Business Report

Uncovering the cybersecurity risks of personal devices in the workplace

Karen Singh | Published

As personal devices become integral to the workplace, organisations must remain vigilant against hidden risks to protect sensitive data.

Image: IOL / Ron AI

As the hybrid work model continues to reshape workplaces across South Africa and beyond, Bring Your Own Device (BYOD) has transitioned from a mere perk to a foundational practice for countless organisations.

While the convenience and cost-effectiveness of using personal devices such as smartphones, tablets, and laptops cannot be overstated, this evolving trend is also opening doors to significant cybersecurity vulnerabilities that many companies have yet to adequately address.

A recent report, the KnowBe4 Africa Human Risk Management Report 2025: The Human Element in African Cybersecurity, highlights these pressing concerns.

The study gathered insights from 124 cybersecurity decision-makers across 30 African nations, unveiling that around 80% of employees in Africa use personal devices for work. Alarmingly, 70% of these devices remain unmanaged, which heightens the cybersecurity risks that organisations face.

The findings in the report call on African cybersecurity leaders to build deeper resilience, not just by investing in technology, but by elevating the human element of security through structure, governance, and tailored behavioural interventions.

“The human layer is not a flaw to fix, but a frontier to strengthen. Awareness is only the beginning. The future of Africa’s cybersecurity depends on the actions that follow,” it said.

Anna Collard, senior vice president of Content Strategy and Evangelist at KnowBe4 Africa, said BYOD, particularly smartphones with access to corporate email accounts, has been the norm in many South African organisations for several years.

“While organisations in the financial services sector often have stricter policies, many start-ups, SMEs, and even some larger organisations often allow, or even expect, employees to use their own phones and laptops, sometimes without formal policies in place.”

According to Collard, this informal approach to personal devices introduces significant cyber and compliance risks, as unmanaged devices are a critical blind spot for many organisations.

“Personal devices can easily leak sensitive data through unsecured apps, cloud storage, or public Wi-Fi,” she said, adding that without proper controls, even a misplaced phone can become a breach vector.

Another security blind spot is employees unknowingly installing malicious apps, she said.

“Some apps mimic legitimate ones, but secretly harvest data or open backdoors into corporate systems.”

She said the use of unapproved applications or services, known as “shadow IT”, can spread through personal devices.

This creates unmonitored entry points for attackers, posing a significant security risk.

Collard said another risk is outdated software: personal devices may run old operating systems or apps with publicly known, exploitable vulnerabilities.

“IT teams often lack visibility to patch non-managed devices, and a large percentage of people have ‘an update is ready to be installed on your device’ notifications that have been hanging around for ages; unactioned.”

Collard warned that a weak BYOD policy opens the door to data leaks, shadow IT, and insider risks.

She advised organisations to adopt a robust BYOD policy, backed by awareness training, to mitigate these risks.

“Organisations must have a clear, communicated BYOD policy – what’s allowed, what’s not, and what minimum protection is expected.”

Collard said organisations can implement several technical controls, such as strong passwords, multifactor authentication (MFA), encryption, endpoint security, and regular patching.

Network segmentation is another useful control, allowing organisations to isolate personal devices from critical corporate assets.
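As an added illustration of that isolation (this is not code from the report or from KnowBe4), the following nftables ruleset for a Linux gateway places personal devices on their own VLAN and lets them reach the internet and one corporate mail gateway over HTTPS, while dropping and logging everything else bound for internal address ranges. The interface names, address ranges and host addresses are assumed for the example.

```nftables
# Added example: gateway ruleset isolating a BYOD VLAN from corporate assets.
# Interface names (byod0, corp0, wan0) and all addresses are assumed.
table inet byod_segmentation {
    # Internal ranges that personal devices must not reach directly
    set corp_assets {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 10.20.0.0/16, 192.168.100.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Personal devices may reach the mail gateway, and only over HTTPS
        iifname "byod0" ip daddr 10.10.5.10 tcp dport 443 accept

        # Name resolution via the corporate resolver
        iifname "byod0" ip daddr 10.10.5.53 udp dport 53 accept

        # Anything else from BYOD towards corporate ranges is logged, then dropped
        iifname "byod0" ip daddr @corp_assets log prefix "byod-to-corp-denied " counter drop

        # BYOD to the internet is allowed
        iifname "byod0" oifname "wan0" accept

        # The corporate segment keeps its own outbound policy; it cannot be
        # reached from byod0 because no rule above permits that direction
        iifname "corp0" oifname "wan0" accept
    }
}
```

Check the file with `nft -c -f byod.nft` before loading it with `nft -f byod.nft`. Two points matter in practice: the order of rules means the single allowed corporate destination is matched before the blanket drop, so that one path (the mail gateway) is where MFA and device checks should be enforced; and the logged drops give the security team a signal when a personal device starts probing internal ranges, which is exactly the behaviour a compromised or malware-laden phone would show. If the corporate network also carries IPv6, a matching `ip6 daddr` set and rules are needed, or the isolation is incomplete.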

She warned that Mobile Device Management (MDM) tools can enforce some controls, but they cannot replace human vigilance.

“Organisations need to educate employees on the specific risks of BYOD, beyond ‘don't click links’.”

This is crucial, she stated, because 96% of organisations believe their employees could fall for more attacks in future as attackers adopt AI.

The report also found that AI policy remains a governance blind spot in many organisations, with 46% still developing formal AI policies, making employee education on AI-related BYOD risks even more critical.

“Organisations can simulate attacks that leverage BYOD vulnerabilities, such as phishing specific to mobile apps, while fostering a culture where employees feel comfortable reporting potential incidents on personal devices without fear of reprisal.”

The report found that North Africa leads in BYOD usage but falls short in training frequency, raising operational risks.

Meanwhile, Central and West Africa face the highest security incidents linked to human factors, highlighting the urgent need for enhanced mitigation strategies.

Southern Africa excels in training but struggles with AI policy development, revealing a critical gap in proactive governance.

Collard noted that digital mindfulness is an important weapon against cybersecurity threats.

“Being digitally mindful helps employees slow down, become aware of risky moments, and question suspicious behaviour, especially on personal devices.”

Even though privately owned devices may appear to be the problem, managing the human element is absolutely key to mitigating BYOD security risks, said Collard.

She said a device is just a tool; what matters is how we use it. “You can have the most secure set-up, but if someone is rushed, tired, or emotionally triggered, they’re more likely to click on a malicious link or fall for a scam.”

Based on the report, African organisations need to embed resilience into every layer of their operations, especially the human layer. The report makes the following recommendations:

  1. Tailored Training: Move beyond generic training programmes. Cybersecurity education should be customised to each employee's role and their specific risk exposure, especially in industries with diverse risk profiles. 
  2. Meaningful Measurement: Establish clear metrics to assess training effectiveness. Go beyond simple participation rates. Consider incorporating data from security proficiency surveys, culture assessments, phishing simulation results, and incident reporting trends. This approach helps justify budget allocation and pinpoint areas needing improvement in workforce readiness. 
  3. Clear Incident Reporting: Employees need explicit guidelines on how and when to report potential security incidents. Crucially, they must trust the reporting process. This requires clear and easy-to-follow reporting paths, immediate feedback, regular phishing simulation tests, and strong executive support. 
  4. Bridging the AI Governance Gap: Develop and enforce policies governing AI usage, particularly generative AI tools. While AI offers significant advantages, without proper oversight, it can become a serious security vulnerability. 
  5. Region- and Sector-Specific Strategies: Cybersecurity strategies must be adapted to local contexts. What proves effective in East Africa may not be suitable for Central Africa. Strategies should consider the unique regulatory, cultural, and operational characteristics of each region.

Have thoughts on this topic or other subjects you’d like us to explore? Want to share your experiences? Reach out to me at karen.singh@inl.co.za – I’d love to hear from you!