Boundaries between personal and work devices are blurring, and employees think they should take some responsibility for data loss or theft, despite ultimate responsibility lying with companies

New research from BAE Systems Detica shows that the boundaries between personal and work devices are blurring - in a typical week almost three-quarters (73%) of office workers now use one or more personal devices, such as smartphones, to do their work; nearly half (45%) use two or more. The online research conducted by YouGov shows, however, that this is not leading to increased security vigilance from staff, thereby increasing the strain on UK businesses’ security operations and their ability to protect their data. 

A third of office employees (30%) do think they should be made directly responsible for data loss or theft, with 44% saying both they and the company should be equally responsible. Only 13% thought it was solely the company’s responsibility.

But despite this, and the increasing use of personal devices for work purposes, a significant proportion of employees are not taking steps to protect the security of their devices. Over one third (34%) of office workers with a personal device have failed to update their personal device security in the last six months, while a further third of those (11% in total) have never installed or updated security for their own devices. Unprotected devices holding sensitive information offer an open goal to cyber criminals looking to extract valuable company secrets. 

The implications of this will be felt most keenly by businesses, especially following recent Information Commissioner's Office (ICO) guidance which clarifies that companies are accountable for the loss of data by their employees, irrespective of whether it was on a personal or work device.1 So, while the boundaries between personal and work devices may be blurring, the responsibility for a security breaches is crystal clear, and lies squarely with the employer.

In addition, it appears that employees underestimate the security threat posed, with half (50%) failing to recognise that unsecure personal devices may potentially make their employer vulnerable to a cyber attack, despite nearly 1 in 5 (18%) experiencing a compromise to their personal device in the past six months.

What is more encouraging is that employees show a willingness to improve security, providing that their employers take the lead.  More than half (53%) would not object to their employer strengthening security for their personal device, compared to just 26% who would object. Employees are therefore willing to engage in the security challenge, but employers need to be proactive.

Yet the online research indicates that companies are not taking advantage of this employee attitude; over a quarter of office workers (27%) claim their company has not outlined any sort of policy on using their personal device for work purposes. 

Vincent Geake, director of secure mobility at BAE Systems Detica, said:

“BYOD policies improve flexible working and allow businesses to be more agile, however if firms fail to protect their employees’ devices, they risk incurring increasing disclosure and financial penalties, not to mention the likelihood of falling victim to cyber attack.

“Our research shows that there is a willingness of staff to engage in the security debate and to share the responsibility for security, but they are really looking for employers to take the lead. Businesses must capitalise on this and educate employees about the risks of using their own devices and non up- to-date security. This is even more pertinent given that responsibility for a security breach involving customer data lies with the company itself and not its staff. 

“The message is clear for employers, engage with your employees and understand the way they want to use personal devices and how this will help your business. Conduct a prioritised assessment of the risk this represents and develop a clear policy explaining how your employees should use these devices and setting out the security measures you need to protect your information. Properly thought through security should provide benefits to your employees without unnecessarily impacting on their enjoyment of their personal devices.”

- Ends -

Media Contacts:

Natasha Davies, Global Head of Media, BAE Systems Detica:
Tel: +44 (0)20 7812 4274
Mobile: +44 (0)7787 297 831

Charlie Eccleshare and Stephanie Noon at Blue Rubicon, on behalf of BAE Systems Detica,
Tel: +44 (0) 20 7260 2700

Notes to editors

  1. Information Comissioner’s Office, Bring Your Own Device (March 2013).
  2. BAE Systems Detica commissioned YouGov Plc to conduct this online research amongst 4283 adults, of which 1897 work in an office. Fieldwork was undertaken in April 2013.
  3. The survey was carried out online. The figures have been weighted and are representative of all GB adults (aged 18+).3. BAE Systems Detica designs, builds and integrates end to end mobile security solutions for government and commercial clients.  We offer carrier-grade cloud-based services for organisations who need to secure smart devices within an existing corporate network and when accessing web services. We protect users and the wider business, their devices, their data and their web applications from increasingly sophisticated security threats.  

About BAE Systems Detica

BAE Systems Detica delivers information intelligence solutions to government and commercial customers and develops solutions to strengthen national security and resilience.

Detica is part of BAE Systems, a global defence, aerospace and security company with approximately 90,000 employees worldwide. BAE Systems delivers a wide range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services. For more information, please visit