BYOD. What are the risks?

By Enabliser Howard

BYOD

The incidence of staff bringing their own laptops for work, instead of a work supplied computer is gaining leverage, tablets and smart phones too - logging into your business system.  Is this a good thing or not? This is for you to decide, however with sensitive information potentially exposed, there are security issues to consider, from misuse and corruption to loss of data, even industrial espionage.  Where you provide the hardware you should have control over security issues. Where you don’t, how do you control it?

With smartphones and tablets used anywhere from coffee shops, to hotels and home, as well as the office, and containing your corporate data, what security controls are appropriate for the level of risk?  Modern, with-it employees like to use their favourite devices, any time, anywhere.  High profile large companies have been embracing BYOD (Bring Your Own Device), smaller organisations feel the pressure too.

A recent article from the Institute of Chartered Accountants points out that there are issues of privacy law, data security law, data ownership and confidentiality which are affected. Organisations need to agree what is acceptable, and agreeing on this is best done in a collaborative approach. There is also the question of what happens with non-compliance.

Areas to consider in drawing up a strategy include, according to the Institute article:
1. Classify your data:
a. Low level, not confidential, no ramifications if hacked or made available.
b. Mid level, possible embarrassment or disruption or breach of privacy law if lost.
c. Critical data, major problems if lost, potentially breaching privacy or laws, involving customers and regulators.

This classification helps you assess what is suitable to use on BYOD devices.
2. Data Search. Where is your data kept, what systems, devices, backups and disaster recovery practices have you? What data do employees have access to?
3. Employee BYOD Map. How and where can employees, contractors, visitors access, copy and transmit your data?
4. Security policy. As well as the policy, your people need to understand and follow your policy, and understand  the importance of your data, confidentiality and privacy.
5. Implement technologies. As well as training, techniques should include:
a. Install security on all computers and mobile devices and keep it up to date
b. Install security software on smartphones and tablets, and which allows you to remotely clear your data if lost.
c. With virtualisation create a virtual safe zone in your hardware to isolate you from BYOD infections.
d. Require PINs and strong passwords to control access.
e. Prevent copying and accessing data remotely.
f. Require filters, encryption and other barriers for internet connected equipment.
g. Control use of Instant messaging, as a source of viruses and other malware.
h. Disable Bluetooth in public to prevent unauthorised access.
i. Beware of free Wi-Fi unless branded by the business you are visiting.
j. Include plug in USB memory sticks in security scans, an easy source of viruses.

You can enjoy the benefits of the connected age, but consider the impact of problems and protective measures which can be taken.

This article is for general, introductory information only. We recommend you make your own assessment and obtain advice from your IT provider about the risks and precautions appropriate for your specific circumstances.

Reference: “Don’t be caught out by the BYOB phenomenon,” Business & Technology Software Guide  2012, Institute of Chartered Accountants, Sydney

Add new comment