A recent survey revealed that almost half of UK employees use their personal devices (laptops, smartphones and tablets) for work. Employees' personal devices are often more powerful and easier to use than what the company assigns them, and employees expect the freedom to use those devices for work. Rather than fight the inevitable, most companies now allow this, but many do so without giving any guidance on how the devices should be used in that capacity. That should be a real concern: corporate information accessed on a personal device that is not properly secured is a security risk to the company, whoever owns the hardware.
The benefits and risks involved with BYOD
A well-run BYOD policy can be highly beneficial to a company. The benefits include:
- Increased flexibility through working remotely
- Increased efficiency
- Improved employee job satisfaction
The risks are specific to each organisation, but one is common to all of them: the company has far less control over a personal device than over one it owns. The employee owns, maintains and supports the device, yet the company remains responsible for the corporate data on it and will be liable if a security breach occurs, regardless of who owns the device. It is therefore essential that the company has procedures in place to keep the data on these devices secure at all times. The problem is multiplied by scale: the company is not dealing with one such device but with a large and changing population of them.
To regain control over the data being accessed, processed or stored on these devices, the company should assess the following:
- What type of data is held or processed on the device
- Where will the data be stored
- How will the data be transferred
- How to keep personal and corporate use of the device separate
- What is the potential for data to be compromised
- The available security features built in to the device
- How to support and monitor the device
- How to deal with loss or theft of the device
- What to do, with regards to the data, when the owner of the device no longer works at the company
Having considered the risk areas above, the company can put procedures in place to manage them. Understanding the risks from the outset lets the company make data security central to its BYOD programme rather than an afterthought.
Steps to a secure BYOD environment
- Audit the data
Look at the types of data being processed on the devices. Decide which data you would allow to be processed on a personal device and which must stay in a more controlled environment. Information can be classified so that some categories may be handled on personal devices while others are restricted to devices with strong encryption and management. Knowing which data is processed on which devices gives you a much greater degree of control.
- Audit the devices
Consider all the types of personal devices used by the employees. Look at their security features and consider which devices can be used to process which information.
- Make sure that BYOD policy does not impact existing agreements
The company must consider its existing agreements with other organisations and whether BYOD would breach them. It must also make sure that BYOD does not introduce weaknesses into environments that are currently secure.
- BYOD policy
The company must implement, maintain and manage a BYOD use policy. The policy should be clear, so that employees understand what is acceptable and what their responsibilities are when using a personal device for business purposes. It should provide both guidance and accountability for behaviour.
- Storage of data
Appropriate measures need to be in place to keep stored data secure at all times, wherever it is stored: on the device, in the cloud or on a server within the organisation. Ultimate responsibility for safeguarding the data from unauthorised or unlawful access lies with the company. Measures that can be taken include:
  - Controlling access to the data on the device with a strong password or PIN
  - Controlling access to data stored elsewhere via the device; securing the access credentials is paramount
  - Using the ability some devices have to restrict access to certain apps or data types based on geographic location
  - If data is stored on a device, having a remote wipe method in place so that the data can be securely deleted if the device is lost or compromised
  - Knowing what storage media (such as removable memory cards) the device holds, so that loss or theft of data on them does not go unnoticed
  - Encrypting the data stored on the device
  - Making sure the device locks automatically after a number of incorrect password attempts, to prevent guessing attacks
  - Keeping a clear separation between the information and apps used for business and those used personally, so that personal and business data do not blur together
  - Ensuring the device has an active auto-lock function that locks it after a period of inactivity
- Transfer of data
Transferring data always involves security risks, and BYOD will always involve transferring data between the device and the corporate network. Emails, for example, can be intercepted and their contents compromised. Ways to secure data in transit include:
  - Forcing traffic through an encrypted channel
  - Encrypting emails at the source, so that they remain encrypted in transit and are only decrypted by the authorised recipient
  - Using monitoring technology that inspects data being transferred and identifies any data leakage
  - When using removable media to transfer data, having a safe and secure procedure for deleting the data from the media once it has been transferred
  - Avoiding public cloud sharing and public backup services where you can
  - Having a policy covering devices that automatically back up to a personal computer or to a user's cloud account: either ensure that data stored in this way cannot be disclosed inappropriately, or ensure that the function is not enabled on the device
  - Being cautious with open Wi-Fi networks. Be aware that some devices connect to these networks automatically, and consider when it is best to disable interfaces such as Wi-Fi or Bluetooth on the device
- Maintaining control of the device
The company has minimal control over the device. Because it is personally owned and often used away from the office, the risk of it being misplaced, lost or stolen is greater. To maintain some control, consider the following:
  - Mobile device management (MDM) is an effective way to remotely locate a device and delete data on demand when needed
  - Devices need to be registered (enrolled) with the MDM service before they can be managed
  - Enrolled devices can be tracked in real time
- Securing the device
Steps you can take to secure the device:
  - Keep the device's operating system up to date by ensuring that necessary patches and updates are applied promptly
  - Consider restricting the operating systems employees may use; this gives you more control and makes it easier to keep the OS up to date, with fewer potential vulnerabilities
  - Limit the choice of devices to those you have assessed as providing an adequate level of security for the data the company processes
  - Decide who is authorised to install apps on the device and where apps may be sourced from. Decide which apps are allowed and which are prohibited, and give employees guidance on the risks of installing unverified apps
  - Have a procedure in place to deal with the corporate data on the device if the device is sold, or breaks and has to be returned for replacement
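The controls listed under "Storage of data", "Maintaining control of the device" and "Securing the device" are what an MDM service enforces in practice. The policy below is an added example, not part of the original article, showing how those bullets translate into a device policy for Android's management API (the Android Management API), applied to the work profile that is created on a personally owned device. The package names used for the allowed and blocked apps are placeholders chosen for illustration; the setting values (minimum PIN length, ten failed attempts, a five-minute lock timeout) are assumptions to be tuned to the company's own risk assessment.

```json
{
  "passwordPolicies": [
    {
      "passwordScope": "SCOPE_PROFILE",
      "passwordQuality": "ALPHANUMERIC",
      "passwordMinimumLength": 8,
      "maximumFailedPasswordsForWipe": 10
    }
  ],
  "maximumTimeToLock": "300000",
  "encryptionPolicy": "ENABLED_WITH_WORK_CHALLENGE",
  "advancedSecurityOverrides": {
    "untrustedAppsPolicy": "DISALLOW_INSTALL"
  },
  "applications": [
    {
      "packageName": "com.example.corpmail",
      "installType": "FORCE_INSTALLED"
    },
    {
      "packageName": "com.example.consumerbackup",
      "installType": "BLOCKED"
    }
  ],
  "usbFileTransferDisabled": true,
  "systemUpdate": {
    "type": "AUTOMATIC"
  }
}
```

Reading it against the bullets above: `passwordPolicies` with `SCOPE_PROFILE` requires a strong PIN or password to open the work profile and wipes the profile, not the whole device, after ten failed attempts; `maximumTimeToLock` is the auto-lock timeout in milliseconds; `encryptionPolicy` requires the work data to be encrypted with a separate challenge; `untrustedAppsPolicy` stops sideloading of unverified apps; `applications` installs the approved corporate client and blocks a consumer backup app that would copy data to a personal cloud account; `usbFileTransferDisabled` closes off copying work data over USB; and `systemUpdate` keeps the OS patched. Because the policy is scoped to the work profile, the company can wipe its own data when the employee leaves or the device is lost without touching the owner's personal photos and messages, which is what keeps the personal and corporate halves of the device separate.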
As companies transition to a BYOD environment, major adjustments need to be made along the way. Instead of managing a predictable set of devices and configurations, the company faces a varied landscape of many different devices running various operating systems.
The benefits of smartphones and tablets are considerable: common daily tasks such as emailing, document editing and storing information, previously carried out on a desktop PC in the office, can now be handled remotely.
However, the security risk and lack of control over these devices remain. Companies need to ensure that the correct security measures are in place to prevent corporate data from being accidentally or deliberately compromised.
For a company to realise the benefits of BYOD, its policy needs to be built with all of these risks in mind and, once in place, must be effectively maintained and managed.