As technologies like iPads and smartphones have gotten more popular and user-friendly in recent years, many businesses small and large have instituted so-called “bring your own device” (BYOD) policies. A Gartner survey of CIOs last year found that about half of U.S. employers planned to install a BYOD policy by 2017.

The idea is that employees can use technologies and devices they’re already familiar using at home for work, and the business, in turn, can save money by not having to buy and service workers’ devices. Win-win, right?

Be very careful, data security experts say.

Allowing employees to use their own devices for work poses a data-security threat, particularly to small businesses that already have to worry a lot about data security and breaches. A small business may not have the policies and procedures in place to adequately ensure their workers’ devices are protected against viruses and malware that may steal information. Even if a business can save money by asking workers to use their own devices, they could lose a lot of money, too, if business information is stolen off a workers’ personal device.

“From my perspective, the short-term capital savings from BYOD is easily outweighed by the expense and reputational damage to an organization that’s possible when an employee clicks on malware, a phishing scam or other compromising media,” writes Adam Levin, former director of the New Jersey Division of Consumer Affairs, on Forbes. “Devices are lost (or loaned out). There are too many variables, and any personal device that connects to the company network where sensitive data is accessible has to be considered a liability, be it a phone, tablet or computer.”

Levin offers some advice to small companies that still want to institute a BYOD policy despite the risks:

Train your employees well. Make sure your employees know how to use their devices safely, including using password protection and not downloading free antivirus software that may actually be a virus in disguise.

Set up their devices for them. Don’t assume your employees will take all the security protocols you would expect them to—even if you train them. The business should install the firewalls, licensed software and business encryption software on any personal devices being used for work. No personal device should be allowed to access sensitive business information and data unless it’s been set up with all the right protections and software.

Limit data access. If you’re allowing employees to use personal devices for work, it’s especially important to create policies around who can access company data and information and from which devices. That may include only allowing employees to use work-issued devices to access certain data or only giving a select group of employees access to important data and internal.

Read more articles on BYOD.

Photo: Getty Images