Security awareness and training policy guidelines to minimise the risk of BYOD in a South African SME
Abstract
Concepts like Bring Your Own Device (BYOD) are not new to organisations. Information technology within organisations is becoming more diverse. In line with the latest technology trends and forecasts, mobile device ownership is growing at an exponential rate, with users becoming more and more tech-savvy. This has a huge effect in the workplace, where employees now choose to use their own devices (known as bring your own device, or BYOD) instead of company phones and laptops. For most organisations, BYOD is arguably very positive, and its benefits and challenges are well documented in the literature. However, like any other technology trend, BYOD has a dark side. In the context of South African Small and Medium Enterprises (SMEs), there is a concern, especially where BYOD is used to address the lack of technological resources in an organisation. The purpose of this research is to investigate the training and security awareness aspect of BYOD. The research will provide comprehensive literature regarding the challenges of BYOD and security awareness and training, and highlight the most important elements that need to be included in the BYOD awareness and training policy to minimise the security risks. The aim is to help SMEs in South Africa by providing a policy guideline and putting together an awareness and training policy for organisations in this sector. An in-depth literature review was carried out to evaluate the extent of coverage for this topic and the motivation for the research. To uncover the security awareness, policy elements and challenges, interviews and surveys were conducted to identify relevant questions for online questionnaires. From the academic side, recent literature has started to examine different aspects of BYOD, including awareness.
Although coverage of this topic for SMEs is very limited and, therefore, arguably not effective for measuring the effectiveness of the policy elements, this study took a highly exploratory design, seeking to fill these gaps by exploring how a training and awareness policy can be utilised to educate and create awareness of BYOD security risks and subsequently minimise the risks in SMEs. The findings of the interviews and questionnaires were cross-referenced with the literature to identify the most relevant awareness and training elements that can be used as a guideline to tackle the challenges of BYOD awareness and training policies.