Is bring your own device an institutional information security risk for small-scale business organisations?

The use of employees´ own mobile devices, under the pretext of `bring your own device´ (BYOD), to access vital information assets has far reaching implications for an organisation´s information security. BYOD is a potential solution to information technology budget constraints and also a means to increase employee satisfaction regarding the usage of one´s own devices at the work place. This practice challenges the conventional philosophy that only an organisation´s devices should be used to access critical organisational information. However, BYOD practice has security concerns associated with it. An organisation that adopts BYOD may find it difficult to account for and manage the various devices employees may use, and control how those devices are used. There are fears that some small-scale organisations may adopt the BYOD strategy too soon placing themselves and their data at risk. BYOD could be an additional security problem which an organisation has to contend with. This paper acknowledges the positive contributions that BYOD could make to organisations. It also discusses the bases on which BYOD could be treated as an institutionalised information security risk for many small-scale organisations which adopt it. The purpose of this paper is to critically analyse and assess both the benefits and risks associated with BYOD that may militate against its adoption by small-scale organisations in emerging economies. The paper also seeks to establish whether BYOD is an institutionalised information security risk or not.