Bring Your Own Device (BYOD) risk management guide

Bring Your Own Device (BYOD) refers to employees using personal phones, laptops, or tablets to access business systems and data. 

But how much control do you really have over those environments? 

In practice, employees are checking emails on personal devices and logging into SaaS platforms from home laptops as part of everyday working life. 

Whilst Bring Your Own Device (BYOD) arrangements support flexibility and productivity, they also mean organisations have far less control over the environments used to access corporate systems. This can introduce risks that traditional access controlsA series of measures (either technical or physical) which allow personal data to be accessed on a need-to-know basis. do not address. 

Recent regulatory enforcement against LastPass UK has made clear that controls such as Multi-Factor Authentication (MFA) and Virtual Private Networks (VPNs) are not always enough. For organisations relying on BYOD, now is the time to reassess whether current policies and controls remain effective. 

In this blog, we explore the risks of unmanaged personal devices, what regulators expect, and the practical steps organisations can take to strengthen their approach.  

Key takeaway: BYOD increases flexibility but introduces device-level security risks that MFA and VPNs do not address. A risk-based approach is essential to control access, especially for sensitive data and privileged users. 

• Hidden risks of unmanaged personal devices 
• Regulator expectations: A risk-based approach to BYOD 
• Practical steps for effective BYOD management 
• Frequently asked questions 

What are the hidden risks of unmanaged personal devices? 

Access controls such as MFA and VPNs are important safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the..., but they do not secure the device itself. 

When employees use personal devices for business purposes, organisations typically cannot guarantee patching and operating system security, device configuration, or what software is installed. 

This creates risks that sit outside traditional access controls, including: 

• Credential theft through keylogger malware 
• Session tokens being stolen to bypass authentication 
• Exploitation of vulnerabilities in third-party applications, providing a route into corporate systems 

In practice, this means that even well-configured access controls can be undermined by risks at the device level — often without the organisation having visibility or control over the source of the compromise. This is where regulatory expectations become critical. 

Regulator expectations: A risk-based approach to BYOD 

A risk-based approach to security is a global expectation, reflected in legal frameworks such as the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) and international standards like ISO 27001.  

In practice, this means aligning controls to the level of risk each user and their access presents, rather than applying the same model to all users and devices. It requires looking beyond whether controls are in place and assessing whether they remain effective when used on unmanaged personal devices. 

In the context of BYOD, this involves considering who is accessing what data, from which devices, and the potential impact if those credentials were compromised. 

A risk-based approach often results in different levels of access and control depending on the level of risk. For example: 

• Allowing access from personal devices only where accessible data is genuinely low risk, whilst applying stronger controls or restrictions where systems may expose sensitive, personal, or strategic information 
• Requiring managed or compliant devices for users with privileged access or access to sensitive data 
• Applying additional controls or limiting functionality when personal devices are used 

Remember, not all employees carry the same level of risk. Those with privileged access to systems, infrastructure, or sensitive data present a significantly higher impact if credentials are compromised. 

How can organisations manage BYOD risks effectively?

In many organisations, BYOD arrangements have evolved over time rather than through deliberate design. As systems, data use, and threats change, policies can quickly become outdated. 

The focus should be on ensuring BYOD arrangements reflect current risks, rather than historical assumptions. To effectively manage BYOD, you should: 

1. Review BYOD policies
   Ensure policies align with ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). and NCSC guidance and reflect how employees access systems in practice. 
2. Identify high-risk users
   Assess whether personal device access is appropriate for all roles. Apply stricter controls or restrict access to managed devices for users with privileged access to sensitive data.
3. Enforce separation between personal and business accounts
   Avoid shared or linked credentials that increase the impact of a single compromise. 
4. Define minimum security standards and access controls
   Set clear expectations for permitted devices and apply additional controls for access to sensitive systems. Regularly test these controls can withstand current attack techniques. 
5. Review incident response procedures
   Ensure escalation pathways and responsibilities are clearly defined, particularly where personal devices are involved in an incident.
6. Improve staff awareness
   Ensure employees understand the risks and expectations when using personal devices for work. 
7. Monitor and regularly reassess your approach
   Article 32 of the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. requires organisations to regularly test and evaluate the effectiveness of their security measures. This includes assessing whether BYOD remains appropriate, whether associated risks are being managed, and whether existing controls remain effective as threats and working practices evolve. 

Frequently asked questions 

Is accessing work emails on a personal device really a risk?

Yes. Email often contains personal dataInformation which relates to an identified or identifiable natural person., sensitive attachments, and access to other systems. Access from unmanaged personal devices should only be permitted where the data accessible is genuinely low‑risk, and where the organisation can demonstrate that such access still constitutes an appropriate technical and organisational measure.

We use MFA and VPNs — doesn’t that make BYOD secure?

Not necessarily. MFA and VPNs protect access but not the device itself. Compromised personal devices can still be used to bypass controls. 

Do we need to ban BYOD completely?

No. Regulators expect a risk-based approach, which may include restricting BYOD for higher-risk users or limiting access to sensitive systems.

Are approved apps, such as Teams or Slack, on personal devices safe?

Not entirely. Even approved apps can be affected if the device itself is compromised through malware or unpatched vulnerabilities.

Does this only apply to high-risk organisations or specific industries?

No. Any organisation allowing access from personal devices should assess whether its controls are proportionate to the data and risks involved. 

Do you need support with your Bring Your Own Device management? Get in touch and learn how we can help.  

In case you missed it…

• IT equipment disposal: How to stay GDPR compliant 
• AI social engineering attacks: Protect data and stay complaint 
• Privacy Management Platforms: A practical guide for strengthening privacy operations