Bringing Your Own Device – The Risks
In the first of two opinion pieces, Amethyst's Kevin Sloan considers the risks of bringing your own devices into the workplace
More and more businesses are allowing staff, and contractors, to use their own smartphones, tablets and laptops for work purposes.
This can happen tacitly; for instance, by staff programming corporate email settings into their own kit and attaching it to open WiFi hubs, or as part of a deliberate exercise. Either way, businesses need to ask whether all the risks have been factored in and considered first. Often these initiatives come ‘from the top down’ and security is consulted as an afterthought.
In the rush not to look like a stick-in-the-mud, it often gets overlooked that there were very sensible reasons for only allowing access to business data from company-procured and controlled devices: those within the business get to decide how these things are set up and run.
As with all matters of security, the key starting points need to be 1) awareness of the risks, and 2) sensible approaches to risk management. Plus, more than any other issue, this has direct legal consequences. If the business loses control of its information, there could be dire results.
The key risks you need to be aware of:
You can lose control of business information: it can be read and processed on devices over which you have a reduced level of control, and therefore you also lose control over the information
If your policy forbids it, that does not mean it is not happening: modern devices have novel functions to ease integration with public and private networks - you may need to re-evaluate your current IT to see if there is unexpected access of this type
Classical approaches do not work: there may be limits to how far you can go in controlling these assets, after all they are not owned by the business (e.g. can you legitimately do a complete ‘remote wipe’ of an employee’s phone?)
There are non-security risks as well: how do you go from a situation in which IT supports a narrow set of devices, to one where a full eco-system of all-comers devices needs to be catered for (Windows/Android/Blackberry/Linux)?
There are no magic bullets or perfect solutions here: by adopting permissive Bring Your Own Device (BYOD) policies, you have to accept more risk. It is important to evaluate the risk and provide sensible and effective controls, and to police those controls and continually assess that they work. It is very important that you input your unique local requirements into this assessment, that you do not implement in haste, and that you keep security engaged from the outset.
You need to look at risk controls in the following areas:
Policy – engage legal, HR, security and IT functions to develop a policy that works. There will be cases for which BYOD can be allowed, others for which it can’t
Agreements and Procedures – ensure there are rules that are clearly documented for exactly how BYOD will operate, with a conditional formally signed-up agreement for employees (this may establish rights of the company to, locally or remotely, wipe business data off any leaver’s device)
Training and Education – ensure that BYOD end users are aware of the risks, not just of business use of their devices, but private as well (your company apps may well have to sit alongside personal apps and games)
Technology – it is important to add some key technologies to your IT boundary; this can include Virtual Private Networking, Network Access Control, Mobile Device Management, Information Rights Management, application proxies, virtual desktops and WiFi firewalls to provide a robust interface to your business information
Monitoring and Incident Management – you need to make the commitment to police and manage BYOD access (both legitimate and illegitimate) on a continuous basis. You also need to be able to respond more quickly and more effectively than ever to any incidents involving BYOD (expect there to be losses and thefts).