Why Letting Employees Use Personal Devices for Work Could Be a Costly Mistake

As remote and hybrid work become more common, many businesses—especially in healthcare, accounting, and other professional services—allow employees to use their own devices to access company systems. This arrangement feels flexible and cost-effective… until it results in a breach.

Here’s why unmanaged “Bring Your Own Device” (BYOD) access is a serious threat—and what real-world breaches teach us.

  1. Lost or Stolen Devices = Data Breaches

Case in point: In 2020, Lifespan Health System in Rhode Island was fined over $1 million after an employee’s unencrypted personal laptop, used for work, was stolen from a car. That device contained over 20,000 patients’ protected health information (PHI). Because there was no encryption or tracking on the device, regulators determined the company lacked appropriate BYOD safeguards (source: HIPAA Journal).

  2. Malware & Phishing Love Personal Devices

Employees are more likely to check work email on personal devices while multitasking, making them easier phishing targets. A 2023 report from Verizon showed that 74% of all data breaches involved the “human element,” and phishing on personal devices played a significant role in remote work-related attacks.

  3. SMBs Are Prime Targets

Don’t assume you’re “too small” to be targeted. In 2024, a small Midwest accounting firm (about 50 employees) had over 127,000 client records, including Social Security numbers, stolen during a cyberattack. While the exact entry point wasn’t revealed, these attacks often stem from personal laptops or remote logins lacking proper protections.

According to a 2023 Ponemon study, 68% of organizations experienced breaches directly tied to unsecured endpoints, such as employees’ personal laptops and phones.

  4. Compliance Penalties Are Costly

The financial industry is also cracking down. FINRA fined multiple firms—and even individual brokers—for using personal phones and messaging apps for business communication, a direct violation of data retention and supervision requirements. In one case, a $40,000 fine was issued to a single rep in 2023.

  5. No Visibility = No Control

Without mobile device management (MDM) or endpoint monitoring, your IT team can’t see which personal devices hold company data, enforce protections on them, or remotely wipe that data when a device is lost, leaving a gaping security hole.

Quick Stats to Keep in Mind:

  • 67% of companies have suffered a breach due to BYOD use (JumpCloud, 2023)
  • 93% of lost/stolen devices contain sensitive company data (Bitglass)
  • Healthcare data breaches caused by lost or stolen devices account for 68% of non-hacking incidents (Bitglass/OCR)

What’s Next?

If your team is accessing EMRs, file shares, SharePoint, Teams, or other sensitive platforms from personal devices, it’s time to evaluate the risk. The next post will walk through secure BYOD policies and solutions—but awareness is step one.

Need help reviewing your current remote access practices? Let’s talk.