How to Run BYOD Without Creating a Security Headache
Your receptionist takes a call on her personal phone and books an appointment through the practice management system. Your associate checks their work email from home on a personal laptop. Someone accesses the shared drive from their own tablet between client sessions. None of this was planned. It just happened, gradually, because it was easier. And now you have staff using personal devices to access business data, with no clear rules about what that means or what happens if something goes wrong.
This is BYOD - bring your own device - and it is more common than most business owners realise. According to Microsoft, personal and employee-owned devices now make up a significant share of the endpoints connecting to business networks. The appeal is obvious. Buying phones and laptops for every staff member is expensive. Asking people to carry two phones is annoying. Letting people use their own devices seems like a sensible middle ground. The problem is that without some basic structure around it, BYOD quietly becomes one of the biggest security risks to your business.
The core issue is visibility. Most business owners cannot tell you which personal devices are currently accessing their systems, what company data might be sitting on those devices, or whether those devices have had a security update in the past six months. If a staff member's personal phone is lost or stolen - and it has work emails and saved passwords on it - that is a potential breach under the NZ Privacy Act 2020. You may have no way of knowing it happened, and no way to act on it.
Getting this right does not require banning personal devices. It requires a few practical measures. A written BYOD policy sets the rules clearly - which devices can access which data, what employees are expected to do, and what compensation looks like if they are using personal kit for work purposes. That policy needs to stay current. An outdated policy is treated by staff the same way they treat an expired form - ignored. Business calls made from personal phones are worth addressing with a VoIP app that routes calls through a business number, so clients never end up with a staff member's personal mobile saved in their contacts. And when staff leave, there needs to be a proper offboarding checklist that includes revoking access, removing business data from personal devices, and deauthorising those devices from your network.
The part that makes all of this manageable is endpoint management - software that lets you push security updates to any device connected to your systems, enforce basic security settings, and remotely wipe business data if a device is lost, without touching the employee's personal photos or apps. It sits in the background and handles the things that would otherwise fall through the cracks. Strong password and MFA practices on every device are also essential, since personal devices are far less likely to have these enforced by default.
If your business has staff using personal devices for work and you have never formally addressed it, the place to start is an honest look at what devices are connecting to your systems and what data they can reach. That is not a small job to do on your own, but it is exactly what a managed IT provider should be able to walk you through. Managed IT support for professional services businesses typically includes endpoint management as a core part of the service, so this kind of thing is handled as a matter of course rather than left to chance.
ITstuffed works with professional services businesses across Canterbury on exactly this kind of issue. A 15-minute IT Fit Check is a good way to find out whether your current setup has gaps worth addressing.