
Home Worker Security: Using Personal IT Equipment Safely

When employees use personal devices for work, the security boundary between corporate and personal becomes blurred. This guide covers the risks of BYOD (Bring Your Own Device) in home working environments, the controls that mitigate those risks and what UK businesses are legally required to consider under UK GDPR.


Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

The BYOD Reality in UK SMEs

Many UK small businesses operate with an informal BYOD culture that pre-dates the pandemic — employees have always used personal phones to check work email or their home laptop for the occasional weekend task. COVID-19 accelerated this, and for many organisations the return to formal working arrangements left hybrid and home workers using personal devices as a default rather than an exception.

The security risks of unmanaged BYOD are material. In the 2024 Cyber Security Breaches Survey, 39% of UK businesses identified a cyber attack. Personal devices — often running outdated software, without endpoint detection tools and shared with family members — represent a significantly weaker security posture than managed corporate devices.

The Core Risks of Personal Devices for Work

Outdated Software and Unpatched Vulnerabilities

Corporate devices are typically managed through Microsoft Intune, SCCM or similar tools that push patches automatically and enforce minimum OS versions. Personal devices are patched (or not) at the discretion of the individual. A personal Windows laptop running a version behind on cumulative updates may have known critical vulnerabilities that an attacker can exploit.

Shared Devices

A home worker's personal laptop may be used by a spouse, teenager or child. Family members accessing a device that is logged into work email, cloud storage or a VPN creates obvious risks — accidental deletion, access to confidential client information, or a family member falling victim to a phishing attack using the work-connected browser profile.

No Endpoint Detection

Corporate devices typically run an endpoint detection and response (EDR) agent that monitors for suspicious activity, enforces DLP policies and can be remotely wiped if the device is lost or compromised. Personal devices typically run consumer antivirus (or nothing) with no visibility for the IT team and no remote management capability.

Data Residency on Personal Devices

When employees download files, save emails locally or cache data from cloud applications on personal devices, that data sits outside corporate control. If the employee leaves the business, the device is lost, or the device is compromised, corporate and customer data on that device may be exposed or unrecoverable.

UK GDPR Implications

Under UK GDPR, the employer (as data controller) is responsible for the security of personal data regardless of which device it resides on. If a home worker's personal device containing customer data is stolen and the device was unencrypted, the employer may have a reportable breach to the ICO — even though it was the employee's device, not a corporate device.

This creates a clear obligation for businesses to either provide managed corporate devices or implement controls that bring personal devices up to an acceptable security standard.

Controls for BYOD Home Workers

Mobile Device Management (MDM)

MDM solutions (Microsoft Intune, Jamf, SOTI) can extend management capabilities to personal devices with employee consent. The typical approach is to create a managed work profile on the device that is separate from the personal profile. The IT team can manage the work profile (remote wipe the work partition, enforce encryption, require a PIN) without accessing personal content.

Microsoft Intune is included in Microsoft 365 Business Premium (from approximately £19.70 per user per month) and supports Windows, macOS, iOS and Android devices.

VPN and Conditional Access

Rather than allowing direct access to corporate systems from personal devices, route access through a VPN that enforces minimum device compliance checks before granting access. Microsoft Entra ID (formerly Azure AD) Conditional Access can require that a device be enrolled and compliant before accessing Microsoft 365 applications — blocking access from unmanaged devices or those not meeting security requirements.
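The MDM and Conditional Access sections above describe the two halves of the "enrolled and compliant" gate: a compliance policy that defines what a personal device must look like, and a Conditional Access policy that refuses Microsoft 365 sign-ins from devices that do not meet it. The following is an added example, not code from the article or from AMVIA, showing how both can be created with the Microsoft Graph PowerShell SDK. The group object IDs, the OS version floor and the policy names are assumed placeholder values for illustration.

```powershell
# Added example, not code from the original article or from AMVIA.
# Creates an Intune compliance policy for personal Windows devices and an
# Entra ID Conditional Access policy that requires a compliant device plus MFA
# before any Microsoft 365 application can be reached.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an admin account able to consent to the scopes below.

Connect-MgGraph -Scopes @(
    "DeviceManagementConfiguration.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All"
)

$byodGroupId       = "00000000-0000-0000-0000-000000000001"   # placeholder: group of BYOD users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access accounts

# 1. Intune compliance policy: the minimum posture a personal Windows device
#    must meet before Intune marks it "compliant". Thresholds are example values.
$compliance = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "BYOD Windows baseline"
    description           = "Minimum security posture for personal Windows devices used for work"
    osMinimumVersion      = "10.0.19045"   # example floor; raise it as older builds leave support
    bitLockerEnabled      = $true          # disk encryption: a lost laptop then holds no readable data
    secureBootEnabled     = $true
    passwordRequired      = $true
    passwordMinimumLength = 8
    defenderEnabled       = $true
    antivirusRequired     = $true          # some AV must be registered with Windows Security Center
    # Graph rejects a compliance policy with no scheduled action; block non-compliant devices at once
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Target the policy at the BYOD users' group
New-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $byodGroupId
    }
}

# 2. Conditional Access: no compliant device, no Microsoft 365.
#    Start in report-only mode and review the sign-in logs before enforcing.
$ca = @{
    displayName = "BYOD: require compliant device and MFA for Microsoft 365"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" once validated
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the emergency accounts
        }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"                          # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
```

Leaving the policy in report-only mode for a week or two shows, in the Entra sign-in logs, exactly which users and devices would have been blocked; that list is usually the first realistic inventory of unmanaged personal devices a small business has.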

Cloud-First Applications

Where possible, keep work data in the cloud rather than allowing local downloads to personal devices. Microsoft SharePoint, Teams and OneDrive can be configured to prevent downloading of files to unmanaged devices while still allowing viewing and editing in the browser. This significantly reduces the data residency risk on personal hardware.
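The SharePoint and OneDrive restriction described above is a tenant (and optionally per-site) setting. The following is an added example, not code from the article or from AMVIA, showing how to apply it with the SharePoint Online Management Shell; the tenant name and site URL are placeholders.

```powershell
# Added example, not code from the original article or from AMVIA.
# Limits SharePoint and OneDrive on unmanaged devices to browser-only access
# (no download, print or sync), while Intune-compliant or hybrid-joined
# devices keep full access. Assumes the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint administrator account. "contoso" is a placeholder tenant.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide default: unmanaged devices may view and edit in the browser,
# but cannot download files or sync libraries to the local disk.
# Add -AllowEditing $false to make unmanaged access view-only.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Sites holding client personal data can be tightened further:
# unmanaged devices are blocked from this site entirely.
$clientSite = "https://contoso.sharepoint.com/sites/ClientFiles"   # placeholder site
Set-SPOSite -Identity $clientSite -ConditionalAccessPolicy BlockAccess

# Verify the effective settings
Get-SPOTenant | Select-Object ConditionalAccessPolicy
Get-SPOSite -Identity $clientSite | Select-Object Url, ConditionalAccessPolicy
```

The tenant setting relies on Entra ID Conditional Access applying app-enforced restrictions, so after running it, confirm in the Entra admin centre that the matching SharePoint Conditional Access policies exist and are enabled; without them the restriction is not applied.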

Multi-Factor Authentication

MFA is the single highest-impact control for protecting cloud account access from personal devices. If a password is stolen from a personal device, MFA stops an attacker who holds only that password from signing in to work systems. It should be enforced on all work accounts accessed from personal devices, without exception. One caveat: malware on a compromised device can also steal the signed-in session token, which MFA alone does not protect against, so MFA works best alongside the device compliance checks enforced through Conditional Access.

Acceptable Use Policy

A clear, written BYOD Acceptable Use Policy sets out what employees are permitted to do with work data on personal devices, the security requirements they must meet (up-to-date OS, no family sharing of work profiles, mandatory VPN usage), and the consequences of a breach. This policy forms part of the organisational measures required under UK GDPR Article 32.

Corporate Devices: The Cleaner Alternative

For businesses where home working is permanent rather than occasional, providing managed corporate devices is often the more practical long-term solution. The cost of a managed laptop (typically £600–£1,500 for hardware plus device management licensing) is offset by the reduction in security risk, the ability to enforce patches and policies, and the clarity of data ownership when the employee leaves.

AMVIA advises clients on both approaches — implementing robust BYOD controls where personal devices are unavoidable, and building managed device programmes for businesses making the transition to a fully managed endpoint fleet.

Are Your Remote Workers Creating Security Gaps?

AMVIA can assess how personal devices are being used in your business and implement the right combination of MDM, Conditional Access and policy controls to reduce the risk.

Frequently Asked Questions