Businesses Warned Over Growing Use of Personal Devices for Corporate Data Access
- All Things Being ISOs

- 4 days ago

UK businesses are being warned about increasing information-security risks linked to the widespread use of personal devices for accessing corporate systems, as regulators and cyber-security bodies report a rise in incidents tied to poorly controlled “bring your own device” (BYOD) practices. The issue is affecting organisations across professional services, construction, manufacturing, logistics and consultancy sectors, where hybrid working has become embedded.
Cyber-security advisers say many organisations relaxed controls during the rapid shift to remote working and have since failed to formalise device-management arrangements. As a result, sensitive business data is frequently being accessed, stored or transmitted via personal laptops, tablets and mobile phones that fall outside corporate security controls.
A spokesperson for the National Cyber Security Centre said it continues to observe incidents where compromised personal devices were used as entry points into business systems. “Personal devices often lack the same patching, monitoring and access restrictions as managed corporate equipment,” the spokesperson said. “Where these devices are used for work, organisations must ensure risks are properly assessed and controlled.”
Security analysts report that common weaknesses include the absence of device encryption, inconsistent use of multi-factor authentication, and personal devices being shared with family members. In several investigations, attackers were able to gain access to business email accounts and cloud storage after exploiting malware infections or weak passwords on privately owned devices.
Industry bodies say the problem is particularly acute among small and medium-sized enterprises, where formal IT governance may be limited. “Many businesses assume that if staff are trusted, the technology will look after itself,” said James Holloway, a cyber-risk consultant working with UK SMEs. “Unfortunately, trust does not replace technical controls, and attackers actively target these gaps.”
Auditors have also noted an increase in nonconformities related to access control and asset management during information-security assessments. In some cases, organisations were unable to demonstrate which devices had access to sensitive information, how data was protected on those devices, or how access would be removed if a device was lost or an employee left the business.
From a commercial perspective, insurers and clients are beginning to take a firmer stance. Several professional-services firms report being asked to provide evidence of device-security controls as part of supplier assurance and tender processes. Cyber-insurance providers have also tightened policy terms, with some excluding coverage for incidents linked to unmanaged personal devices.
Some organisations are responding by introducing clearer BYOD policies, mobile-device-management software and stricter access rules for cloud systems. Others are restricting access to sensitive data unless devices meet defined security standards. Security professionals say these measures are increasingly being viewed as baseline expectations rather than advanced controls.
“The boundary between personal and business technology has blurred,” Holloway added. “What matters now is whether organisations have visibility and control over how their information is accessed. Without that, they are exposed - not just to cyber risk, but to regulatory and reputational consequences.”
As digital working practices continue to evolve, regulators and security specialists expect scrutiny of device management and access controls to increase. For businesses operating under information-security management systems such as ISO 27001, the ability to demonstrate effective control over user devices is becoming a key indicator of maturity in managing information risk.