevent breaches and reduce the risk of data loss.

7. “Separate work and personal data: Encourage the use of separate apps, profiles, or secure accounts for work data so company information does not mix with personal files or cloud backups.

8. “Train staff on best practices: Employees should understand the importance of keeping login details private, recognising phishing attempts, and following BYOD policies. Regular training and clear guidance help reduce the risk of unauthorised access and keep company data secure”.