Does BYOD Present Security Issues?

BYOD

The BYOD model is becoming increasingly prevalent, as employers and employees alike embrace the smartphone boom. Now productivity can be increased as employees can have constant access to their company’s online services.

However, with this ease of access come security risks that are worth considering. If you have, or are intending, to adopt BYOD solutions in your business it’s important to be aware of the effect, both positive and negative, that it could have on your business.

One of the major problems in the BYOD market is the lack of enhanced mobile security in communications between devices. At the moment, many BYOD enabled networks use the built-in security measures that employee’s smartphones come with. This could be a potential security vulnerability that could be exploited.

Another challenge for the BYOD market is the difficulty for businesses in tracking deployed assets. This is because once a mobile device is deployed in an organisation, tracking it becomes increasingly difficult, even with the implementation of BYOD security solutions. Both of the above areas have been considered in more depth in a market report by Infinity Research that found several security vulnerabilities in the BYOD model.

Security vulnerabilities

The report stated that one of the major drivers in the BYOD market is the need for enhanced mobile communication security. Most businesses are not properly safeguarding online networks and proper mobile device management (MDM) is paramount. Using MDM enterprise software allows an organisation to better protect and control data and configuration amongst mobile devices within an organisational network.

“The growing globalisation of organisations has led to an increased need for enterprise mobility,” the report states. “Enterprise mobility helps organisations exchange data and information without any time and location constraints. Hence, organisations have been increasingly adopting BYOD policies to implement enterprise mobility.”

Many organisations have been discouraged from adopting BYOD methods, as there is difficulty in ensuring the safety of all the deployed assets. This discouragement has influenced the saturation of BYOD policies and the security concerns have reduced the effectiveness of a BYOD security setup.

“With the implementation of a BYOD policy, employees can use their personal devices to handle their organisations data,” the report continued. “This increases the need for BYOD security solutions as such solutions provide data security and enable better handling of data.”

Implementing BYOD

The marketing report conducted by Infinity Research is the latest in a long line of reports documenting the difficulty of successfully implementing a BYOD program. There are clear benefits in terms of increased productivity when it comes to BYOD programs, however, with the security questions unanswered there is still some way to go before this model becomes universally adopted.

The current policies in place in many businesses are out of date and sync with the current way that data is shared and accessed. Many organisations are putting sensitive organisational and employee data at risk and the BYOD initiatives value for many organisations is currently mediocre at best. This is according to a survey conducted by Teksystems of more than 1,500 IT leaders and 2,000 IT professionals.

More than half of IT leaders and upwards of 65% of IT professionals reported that their employers fall within one of three categories regarding their BYOD policies: either “nothing has been communicated,” “there are no official policy guidelines,” or “employees are not allowed to use their own devices at work.”

One billion smart phones

Current predictions suggest that by 2018 the number of employee-owned smart phones and tablets used in the enterprise will exceed 1 billion. The growing trend towards BYOD policies is redefining business connectivity according to a report by analytics firm Juniper Research.

Ownership

Although the BYOD market is growing and has huge potential for businesses, it must be adopted and applied correctly. A current problem that businesses are facing is that of ownership. One of the main characteristics of BYOD is also one of the main detractors from this model: the employee owns and to some extent maintains and supports the device. Due to this, the company will have much less control over the device compared to a device that’s owned by the company.

An employer needs to address this BYOD issue before enabling employees to bring their own devices to work. There are other potential problems for an employee to keep an eye out for including:

·         Ensuring that work data does not merge with an employees personal data

·         Making sure that non-employees, such as family members who may use the device, don’t access work data

·         The employer should have a plan in place in the event of an employee resigning or being fired

Identify security risks

A business intending to implement a BYOD solution must identify key business objectives and benefits, as well as developing account security, and audit and data requirements. Any team developing BYOD policies should be multi-disciplinary and the policies created must be coordinated between IT, human resources, and legal departments.

The UK Information Commissioner’s Office (ICO) provided a BYOD guide for employers setting out how to ensure that an organisation’s policies are in line with the UK Data Protection Act of 1998. If a business considers data protection risks at the outset, the organisation can embed data protection as one of its core values and in turn raise overall data protection and security standards.

The guidance provided by ICO has as a central tenet the importance of a clear BYOD policy. This ensures that employees that connect devices to the company IT systems are clearly aware of their responsibilities. A successful BYOD implementation can lead to a better separation of data. An organisation should also conduct an audit on the types of personal data that can be accessed from an organisation’s online infrastructure and the audit should also include what devices can be used.

Organisational networks at risk

It’s important to remember that an organisation that doesn’t implement BYOD policies successfully can put networks at risk that were otherwise secure. The ICO guidelines state that data security is of optimum importance and far outweighs any potential increase in employee productivity.

It’s possible for employers to use a sandbox or ring-fencing approach to data security. This means that data is kept contained within a specific app and it also ensures that, if the device is lost, the data that is kept on it remains confidential and retained via a backup facility.

It’s really important that a company ensures good safeguarding of its data to protect itself from legal action. If a company loses employee or client data, that company runs the risk of breaching the UK Data Protection Act which can leave an organisation vulnerable to legal claims brought by the client or employee in question and this can lead to a fine being by imposed on the company by ICO.

ICO recommends some guidelines to help an organisation avoid potential data protection and security breaches.

Consider the following:

·         Which type of corporate data can be processed on personal devices

·         How to encrypt and secure access to the corporate data

·         How the corporate data should be stored on the personal devices

·         How and when the corporate data should be deleted from the personal devices

·         How the data should be transferred from the personal device to the company servers

ICO also recommends that businesses implementing BYOD practices should install antivirus software on personal devices, provide technical support to the employees on their personal devices when they are used for business purposes, and have in place a “BYOD Acceptable Use Policy” that provides guidance to users on how they can use their own devices to process corporate and personal data. Employees should also be made aware that they can only process corporate personal data for corporate purposes.

Good monitoring practices

An organisation can alleviate some of the risks associated with BYOD practices by employing good monitoring practices. This monitoring could include recording the geo-location of employee’s personal devices, or companies can monitor the internet traffic on the personal devices. However companies must inform employees of the extent of its monitoring practices and ensure that employees are satisfied that the monitoring is justified by the real benefits and doesn’t infringe on privacy unnecessarily.

As the use of personal devices in the work place rises, so does the risk of company data being lost or stolen. Organisations must consider these risks and ensure that legal and data protection security measures are in place. Businesses need to think carefully about BYOD and implement appropriate policies and processes to tackle these issues and minimise the risks associated with BYOD.

The organisation is ultimately responsible for the security of company data and data protection requirements regardless of the ownership of the device. Businesses need to act responsibly to ensure the best application of BYOD policies.

A successful BYOD scheme can really boost productivity and streamline business processes, so it’s definitely something worth considering. With cloud services becoming increasingly used in businesses of all sizes, it can mean that employees can work from any location, even out in the field. However, a good MDM and sound policies are necessary to facilitate this, or a business runs the risk of exposing sensitive data and essentially, itself to hefty fines.