Bring Your Own Device (BYOD) is a relatively recent trend (c. 2009) in behaviour where employees use their own mobiles, iPads, and laptops at work, for work. The drivers for BYOD are often to do with convenience but also because the technology individuals own is often more advanced than the hardware your average IT department would deploy. Many IT departments struggle to keep right up to date with every aspect of the latest technology, and an ever-increasing amount of people (e.g. millennials) are now more likely to be IT ‘self-sufficient’.
While in some industries BYOD has been common practice for some time, in others it’s only just gaining traction. This is causing business leaders, information security professionals and IT support a few sleepless nights. While there are clear benefits for promoting BYOD working for most companies and organisations, there are also risks that can have serious implications for IT security, data protection and compliance.
Benefits of BYOD
There are plenty of upsides to BYOD. It can bring employees increased satisfaction through better and easier access to corporate data, emails, and grant the flexibility they need to use the Cloud to get work done; particularly when working remotely.
Likewise, for an employer, BYOD can bring a subsequent increase in productivity, as well as reduced hardware costs, licencing fees and resource needed for carrying out maintenance.
However, it could be argued that the sheer number of downsides relating to BYOD mean that your business or organisation could be allowing additional risk factors into your corporate infrastructure.
What are the biggest risks of BYOD?
Here, we look at the key risks organisations should be aware of when it comes to BYOD:
1) No BYOD policy exists
Perhaps the biggest risk factor of all. All organisations should have a BYOD policy in place to protect themselves against being exposed to an attack through, for example, a virus or a hacker – both of which could lead to both financial or legislative penalties and reputational damage. An effective BYOD strategy will enable your IT department to secure both the devices and the data.
2) Complex security issues
Security issues will often clash with the overall convenience BYOD can bring. These include:
- Data loss through physical loss or theft of the device, or through ‘cross contamination’, where corporate data may be accidentally deleted due to the fact it can be so intertwined with the user’s personal data.
- Data leakage through the device not being adequately secured
- Local exposure – where data being transmitted is not subject to the right controls
- Public exposure – unacceptable use of a personal device by a family or friend, or a vulnerability through public Wi-Fi usage and connecting to personal networks – including the use of Bluetooth.
- Malicious and rogue apps – downloaded to a personal device and not pre-approved / controlled by IT to protect the user.
- An increased vulnerability to insider attacks due to the inherent use of an organisation’s local area network.
3) Definite privacy issues
Due to the fact that employees’ BYODs will naturally be accessing a number of different platforms, servers and networks during the course of a working week, their employer could also legally access them.
It can all seem a bit ‘Big Brother’ when you start to realise that your organisation has the potential ability to read private emails, messages, and access other personal data. There’s a fine line, though most experts agree that employers aren’t really interested in individuals’ personal lives; they just want to ensure that company data and systems are effectively secured.
How do you counteract the risks caused by BYOD?
The ideal scenario for both employees and the organisation is that your IT department has secured all organisational and employee-owned devices appropriately, that mobile applications have the right controls applied, and that corporate and personal data is not subject to leakage or security threats.
Underpinning this is the presence of:
- A comprehensive BYOD policy, including pairing solutions which work well together in tandem, such as Next Generation Network Access Control (NAC) and Mobile Device Management (MDM) for example
- Your IT capability extending to 24/7 monitoring to identify potential threats – with the ability to respond to any incidents ‘intelligently’ through disaster recovery and back-up procedures
- IT solutions which embody rules which are practical, yet not too intrusive. This could include the ability to remotely wipe data, or device tracing (e.g. in case of theft or loss)
- An effective Data Loss Prevention (DLP) strategy which is built with effective rules to ensure that commercially sensitive data is not sent outside of the internal network
Occasionally, you may come across a ‘rogue’ employee, who either pays no mind to general policies and conduct rules or just thinks that they simply know better. Effective internal training to upskill and educate staff on topics such as data security, identity fraud and cybercrime can work wonders in turning behaviours like this around.
Successfully mitigating against BYOD risks means that your workforce will ultimately benefit from gaining increased working mobility and flexibility, and your business needs not fear its IT security being compromised via BYOD.
To find out more about how we’ve supported clients with their BYOD policies, read our case study on Dutton Gregory. This solicitors firm needed to give their partners and staff the ability to work remotely from different sites, but also balance compliance regulations and their clients’ concerns over data protection. We enabled them to get the benefits of a more mobile workforce and BYOD, without compromising sensitive data. Read our case study here.