How to defuse the BYOD bomb without going nuclear
The proliferation of personal devices in the workplace poses serious security challenges for organisations. The ‘nuclear option’ of imposing an all-out ban is not the only way to neutralise the potential threat from ‘bring your own device’ (BYOD).
History shows that prohibition is rarely the most effective way to put an end to any ubiquitous and favoured practice. Not only is a ban difficult to monitor and enforce, but any policy of zero tolerance will spawn workaround attempts that can present even greater dangers.
For many organisations, there is another more practical way to subdue the BYOD goliath without killing off all employee freedom to use preferred devices for work – the answer lies in supporting BYOD working, with a combination of robust policy and technology to protect data and avoid legal complications.
There are alternative approaches that fall somewhere between supporting BYOD and banning it altogether. Organisations may be able to deter BYOD by improving corporate equipment: an option that comes at significant cost and still won’t satisfy everyone. Or, they may opt for a different model of provision such as ‘corporately owned, personally enabled’ (COPE) with some flexibility to ‘choose your own device’ (CYOD).
It is always worth looking at people’s motives for bringing their own IT to work: users may be frustrated with poor performance of low-spec corporate devices. If so, providing good IT with a great user experience could be the answer.
The bottom line is that some employees like using their own devices. It is two years since research showed 60% of people in the UK used personal devices for work, more than half of UK homes had a tablet, and smartphones were the number one choice for getting online.
With personal devices being so pervasive and the line between work and home life becoming increasingly blurred, ultimately the most practical approach to the threat posed by BYOD is to manage the practice effectively and securely.
When an organisation supports BYOD working, it assesses and addresses the risks. BYOD by stealth is much more treacherous.
How to support safe BYOD working
The main concerns with BYOD are data security and increased support overheads, so you need to recognise and understand the challenges and work with employees to manage the risks.
When employees use corporate hardware to access office information, it is relatively simple to limit file sharing and internet use. Yet when personal devices are introduced, organisations lose control. The user might own the device, but it is the employer who has legal responsibility for any work data on it, including any personal data about employees and consumers.
As a data controller, the employer must ensure that “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.”
While loss of personal data may result in legal proceedings and fines, losing corporate data can be just as damaging, as organisations might face consequential damages, brand damage and lose business.
The data controller must consider these questions:
- Can a personally-owned device be effectively managed by the organisation for the complete duration of its access to company material?
- What are the implications if a non-company-owned device is lost or stolen?
- How do we manage the risk of corporate information being shared inadvertently, for example by automatic syncing to Dropbox accounts on shared personal devices?
While it may appear cost effective for employees to take responsibility for their own devices or supplement corporate equipment with their own, managing this enlarged ecosystem effectively can be difficult.
The more manufacturers, models and platforms involved, the more complicated management becomes. Devices must be able to access corporate – sometimes proprietary – systems, and compatibility issues can be challenging. All of this must be factored into application planning.
Policy and technology in tandem
IT policy must be clear and practical, properly communicated, and in line with legislation. There is a significant amount of official guidance available from the Government and the ICO on how best to implement BYOD policies:
- Try to keep red lines to a minimum so they can be readily understood and enforced; define which sensitive business and client data is ‘off limits’ for BYOD.
- Encourage good practice – for example, ensure sensitive information is centrally stored and accessed through a secure virtual desktop or thin client, rather than placing it on network drives where it could be copied to BYOD or uploaded to storage sites.
- Back up your BYOD policy with robust practical processes – for example, introduce easy ways for colleagues to share information securely.
- Make sure you can enforce the policy – for example, by being able to audit the data stored on devices.
- Use technology to support your policy – for example, could the IT team revoke access to business systems if a device were lost or stolen?
- Finally, don’t just turn a blind eye to BYOD use; acknowledge it and set limits.
With the right policy and technical measures in place, organisations can protect themselves, their employees, and their data from the risks associated with BYOD.
Author: Adrian Dain, Principal Consultant at Mason Advisory – published in Infosecurity Magazine.