BYOD – The Good, the Bad and the Ugly
BYOD (Bring Your Own Device) describes employees bringing their own portable devices (iPhones, iPads, laptops and the like) to the workplace and using them to reach firm resources for their everyday work. The concept also covers staff who use their own devices for work purposes while out and about.
BYOD is a growing trend. It is being discussed at all levels inside and outside the organization, right up to the board. It is a hot topic, one that many organizations are embracing and others are not. If you are sitting on the fence and unsure which direction to take, be aware that there are many aspects to consider.
This article will highlight some of the pros and cons from a business perspective, as well as the security considerations that this trend brings.
First, let’s look at some of the benefits of BYOD. These include:
The idea behind BYOD is that employees can access organizational data anytime, anywhere, from their own personal device, which naturally encourages increased productivity. If you have access to work e-mails for example, there is always going to be that temptation to “see what’s new” or “just answer this one e-mail” every now and then.
Rather than having to carry around two devices (the employee’s own personal device and a firm owned device) employees are able to use their own device to carry out both functions.
In such a competitive market, it’s sometimes not only the pay packet that counts, but the little perks and privileges that attract the best talent and make them want to stay. Promoting the fact that your organization has embraced BYOD only adds to its appeal for prospective employees.
Rather than the organization paying for an additional device and a service contract, they can shift the cost to the user. Organizations might choose to pay nothing, only pay for the service contract, or perhaps provide an allowance to employees who wish to use their personal device for work purposes. Whatever you choose, aim for a simplified cost model. Trying to differentiate between personal and business usage for costing purposes can be a nightmare.
Despite the benefits, there are some things to consider, as emphasized below.
Firstly, nothing new should be introduced into the organization without a formal risk assessment. A risk assessment should be carried out to:
1. Identify the associated BYOD risks that are applicable to your organization
2. Help you to draw up a mitigation strategy for any identified risks
3. Decide if the identified risks are something you are willing to accept
A risk assessment should pinpoint areas within the environment that need to be looked at when adopting BYOD. Some things to consider are:
1. Which software are you going to use?
From a security perspective, choosing the right software at both the server level and the end user device level, and keeping it patched, is highly important.
2. Which resources are you going to allow access to?
Are you only going to allow calendar, contacts and e-mail access? Will employees be able to access the client database?
3. Will you segregate ‘mobile access’ data?
Ideally, once you have classified the types of data you are going to allow mobile access to, you will segregate that data from the rest of the firm's resources, limiting unnecessary exposure. Hand in hand with this is the need to decide how to serve that data. Will it be available only via an authenticated web page? Do you have an in-house or third party application that will provide access?
4. How will you deliver ‘mobile access’ data?
As I alluded to earlier, choosing the right data delivery method is critical. Whichever solution you choose, you will want data encrypted at rest on the device, at rest on the server, and in transit between the two. Some solutions install an application on the iPhone or iPad that acts as a secure, encrypted container for accessing firm data. Users authenticate, data is transferred to and from the firm's resources, and it is viewed only within the container. A container is only as good as its boundary: check that it blocks copying, screenshots and device backups from moving firm data out into the personal side of the phone.
5. Who does liability fall with?
Another, often forgotten, aspect to consider is liability. If users are using their own device for work purposes and something happens to that device, who is liable for the cost of repairing or replacing it?
6. If a device is lost, how do you ensure the protection of company data on the device?
Some organizations have a mitigation strategy in place that allows them to trigger a remote wipe of the device as soon as they receive word of it being lost. However, remote wipe only works if the device still has battery power and signal. If someone obtains the device and removes the SIM card or puts it into "Aeroplane Mode", the wipe command never arrives and this feature is pretty much useless. The protection you can actually rely on is what the device enforces on its own: full-device or container encryption keyed to the user's passcode, together with a policy that wipes the data locally after a set number of failed unlock attempts. Remote wipe is then a bonus, not the control.
7. Which devices will you support?
One of the biggest BYOD security problems is that it is impossible for IT to understand each and every mobile device and mobile platform on the market today. This makes it difficult to keep track of OS patch levels and to manage the installation and updating of AV on the devices, and just as difficult to support them all.
8. Employee acceptance of data ownership and usage policy
Even if, as an organization, you decide to embrace BYOD, your users may not. Because the organization owns the data that resides on the device, it will want to enforce some control over its use and protection. Many users will not feel comfortable with the organization inspecting their phone when they leave the firm, or remotely wiping the device if it is lost or stolen. It is important to have clearly defined security policies and usage guidelines that set out the firm's expectations. Cover yourself legally by ensuring that employees read, understand and sign these documents.
9. Are we going to control which devices can connect to the network?
BYOD shouldn't be a "free for all". There needs to be a device-specific control in place that ensures only known devices are allowed to connect to the network, for example network access control that admits only devices enrolled in your management solution and turns away anything else, however valid the user's password may be.
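The points under 4 (encrypted container) and 6 (lost devices) are easier to see in code than in prose. The following is an added example written for this page, not code from the original article or from any vendor's product. It models a lost handset holding one passcode-protected container and walks through the scenario above: the thief pulls the SIM before the firm hears of the loss, so the remote wipe never arrives, yet the data on the device is still only ciphertext, and ten wrong passcodes destroy it locally without any network. The passcode "4821", the ten-attempt threshold and the sample payload are all constructed for the demo; the cipher is HMAC-SHA256 in counter mode with a separate authentication tag, chosen only so the example runs with the standard library (a real container would use AES-GCM from a vetted library, and the shape of the argument is unchanged).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed demo, not part of the original article: a lost BYOD handset
# holding one passcode-protected container. The point it shows is that the
# protection of data at rest must not depend on the device being reachable.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard passcode stretching
MAX_FAILED_ATTEMPTS = 10                        # local wipe threshold (assumed policy value)


def derive_keys(passcode: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passcode into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(passcode.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher.

    Stdlib-only so the demo runs offline; a real container would use AES-GCM
    from a vetted library. The argument about connectivity is the same."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(passcode: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passcode, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_container(passcode: str, blob: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; None on a wrong passcode or a tampered blob."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passcode, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LostDevice:
    """Minimal model of a handset: stores only ciphertext, counts failed unlocks."""

    def __init__(self, passcode: str, secret: bytes) -> None:
        self.container: Optional[bytes] = seal(passcode, secret)
        self.failed_attempts = 0
        self.online = True

    def remote_wipe(self) -> bool:
        """The MDM wipe command only lands if the handset has signal and power."""
        if not self.online:
            return False
        self.container = None
        return True

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Local unlock; after MAX_FAILED_ATTEMPTS the container is destroyed on-device."""
        if self.container is None:
            return None
        data = open_container(passcode, self.container)
        if data is not None:
            self.failed_attempts = 0
            return data
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.container = None          # needs no network: data is gone once the blob is
        return None


def demo() -> Dict[str, bool]:
    """Walk through the loss scenario from the article and report each outcome."""
    secret = b"client database extract (constructed sample data)"
    dev = LostDevice("4821", secret)                 # passcode is a constructed demo value
    results: Dict[str, bool] = {}
    results["owner_reads"] = dev.unlock("4821") == secret
    dev.online = False                               # SIM pulled / Aeroplane Mode
    results["remote_wipe_delivered"] = dev.remote_wipe()
    results["plaintext_in_storage"] = dev.container is not None and secret in dev.container
    for guess in range(MAX_FAILED_ATTEMPTS):         # "0000" .. "0009", none correct
        dev.unlock(f"{guess:04d}")
    results["container_destroyed"] = dev.container is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows owner_reads True, remote_wipe_delivered False, plaintext_in_storage False and container_destroyed True: the wipe command was never delivered, but an attacker with the powered-off handset still holds only ciphertext and loses even that after ten guesses. The tag is checked before any decryption, so a tampered container is rejected rather than yielding garbage that a user might trust.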
There is no single all-in-one BYOD security strategy. The best approach is to combine several controls so that no one of them is carrying the whole risk.
All things considered, it comes down to balancing productivity and security. Are you comfortable with the security risks of adopting the BYOD model, set against the potential increase in productivity across the firm? Do the productivity gains outweigh the risks? Will you get a return on investment (ROI) if you implement BYOD across the firm, or will the cost of dealing with a security incident offset the benefits? What controls do you have in place should a data leakage or data loss incident occur? What data are you allowing access to, and who are you allowing to access it? Will your BYOD model comply with the data protection regulations that already apply to your industry?
These are all questions you need to think about when deciding whether to jump on the BYOD bandwagon. With the right security measures in place, it is only a case of questioning whether you are willing to accept the additional risk, and then getting sign off from the right people!