Up to 84% of organisations globally practise bring your own device (BYOD) in some form, but only half of them officially allow it, according to a recent report.

While the convenience and cost saving of employees using their own personal devices for work is undeniable, there are many security risks involved too, particularly in hybrid and remote work environments, asserts Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa.

It’s becoming increasingly common for organisations to expect employees to use their own personal devices for work, such as smartphones, tablets and laptops, and employees seem to prefer the level of freedom it gives them. From an organisational perspective, companies stand to save an average of R5 000 per employee every year when employees use only their own mobile devices, with two-thirds reporting that it boosts their productivity.

In South Africa, this trend has also become ubiquitous. “BYOD, particularly with smartphones having access to corporate email accounts, has become the norm for a lot of South African organisations for many years already,” asserts Collard.

“While organisations in the financial services sector will have stricter policies, many start-ups, SMEs and even some larger organisations often allow, or even expect, employees to use their own phones and laptops, sometimes without formal policies in place.”

While flexible and convenient, she believes this informal approach introduces significant cyber and compliance risks. The new KnowBe4 Africa Human Risk Management Report 2025 highlights that up to 80% of employees in Africa use personal devices for work, with broader studies finding 70% of these devices are unmanaged – a critical blind spot for many organisations.


BYOD blind spots

The most notable cybersecurity risk associated with BYOD is data leakage. “Personal devices can easily leak sensitive data through unsecured apps, cloud storage or public WiFi,” she explains. “Without proper controls, even a misplaced phone can become a breach vector.”

Another security blind spot is employees downloading malicious apps. “Employees may unknowingly install apps that contain malware,” Collard comments. “Some apps mimic legitimate ones, but secretly harvest data or open backdoors into corporate systems.” This also extends to “shadow IT” – the use of unapproved applications or services – which can proliferate via personal devices, creating unmonitored entry points for attackers.

A further risk is outdated software. “Personal devices may run outdated operating systems or apps, making them vulnerable to known exploits,” she says. “IT teams often lack visibility to patch non-managed devices, and a large percentage of people have ‘an update is ready to be installed on your device’ notifications that have been hanging around for ages, unactioned.”

In addition, many employees may have a false sense of security about their phone or laptop, especially since almost half of Gen Z respondents (48%) take cybersecurity protection on their personal devices more seriously than on their work devices, according to an Ernst & Young survey in the US. “Just because it’s my device doesn’t mean it’s secure for sensitive work data,” stresses Collard. “A weak BYOD policy opens the door to data leaks, shadow IT and insider risk.”


What organisations should do

In order to mitigate these risks, organisations need to come up with a robust BYOD policy. “It starts with policy and awareness,” she states. “Organisations must have a clear, communicated BYOD policy – what’s allowed, what’s not and what minimum protection is expected.”

Some useful technical controls include strong passwords, multifactor authentication (MFA), encryption, endpoint security and patching. Organisations can also segment their networks to isolate personal devices from critical corporate assets. “Mobile Device Management (MDM) tools can enforce some controls,” concedes Collard, “but they can’t replace human vigilance.”

She is a firm advocate of security awareness training to heighten awareness of cybersecurity risks, especially among younger employees, who are more likely to use the same passwords for their personal and professional accounts. “Organisations need to educate employees on the specific risks of BYOD, beyond ‘don’t click links’,” she says.

This is crucial, as 96% of organisations believe their employees might fall for more attacks in the future due to AI use by bad actors.

The KnowBe4 Africa Human Risk Management Report 2025 further highlights that AI policy remains a governance blind spot in many organisations, with 46% still developing formal AI policies – making employee education on AI-related BYOD risks even more critical.

“Organisations can simulate attacks that leverage BYOD vulnerabilities, such as phishing specific to mobile apps, while fostering a culture where employees feel comfortable reporting potential incidents on personal devices without fear of reprisal.”

Alongside security training, Collard is an advocate of digital mindfulness, which she describes as an important weapon against cybersecurity threats. “Being digitally mindful helps employees slow down, become aware of risky moments and question suspicious behaviour, especially on personal devices,” she says.


Managing the human element

Even though privately owned devices may appear to be the problem, managing the human element is absolutely key to mitigating BYOD security risks. “A device is just a tool; what matters is how we use it,” Collard emphasises. “You can have the most secure set-up, but if someone is rushed, tired or emotionally triggered, they’re more likely to click on a malicious link or fall for a scam.”

She is adamant that organisations need to train their employees’ attention and awareness to build resilience, not just rely on tools. “Ultimately, it’s a combination of the right technology and human vigilance,” she concludes.