The Digital Rescue Blog

The blog that reveals the technological secrets behind data recovery.

BYOD in Business: How to Protect Your SME When Employees Use Personal Devices

BYOD in Swiss SMEs: A Common Practice with Underestimated Risks

In many Swiss SMEs, it has become common for employees to check their work emails on their personal smartphones, finalize a document on their tablet on the train, or work from their private laptop. This practice has a name: BYOD, an acronym for "Bring Your Own Device."

BYOD has measurable advantages: according to a Cisco study, companies that allow BYOD save an average of USD 350 per employee per year in hardware costs, and employees gain 58 minutes of daily productivity. However, this flexibility hides significant security risks. Unlike company-provided devices, personal devices are not under your direct control: you don't know what applications are installed on them, whether security updates are performed, or whether the device is protected by a strong password.

Concrete example: an employee loses their personal phone on public transport. If this phone contains work emails with customer information, accounting documents, or access to your systems, your entire company may be exposed. A personal device can be shared with other family members, connected to unsecured public Wi-Fi networks, or infected with malware that could spread to your servers.

For a Swiss SME, these risks have concrete and quantifiable consequences:

  • Average cost of a data breach: USD 4.45 million globally (IBM Cost of a Data Breach Report, 2023)
  • Violation of the nLPD: fines of up to CHF 250,000 for responsible natural persons
  • Business interruption: average duration of 21 days after a cyberattack (Coveware, 2023)
  • Reputational damage: 65% of customers report losing trust after a data leak (KPMG, 2023)

Step 1: Define a Clear and Understandable BYOD Policy

The first step to securing BYOD is to establish a written usage policy. This does not mean writing a fifty-page document filled with technical jargon, but formalizing simple rules that all your employees can understand and apply.

An effective BYOD policy should cover four essential points:

  1. Authorized devices: which types of devices can access company data, with what minimum requirements (operating system version, presence of antivirus, etc.)
  2. Accessible data: what information can be viewed or stored on a personal device, and which is strictly reserved for company workstations
  3. Responsibilities: who is responsible for the security of the device, and what are the employee's obligations
  4. Incident procedures: what to do in case of loss, theft, or departure of an employee

A good BYOD policy must also respect the privacy of your employees. If you implement a solution to remotely erase professional data in case of theft, your employees must understand that this will only concern professional data — not their personal photos or private messages.

Key Data: According to the Ponemon Institute (2023), companies with a formalized BYOD policy reduce their risk of data breaches related to personal devices by 60% compared to those that do not.

This policy should not remain in a drawer. Communicate it to each new arrival and remind them at least once a year, for example during a short information session or a memo.

Step 2: Protect Devices with Basic Measures

There are simple and effective protections to implement, without advanced IT expertise. Here are the four fundamental measures:

Device Locking

All personal devices accessing company data must be protected by a PIN code of at least 6 digits, a password, or biometric recognition. The device should lock automatically after 2 to 3 minutes of inactivity.

Security Updates

Operating systems regularly receive patches that close exploitable vulnerabilities. In 2023, 60% of data breaches involved a vulnerability for which a patch existed but had not been applied (Ponemon Institute). Enable automatic updates or install them as soon as they are available.

Antivirus Protection

Install an antivirus or endpoint protection solution, especially on laptops. On smartphones and tablets, only download applications from official stores (App Store for Apple, Google Play for Android) and check the permissions requested.

Comparison of Basic Protection Measures

Measure                  | Difficulty of Implementation | Cost           | Effectiveness
-------------------------|------------------------------|----------------|--------------
PIN/Biometric Lock       | Very Low                     | Free           | High
Automatic Updates        | Very Low                     | Free           | Very High
Antivirus (PC)           | Low                          | 20–50 CHF/year | High
Official App Stores Only | Very Low                     | Free           | Medium
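Steps 1 and 2 together amount to a device admission rule: a personal device may touch company data only if it meets the minimum requirements the policy states (screen lock, auto-lock delay, supported and up-to-date OS, antivirus on laptops, apps from official stores only). The following script, added here as an illustration and not code from the blog or from any vendor named on the page, turns those rules into a compliance check that an SME could run over a self-declared device inventory. The PIN length and auto-lock thresholds come from the article; the minimum OS versions, the sample devices and the Device fields are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Policy thresholds taken from the article's Step 2: PIN of at least 6 digits,
# automatic lock after 2-3 minutes of inactivity (180 s used as the upper
# bound), updates enabled, antivirus on laptops, official app stores only.
# The minimum OS versions are constructed placeholders for this example,
# not values from the article; an SME would set its own.
MIN_PIN_LENGTH = 6
MAX_AUTOLOCK_SECONDS = 180
MIN_OS_VERSION = {
    "ios": "17.0",
    "android": "13",
    "windows": "10.0.19045",
    "macos": "14.0",
}


def parse_version(version: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    owner: str
    kind: str                 # "laptop", "phone" or "tablet"
    os_name: str
    os_version: str
    lock_type: str            # "pin", "password", "biometric" or "none"
    pin_length: int           # only meaningful when lock_type == "pin"
    autolock_seconds: int     # 0 means the device never locks on its own
    updates_automatic: bool
    antivirus_installed: bool
    sideloaded_apps: int      # apps installed outside the official store


def evaluate(device: Device) -> list:
    """Return the list of policy violations for one device (empty = compliant)."""
    failures = []

    if device.lock_type == "none":
        failures.append("no screen lock configured")
    elif device.lock_type == "pin" and device.pin_length < MIN_PIN_LENGTH:
        failures.append(f"PIN shorter than {MIN_PIN_LENGTH} digits")

    if device.autolock_seconds <= 0 or device.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        failures.append(f"auto-lock not within {MAX_AUTOLOCK_SECONDS} s of inactivity")

    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        failures.append(f"operating system '{device.os_name}' not on the authorized list")
    elif parse_version(device.os_version) < parse_version(minimum):
        failures.append(f"{device.os_name} {device.os_version} below minimum {minimum}")

    if not device.updates_automatic:
        failures.append("automatic security updates disabled")

    # Antivirus is required on laptops; on phones/tablets the control is the official store.
    if device.kind == "laptop" and not device.antivirus_installed:
        failures.append("no antivirus / endpoint protection on laptop")

    if device.kind in ("phone", "tablet") and device.sideloaded_apps > 0:
        failures.append(f"{device.sideloaded_apps} app(s) installed outside official stores")

    return failures


def compliance_report(devices: list) -> dict:
    """Map each owner to their device's violations; only a device with none may access company data."""
    return {d.owner: evaluate(d) for d in devices}


# Constructed sample inventory, as an SME might collect it from a self-declaration form.
SAMPLE_DEVICES = [
    Device("alice", "laptop", "windows", "10.0.22631", "password", 0, 120, True, True, 0),
    Device("bob", "phone", "android", "12", "pin", 4, 600, False, False, 2),
    Device("carla", "tablet", "ios", "17.4", "biometric", 0, 180, True, False, 0),
    Device("dan", "laptop", "macos", "14.2", "none", 0, 0, True, False, 0),
]

if __name__ == "__main__":
    for owner, failures in compliance_report(SAMPLE_DEVICES).items():
        status = "COMPLIANT" if not failures else "BLOCKED"
        print(f"{owner}: {status}")
        for reason in failures:
            print(f"  - {reason}")
```

Every rule is deny-by-default: an operating system that is not on the authorized list fails even if it is fully patched, and a device that never auto-locks fails even with a long PIN. Listing every reason rather than stopping at the first one gives the employee a complete to-do list before the device is admitted.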

Step 3: Separate Professional and Personal Data

To better protect your company's information, implement a clear separation between professional and personal data. On smartphones and tablets, this is done through containerization solutions: a secure and isolated space is created on the device, protected by additional measures, and remotely erasable without affecting the employee's personal data.

Mobile Device Management (MDM) Solutions

Solution             | Hosting             | Indicative Price    | Strengths
---------------------|---------------------|---------------------|-----------------------------------------------
Microsoft Intune     | Microsoft Cloud     | ~8 USD/user/month   | Microsoft 365 integration, complete management
VMware Workspace ONE | Cloud or on-premise | On request          | Flexibility, large companies
kDrive (Infomaniak)  | Switzerland 🇨🇭     | From 4.99 CHF/month | Data sovereignty, nLPD compliance
Proton Drive         | Switzerland 🇨🇭     | From 3.99 EUR/month | End-to-end encryption, open source

Swiss solutions like Infomaniak's kDrive or Proton Drive are particularly suitable for SMEs wishing to guarantee data sovereignty and compliance with the nLPD, as their data remains hosted on Swiss territory.

On laptops, require a separate user account for professional activities or encourage the use of a browser dedicated to the company's online applications. Also, ensure that your professional web applications are properly secured against unauthorized access.

Step 4: Control Access to Sensitive Data

Not all your employees need access to all your company's data. The principle of least privilege consists of limiting access based on each person's role: a person from the sales department does not need to consult sensitive accounting documents, and vice versa.

This principle is even more critical in a BYOD context, where personal devices are statistically less well protected than company workstations. According to Verizon (Data Breach Investigations Report 2023), 74% of data breaches involve a human element, often related to overly broad access.

Two-Factor Authentication (2FA/MFA): An Essential Protection

Two-factor authentication (2FA or MFA) requires two separate proofs of identity before access to sensitive data is granted: something you know (a password), plus a one-time code sent by SMS or generated by an authenticator application. According to Microsoft (2023), 2FA blocks 99.9% of automated attacks on accounts.
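The two controls of this step, least privilege and a second factor, are easiest to understand when they sit in the same access decision. The example below is added here to show that decision and is not code from the blog or from any product mentioned on the page. The role-to-resource map is a constructed, deny-by-default table; the one-time codes are generated the way authenticator applications do it, with HOTP (RFC 4226) under a time-based counter (RFC 6238, 30-second steps), using only the Python standard library. The secret used in the demonstration is the published RFC test secret, chosen so that the codes can be checked against the RFC vectors.

```python
import hashlib
import hmac
import struct
import time

# Least-privilege role map, constructed for this example. Deny by default:
# a role not listed here, or a resource not listed under a role, is refused.
ROLE_PERMISSIONS = {
    "sales": {"crm", "price_list"},
    "accounting": {"ledger", "invoices", "payroll"},
    "management": {"crm", "price_list", "ledger", "invoices"},
}


def role_allows(role: str, resource: str) -> bool:
    """True only if the role has been explicitly granted this resource."""
    return resource in ROLE_PERMISSIONS.get(role, set())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    message = struct.pack(">Q", counter)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift tolerance)."""
    if at_time is None:
        at_time = time.time()
    submitted = code.replace(" ", "").encode()
    counter = int(at_time // step)
    # Constant-time comparison so timing does not leak how many digits matched.
    return any(
        hmac.compare_digest(hotp(secret, counter + drift).encode(), submitted)
        for drift in range(-window, window + 1)
    )


def authorize(role: str, resource: str, secret: bytes, code: str, at_time: float = None) -> tuple:
    """Grant access only when the role permits the resource AND the second factor checks out."""
    if not role_allows(role, resource):
        return (False, "role does not permit this resource")
    if not verify_totp(secret, code, at_time):
        return (False, "second factor invalid")
    return (True, "granted")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
    # uses a random per-user secret enrolled in the authenticator app.
    demo_secret = b"12345678901234567890"
    now = time.time()
    current = totp(demo_secret, now)
    print("code the authenticator app would show right now:", current)
    print("sales -> ledger:", authorize("sales", "ledger", demo_secret, current, now))
    print("accounting -> ledger:", authorize("accounting", "ledger", demo_secret, current, now))
    print("accounting -> ledger, wrong code:", authorize("accounting", "ledger", demo_secret, "000000", now))
```

The order of the two checks matters: the role check runs first so that a stolen password and phone still cannot reach data the role was never granted, and the second-factor check only confirms possession of the device for resources the role is entitled to. The verification window of one step each way absorbs a little clock drift between phone and server without accepting codes that are minutes old.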

Recommended Password Managers

Solution    | Hosting             | Integrated 2FA | Price
------------|---------------------|----------------|-----------------------------
Proton Pass | Switzerland 🇨🇭     | Yes            | Free / 3.99 EUR/month (Pro)
Bitwarden   | Cloud (open source) | Yes            | Free / 10 USD/year (Pro)
1Password   | Cloud               | Yes            | ~3 USD/user/month

Proton Pass, based in Switzerland, is particularly suitable for Swiss SMEs wishing to combine security, nLPD compliance, and data sovereignty.

Step 5: Regularly Raise Awareness Among Your Employees

Even the best technical solutions are only effective if your employees understand why they are important and how to use them. According to the Verizon DBIR 2023 report, 82% of data breaches involve human error — phishing, weak password, or misconfiguration.

Priority Topics to Cover

  1. Public Wi-Fi: explain why connecting to Wi-Fi in a cafe without protection is risky, and how to use a VPN to secure connections on the go. For Swiss SMEs, Proton VPN offers end-to-end encryption with servers in over 120 countries, hosted in Switzerland.
  2. Phishing: show concrete examples of fraudulent emails and the consequences of clicking on a suspicious link.
  3. Password Management: explain why reusing the same password on multiple services is dangerous.
  4. Incident Reporting: encourage your employees to immediately report any incident or suspicious situation, without fear of reprimand.

You can organize short awareness sessions (30 minutes per quarter is sufficient), send regular tips by email, or use phishing simulation tools to train your employees in a concrete way. The goal is to create a security culture where everyone feels responsible.

Measurable Result: companies that organize regular cybersecurity training reduce their click rate on phishing emails by an average of 75% (KnowBe4, 2023).

Step 6: Plan for Action in Case of Loss or Theft

Even with all precautions, a device can be lost or stolen. According to Kensington, a laptop is stolen every 53 seconds worldwide. The important thing is to have planned how to react before the incident occurs.

4-Step Emergency Procedure

  1. Immediate Reporting: the employee informs their manager and the IT department within one hour of discovering the loss or theft
  2. Access Revocation: immediate deactivation of user accounts and authentication tokens on all platforms
  3. Remote Wipe: deletion of the professional data on the lost device via MDM solutions (Microsoft 365, Google Workspace, Intune)
  4. Incident Documentation: recording in an incident log to meet the requirements of the nLPD in the event of a proven leak of personal data

A robust backup strategy will allow you to quickly restore the necessary data without depending on the lost device. For companies favoring Swiss solutions, Infomaniak's Swiss Backup offers cloud backup with triple replication in Swiss datacenters, guaranteeing nLPD compliance and optimal availability.

Legal Obligation: the nLPD requires notifying the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible in the event of a data breach likely to create a high risk for the persons concerned.

Call on a Trusted Partner

For a Swiss SME without a dedicated IT team, managing all these aspects internally can quickly become complex. An external partner specializing in cybersecurity like Bexxo can assist you in:

  • Defining a BYOD policy adapted to your reality and compliant with the nLPD
  • Conducting a security audit of your infrastructure
  • Implementing the necessary technical solutions (MDM, 2FA, VPN, backup)
  • Training your employees in best practices
  • Helping you react quickly in case of an incident

A good partner does not just sell you software. They take the time to understand your business, your constraints, and your real needs, and offer you proportionate, realistic, and applicable solutions on a daily basis.

Summary: Protect Your SME Without Overcomplicating Things

BYOD is a reality in many Swiss SMEs. Completely prohibiting it is neither realistic nor desirable. On the other hand, managing it with clear rules and adapted security measures is essential.

6-Step BYOD Action Plan

Step | Action                                               | Priority   | Estimated Cost
-----|------------------------------------------------------|------------|---------------
1    | Draft and communicate a written BYOD policy          | Immediate  | Free
2    | Require PIN, updates, and antivirus on all devices   | Immediate  | Low
3    | Implement a containerization or MDM solution         | Short term | Medium
4    | Enable 2FA on all professional access                | Immediate  | Free to low
5    | Train employees (quarterly session)                  | Short term | Low
6    | Test and document the emergency procedure            | Short term | Free

These measures do not require colossal investments or a radical transformation of your organization. They are based above all on common sense, a little method, and continuous awareness. And if you need help implementing them, do not hesitate to contact our experts who are familiar with the challenges of Swiss SMEs.

Frequently Asked Questions About BYOD in Swiss SMEs

What is BYOD and why is it a risk for my SME?

BYOD (Bring Your Own Device) refers to the use of personal devices for professional purposes. It is a risk for SMEs because these devices escape the company's control: they may not be updated, may be shared with third parties, or may connect to unsecured networks, thus exposing professional data to leaks or cyberattacks.

Is BYOD compatible with the Swiss nLPD?

Yes, provided that appropriate technical and organizational measures are put in place: written BYOD policy, data separation, access control, and notification procedure in case of violation. The nLPD, in force since September 2023, imposes strict obligations for the protection of personal data, regardless of the device used.

What is the first step to take to secure BYOD?

The first step is to draft and communicate a clear BYOD policy: which devices are authorized, which data is accessible, and what procedure to follow in case of loss or theft. This step is free and reduces the risk of data breaches by 60% according to the Ponemon Institute (2023).

Should I choose Swiss solutions for my BYOD?

It is not a legal obligation, but it is strongly recommended for Swiss SMEs processing sensitive data. Solutions like kDrive (Infomaniak), Proton Drive, Proton VPN, or Swiss Backup ensure that your data remains hosted in Switzerland, facilitating nLPD compliance and data sovereignty.

How do I erase professional data from a lost device without affecting personal data?

Thanks to containerization and mobile device management (MDM) solutions like Microsoft Intune or VMware Workspace ONE, it is possible to remotely erase only the secure professional space, without affecting the employee's personal photos, messages, or applications.
