Michelle Gilmartin

BYOD Security Risks: Cybersecurity & Compliance Challenges

Cybersecurity and Compliance Risks of Using Company Email on Personal Devices

In today’s hybrid workplace, many employees use their personal laptops, tablets, or smartphones to access business email. Convenience and flexibility are two benefits of the “bring your own device” (BYOD) trend, but it also brings significant cybersecurity and compliance issues, particularly under the stringent EU rules. Regardless of the technology used, enterprises are required by law to protect sensitive data under regulations such as the General Data Protection Regulation (GDPR) and the recently adopted NIS2 Directive. This article by Michelle examines the risks of using business email on personal devices, from phishing attempts and unauthorised access to data breaches and GDPR violations, together with the compliance issues they raise. It also offers practical advice for organisations in any industry, and a real-world case study demonstrates the effects of insufficient BYOD security.

EU Compliance Regulations

EU Regulatory Scopes

GDPR (General Data Protection Regulation)
The EU’s primary data protection law, GDPR, has been in effect since 2018. It requires businesses to take the necessary organisational and technical precautions to protect personal information. This obligation applies whether the data is handled on an individual’s personal device or on a business system. A 2024 German court decision, for instance, affirmed that sending work emails to a private email account was a blatant breach of GDPR. This was mostly because personal accounts usually lack the strong security needed to handle sensitive data. Fines for non-compliance can reach €20 million, or 4% of worldwide annual turnover.

The NIS2 Directive
The NIS2 Directive, which was adopted in November 2022, aims to improve cybersecurity in critical and significant sectors such as digital infrastructure, energy, healthcare, and finance. It acknowledges that remote and mobile devices are essential components of a company’s security setup. According to NIS2, businesses must incorporate these devices into risk assessments, mandate 24-hour event logging, and put in place a thorough risk management strategy. The consequences of non-compliance are severe: essential entities may face fines of up to €10 million or 2% of their worldwide annual turnover.

Additional EU Standards and Guidance
Organisations can consult ISO/IEC 27001 and guidelines from the European Union Agency for Cybersecurity (ENISA) in addition to GDPR and NIS2. These frameworks stress that a stringent BYOD approach must include governance, frequent risk assessments, encryption, and continuous employee training. The essential lesson for EU compliance is that companies remain responsible for protecting data, even if the equipment is owned by someone else.

Key Risks of Using Company Email on Personal Devices

Unauthorised Access and Data Breaches

The strong security measures present in corporate environments are often absent from personal devices. Lacking centralised oversight, strong password requirements, or full disk encryption, they are more susceptible to unauthorised access. The loss or theft of a personal device could result in a data breach that exposes private company emails and files. Under GDPR, any such breach must be disclosed within 72 hours, and the consequences may include severe penalties and reputational harm.

Phishing and Malware Attacks

Compared with corporate-managed systems, a personal device usually has less advanced antivirus protection and email screening. Personal devices are therefore easy targets for phishing attacks, in which a single click on a malicious link can compromise company credentials and open the door to further attacks. Malware infections on personal devices can quickly escalate into broader network intrusions, particularly where the device uses cloud-synced data or unprotected VPN connections.

Compliance Violations and Legal Risks

Accessing business email on personal devices can result in serious compliance problems. Regardless of device ownership, enterprises are required under GDPR to ensure that data is processed and stored securely. The company may be in breach of Articles 5(1)(f) and 32 of the GDPR if an employee downloads private client information onto an unencrypted personal device and that device later falls into the wrong hands. Beyond complicating data retention policies and making it harder to fulfil Data Subject Access Requests, this lack of control over personal devices may also lead to further regulatory penalties.

Personal Devices Cybersecurity

Best Practices for Mitigating BYOD Risks

Establish a Clear BYOD Policy

Develop a formal acceptable use policy specifically for personal devices that access company email.

This policy should:
• Specify security criteria such as auto-lock, device encryption, and required PINs.
• Prohibit actions such as sending personal emails to work accounts.
• Outline responsibilities and consequences for non-compliance.
• Detail procedures for offboarding, including the remote wiping of corporate data.

Implement Technical Controls

Invest in Mobile Device Management (MDM) or Mobile Application Management (MAM) solutions to enforce security settings on personal devices.

These tools can:
• Require strong passwords and encryption.
• Enforce auto-lock and timely software updates.
• Enable remote wipe capabilities in case a device is lost or compromised.

Use Multi-Factor Authentication (MFA)

A crucial layer of security is added by MFA, which makes sure that unwanted access is stopped even in the event that a password is compromised. This is necessary to preserve compliance and safeguard sensitive data.

Encrypt Sensitive Data

Make sure that every private piece of information kept on personal devices is encrypted. If a device is lost or stolen, encryption reduces the chance that data will be exposed, possibly preventing a breach that needs to be reported.

Regular Training and Awareness

Continually train staff members to spot phishing scams and appreciate the significance of data security procedures. The necessity of adhering to security best practices and regulatory standards is reinforced via regular training.

Monitor and Audit

To guarantee adherence to GDPR and NIS2, conduct frequent audits and ongoing monitoring of BYOD policies. This proactive strategy strengthens the organisation’s commitment to data security and aids in the early detection of any non-compliance issues.
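The criteria set out in the practices above (a required PIN, device encryption, auto-lock, timely updates, MFA enrolment and remote-wipe capability) can be checked mechanically against a device inventory as part of the monitoring and auditing step. The script below is an added example written for this article, not code from the article or from any MDM/MAM product: the record fields, the policy thresholds and the three device records are assumptions constructed for illustration, and the "block mailbox access" decision stands in for whatever conditional-access mechanism an organisation actually uses.

```python
"""Evaluate personal devices against BYOD policy criteria (added example).

Field names, thresholds and device records are constructed assumptions for
illustration; they are not the export schema of any real MDM/MAM product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ByodPolicy:
    """Thresholds a BYOD acceptable-use policy might set (assumed values)."""
    max_autolock_seconds: int = 300   # device must lock within 5 minutes
    max_patch_age_days: int = 30      # OS updates applied within 30 days
    require_pin: bool = True
    require_disk_encryption: bool = True
    require_mfa: bool = True
    require_remote_wipe: bool = True


@dataclass(frozen=True)
class DeviceRecord:
    """One row of a (hypothetical) device inventory export."""
    device_id: str
    owner: str
    pin_set: bool
    disk_encrypted: bool
    autolock_seconds: Optional[int]   # None means auto-lock is disabled
    last_os_patch: date
    mfa_enrolled: bool
    remote_wipe_enabled: bool


def evaluate_device(dev: DeviceRecord, policy: ByodPolicy, today: date) -> List[str]:
    """Return the list of policy violations for one device (empty == compliant)."""
    findings: List[str] = []
    if policy.require_pin and not dev.pin_set:
        findings.append("no PIN/passcode configured")
    if policy.require_disk_encryption and not dev.disk_encrypted:
        findings.append("storage not encrypted")
    if dev.autolock_seconds is None:
        findings.append("auto-lock disabled")
    elif dev.autolock_seconds > policy.max_autolock_seconds:
        findings.append(
            f"auto-lock timeout {dev.autolock_seconds}s exceeds "
            f"{policy.max_autolock_seconds}s"
        )
    patch_age = (today - dev.last_os_patch).days
    if patch_age > policy.max_patch_age_days:
        findings.append(f"OS patches {patch_age} days old (limit {policy.max_patch_age_days})")
    if policy.require_mfa and not dev.mfa_enrolled:
        findings.append("MFA not enrolled for mailbox access")
    if policy.require_remote_wipe and not dev.remote_wipe_enabled:
        findings.append("remote wipe not available")
    return findings


def compliance_report(devices: List[DeviceRecord], policy: ByodPolicy,
                      today: date) -> Dict[str, List[str]]:
    """Map each device id to its open findings; this is the audit record."""
    return {d.device_id: evaluate_device(d, policy, today) for d in devices}


def should_block_mail_access(findings: List[str]) -> bool:
    """Conditional-access style decision: deny mailbox access while any finding
    is open. Denying (rather than merely logging) is what makes the written
    policy enforceable, so the decision is deliberately all-or-nothing."""
    return bool(findings)


def compliance_summary(report: Dict[str, List[str]]) -> Tuple[int, int]:
    """Return (compliant_count, non_compliant_count) for management reporting."""
    non_compliant = sum(1 for f in report.values() if f)
    return len(report) - non_compliant, non_compliant


# Constructed sample inventory; the date is fixed so the output is deterministic.
TODAY = date(2025, 3, 1)
SAMPLE_DEVICES = [
    DeviceRecord("phone-001", "a.byrne", True, True, 120, date(2025, 2, 20), True, True),
    DeviceRecord("laptop-002", "b.kelly", True, False, 600, date(2024, 12, 1), True, False),
    DeviceRecord("tablet-003", "c.walsh", False, True, None, date(2025, 2, 25), False, True),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_DEVICES, ByodPolicy(), TODAY)
    for device_id, findings in report.items():
        state = "BLOCK" if should_block_mail_access(findings) else "allow"
        print(f"{device_id}: {state} {findings}")
    print("compliant/non-compliant:", compliance_summary(report))
```

Running it shows the encrypted, patched, MFA-enrolled phone passing, the unencrypted laptop with stale patches and no remote wipe collecting four findings, and the tablet with no PIN, no auto-lock and no MFA collecting three; the last two would have mailbox access withheld until the owner remediates, which is the point at which policy, technical control and audit evidence meet.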

Case Study: Data Breach at Eir (Ireland)

In 2018 an unencrypted laptop belonging to an employee was stolen from outside one of Eir’s offices, resulting in a serious data breach for the Irish telecom company. The device held private customer information, including the names, email addresses, phone numbers, and account numbers of 36,642 customers. Although Eir notified the authorities of the breach within the 72-hour period mandated by GDPR, the event highlighted the dangers of insufficient BYOD security.

What we can learn from the Eir Incident:

Device Encryption Is Essential: The laptop was compromised due to a software error that left it unsecured. Strong encryption might have kept private information safe.
Policy and Awareness: The incident raised questions about data handling practices. Organisations should limit the local storage of large datasets on portable devices and ensure that employees understand the risks.
Incident Response: Eir’s prompt disclosure of the compromise prevented additional repercussions, highlighting the significance of having a strong incident response strategy in place.

Final Thoughts on BYOD Security

There is no denying the freedom that comes with allowing employees to use their work email on their own devices, but it brings increased cybersecurity and compliance risks. Organisations in the EU are legally required to comply with laws such as GDPR and NIS2. They can protect sensitive information and demonstrate compliance by laying out explicit BYOD rules, putting technical controls in place, deploying MFA, encrypting sensitive data, and offering frequent training.
A proactive, methodical approach to BYOD risk management not only helps to prevent significant fines and reputational harm, but also creates trust among stakeholders and customers. At a time when digital threats are constantly changing, the future of your organisation depends on strong security and compliance procedures.
