This in-depth look at BYOD and its increasing use in the workplace gives a great overview of what every company needs to consider when thinking about implementing a BYOD scheme. Whilst for many, security remains an issue, with strong policies and MDM software, BYOD is now completely manageable.
Bring your own device (BYOD) describes a situation where employees use their personal computing devices in the workplace. It’s employees using smartphones, tablets, netbooks etc., to access business enterprise content or networks.
BYOD also takes in software and services, as employees use cloud resources and other tools on the web in order to connect to the company intranet.
Benefits of BYOD
Familiarity with their own equipment, and the option to work flexible hours can lead to improved job satisfaction and increased efficiency for employees. As workers explore the technical capabilities of their phones and PDAs, organisations can reap the benefits of employee collaboration, through greater productivity and creativity.
BYOD can also provide cost savings. These range from initial capital expenditure, to on-going usage and IT helpdesk support, as employees invest in their own devices. Through extensive Wi-Fi networks, workers have access to back office infrastructure, regardless of their location.
In today’s offices, BYOD is fast becoming the norm, rather than the exception.
Allowing employees to use their own devices to access company information gives rise to a number of issues.
Primarily, the employee owns and, to some extent, maintains and supports the device. As such, management will have much less control, in comparison to equipment owned by the company.
In order to address this, companies need to enforce security policies at a device level, and protect intellectual property and customer details if that device is ever lost or stolen. Breaches of customer data can significantly affect trust and business relationships, which take time and effort to rebuild. It can also lead to large fines being imposed on a company that doesn’t enable encryption on the employee device.
To comply with its data protection obligations, a business must have answers to some critical questions.
· Who owns the device? In the past, the company owned the devices. With BYOD the devices are owned by the user
· Who manages the device? Today it could be either the company or the end user
· Who secures the device? Bearing in mind that the data carried on it is company-owned. Just because they personally own the device, a user can’t escape some accountability for this.
As an employer, you’ll need to address these BYOD issues before enabling employees to bring their own devices to work. For example, by:
· Ensuring that work data won’t be merged with an employee’s personal data
· Ensuring that non-employees (such as family members who use the device) do not access work data
· Setting protocols for what happens when an employee loses a device or resigns.
Plugging the Leaks
Sensitive company data could find its way onto employee-owned devices in any number of ways. The following are most common:
1. When an employee adds his or her company email details to a smartphone. A personal device is now storing sensitive corporate data, as well as all the employee’s private information. If it’s an iOS or Android device, the employee will probably synchronise it with their personal computer.
2. Google Docs, file-sharing services like Dropbox, and the apps that work with them, such as Documents To Go or Quickoffice, represent another risk. Such services are sometimes blacklisted in BYOD set-ups.
3. Text and instant messages may contain sensitive information that could be unwittingly stored on a mobile device – especially if an attachment is involved.
4. Employees will often copy business information directly from a desktop or laptop to a smartphone. A convenient way to collaborate on the move but of course, it also loads the mobile device with potentially sensitive data.
5. With many handheld devices supporting VPN software, remote access to corporate networks is increasingly common. Once connected via a VPN, a smartphone becomes a node on the internal network (with all the rights and privileges of its user), making it easy to copy sensitive data to the phone’s hard drive.
6. Many users don’t protect their phones with a PIN or password. All the information on the device is exposed to anyone who picks it up. And if the device supports remote access, the data on corporate servers may be vulnerable, too.
If it hasn’t already, your company’s acceptable use policy must be updated to embrace smartphones and tablets. You’ll need a clear BYOD policy, so employees connecting their devices to the company IT systems clearly understand their responsibilities.
Employees should be made to understand that their personal data (such as bank details, logons and private emails) needs to be secure – as does the business information on mobile devices.
An audit should be carried out on the types of personal data to be accessed, and the specific devices to be used.
A policy should also clarify who owns the data on the consumer devices, and what the users’ responsibilities are. It should require users to:
· Register their personal devices before using them for company business
· Notify the company if devices are lost or stolen
· Protect their devices with a secure password
· Only access the company network using an approved method, such as a VPN
· Install (and regularly update) security software, like antimalware and remote-wipe applications
You may also want to restrict the sensitivity of information that employees can access on their devices. This is especially true if you have protectively marked data.
A multidisciplinary team should be formed to develop a co-ordinated BYOD policy. This should include IT, human resources and legal. Their aim should be to identify business objectives and benefits, while taking into account security, audit and data protection requirements.
A blanket ban on personal devices is unlikely to work. Employees may simply go underground – ending up unmonitored by your security policies.
The challenge your security officers face is to implement BYOD policies while reassuring your employees that Big Brother’s only watching in a benign way. They’ll be more willing to use their personal devices within the rules you set for them.
A BYOD agreement checklist (PDF) from the Security for Business Innovation Council recommends the following:
- · Ensure that end users are responsible for backing up personal data
- · Clarify lines of responsibility for device maintenance, support and costs
- · Require employees to remove apps at the request of the organisation
- · Disable access to the network if a blacklisted app is installed, or if a device has been jail-broken
- · Specify the consequences for any violations to the policy
The mobile device management (MDM) market offers many integrated and standalone tools to manage sandboxed enterprise applications, corporate data containers, and secure web browser environments.
Some MDM products can be configured to collect and display location and call histories from corporate devices, but not BYODs. Such options emerged in response to privacy regulations and concerns across international boundaries.
By providing safeguards against the deletion of personal data from apps or content, MDM allows a company to extend BYOD to a much larger audience.
Many employers are reluctant to allow BYOD as a convenience, as they discover they’re not in compliance with some country’s regulations. Though rules vary from country to country, many require informed consent to access personal information.
This has led to enrolment processes that notify users about all possible MDM capabilities – whether employed or not. Customised “terms of service” then describe how the employer intends to manage the BYOD.
Employers must specify what information will be collected, what actions can be taken, and what workers must agree to in order to complete enrolment and gain access to business data and systems.
The ICO Guidelines
The UK Information Commissioner’s Office (ICO) recently published BYOD guidance for employers on how to comply with the UK Data Protection Act 1998. The ICO guidance cites data security as a prime concern for employers. Significantly, BYOD should not introduce vulnerabilities into existing secure environments.
Employers should consider the use of a sandbox or ring-fencing of data, e.g. by keeping data contained within a specific app. And if a device is lost, the data on it should be kept confidential, and retained via a backup facility.
In terms of data protection and security breach risks, the ICO guidance recommends companies consider the following:
· Which type of corporate data can be processed on personal devices?
· How to encrypt and secure access to corporate data
· How the corporate data should be stored on personal devices
· How and when corporate data should be deleted from personal devices
· How data should be transferred from a personal device to the company servers
The ICO also recommends:
· installing antivirus software on personal devices
· providing technical support to the employees on their personal devices when used for business purposes
· a “BYOD Acceptable Use Policy” providing guidance to users on how they can use their own devices to process personal data and corporate – but only process corporate personal data for corporate purposes.
· Companies must inform employees of the extent of monitoring, and ensure they’re satisfied that the monitoring is justified by real benefits and does not unnecessarily infringe on privacy
In terms of legal risk, losing employee or client data could result in a company breaching the UK Data Protection Act. This could leave the company vulnerable to legal claims brought by the employee or client in question, or a fine imposed by the ICO.
What the Government Also Says
As of September 2013, the UK government has issued security approval for public sector organisations to offer BYOD schemes for employees to access data and applications using their own smartphones and tablets.
The End User Devices Security and Configuration Guidance policy was issued by CESG, the information security arm of GCHQ. It follows numerous public bodies, such as local councils, in seeking to introduce BYOD schemes.
The guidance states that any mobile device must be returned to factory settings before it can be used to access government data. Also, the device must be able to be fully managed by the employing organisation throughout the life of its use for mobile working.
The policy also provides detailed advice for a wide range of possible products and operating systems. Devices using Android 4.2, BlackBerry 10.1, Apple iOS6, Windows 7 and 8, Windows Phone 8 and RT, Ubuntu 12.04, OS X 10.8 and Google ChromeOS 26 are all on the list.
CESG recommends 12 security controls that need to be considered, including:
· in-transit and at-rest data assurance
· secure boot
· application sandboxing
· whitelisting apps
· malicious code detection and prevention
· an incident response plan for security issues such as lost devices
Geo-fencing is the process of combining current location with BYOD policy. Disabling cameras on mobile devices when they are inside high-security areas would be an example.
Geo-fencing has been used in education, to enforce policies that prohibit taking pictures of students or require secure web browsing on campus. Similar measures have been put in force for retail environments.
Using GPS technology, geo-fencing can be applied in cases where it’s helpful to re-provision a device based on its location.
Other Real-world Applications
One way to restrict the flow of corporate data onto employee devices is to use technologies like Microsoft’s ActiveSync. Users can manage their mail, contacts and calendars without a direct connection to the corporate network.
Instead of allowing BYODs to access core network resources, employers can selectively publish enterprise data to new mobile apps. Users get the data they need, while the company ensures it can be accessed securely and wiped quickly and easily if necessary.
Selective wipe – deleting only corporate settings, data and apps – can protect business assets while leaving personal data and settings intact. Users must agree to give IT some control. For example, if a device goes missing, calling in first so that the phone can be wiped, before calling the provider.
Image: Michael Coghlan