Think twice before you bring your own device, writes Tim Schraider, Director at CS Risk Management.
There has been a lot of recent talk about bring your own device (BYOD) and the way in which it can enable a business to work more effectively – but is this at the cost of efficient security?
Many companies in the UK are now looking into the possibility of adopting a bring your own device policy and the effect that this would have on the company’s operations. The positive side is that bring your own device allows for flexible working, as the device can be used anywhere, with a potential cost saving to the company and an increase in employee satisfaction. The concern is that more security controls could be needed: a secure environment may need to be created on the device, or a secure connection to a central environment, as well as remote data removal control. Security policies are also harder to enforce. Acceptable usage, for example, would be difficult to enforce if this was both a work and home device, and the lines of ownership may become blurred, as the device is owned by the employee but the data on the device is owned by the company. Compliance with legislation and standards becomes harder or in some cases impossible to enforce; for example, it would not be possible to create the secure environment required for PCI DSS while using BYOD.
When considering bring your own device, the type of company, activities performed, customers and potential new customers should all be considered. In addition, consideration should be given to who the right person to make the decision is, as potentially this would impact all areas of the business. The other area that should be contemplated is cost, as this may be more complex than initially thought. If the devices are owned by the employees this will save the company money, but the data that resides on those devices must be secured. There are potentially two options for this. The first is that access can be granted to a virtual session, with applications used as part of the session and data stored on central drives. This also allows virus protection to be located on the central systems, with no requirement for the end device to have virus protection. The second option is to secure the device; this would initially require the permission of the employee and would then mean considerations such as drive encryption, virus protection and access controls. It would also have to be agreed who purchased and owned the software for the device, as it would be required for company use but would also benefit the employee.
Another area for consideration is loss of productivity due to device failure. With a standardised IT environment, if a fault occurs with a device, spares can be held and the device replaced. If an employee-owned device failed, the onus would be on the employee to fix or replace the device using the standard consumer returns or replacement process, which could take some time.
The other option for companies looking at bring your own device is to consider the cost of buying the equipment required. For example, if an employee is using their own phone to pick up their email, there may be a legitimate business need for them to have a device to remotely receive email, in which case the company could purchase it. In addition, the company could ask for employees’ input regarding the devices to standardise on, involving them in the debate and still achieving an increase in employee satisfaction while retaining the advantages of a standardised model.
In summary, when considering BYOD, companies must first establish the underlying business requirements and determine whether these can be met through providing IT solutions in a more traditional manner. If BYOD is found to be the only viable solution, companies must ensure that operational and security requirements are clearly understood and met by the chosen solution.
CS Risk Management is exhibiting at Infosecurity Europe 2013, the information security industry event on April 23 to 25, 2013 at Earl’s Court, London. The event provides a free education programme, and exhibitors showcasing new and emerging technologies. For further information – visit www.infosec.co.uk.