Researchers have released news this week of a zero-day attack on the Samsung Smart 3D LED TV. Whilst wondering how many of these will be unwrapped and installed over the Christmas holiday period, possibly still susceptible to this form of attack, my thoughts turned to information security professionals. They must surely be wondering what brand of new gadgets employees will bring into the organisation when they return to work in the New Year.
Research has shown that employees (especially young members of staff) will use their own devices (BYOD) as well as cloud services such as Dropbox. This is despite the fact that the organisation they work for may have policies banning such activities.
Every organisation should be considering policies for the use of BYOD within its environment. Businesses need to bear in mind that restrictive policies often fail, both from the senior level downwards and when employees feel the policies interfere with doing their job. Often they cannot see the implications of their actions for the security and governance of their employer's business, and are likely to continue with unsanctioned behaviour as they try to meet deadlines.
Organisations need to have well thought-out policies, and procedures in place for implementing them. Employees need to be informed of, and regularly reminded about, the policies and the implications for the organisation of breaches of information security, as part of a continual information security education programme.
Policies on the use of BYOD should outline the privacy issues affecting both the owner of the equipment and the employer, covering what the employee can expect from connecting their device to the corporate systems. The BYOD policy should by all means cover encryption and determine what happens when a device is lost or upgraded. Requirements for notifying the IT department in such circumstances need to be included, and the policy should address the possibility that, if the corporate data alone cannot be wiped, the whole device may have to be wiped, losing all of the employee's own data.
The employee would need to agree to the policy before being able to use their own devices. There is often an advantage in allowing employees to use their own devices, in terms of improved productivity and reduced expenditure. However, there are costs and negative implications for both the employee and the employer.
Topics to be covered by a policy include:
- Device Selection
- Remote Wipe Capabilities
- Incident Management
- Control Third-Party Apps
- Network Access Controls
- Intrusion Prevention / Detection Software (IPS/IDS)
- Anti-Virus (AV)
- Connectivity (Bluetooth/Wi-Fi mobile hotspot)
It is not possible for an organisation to support all devices on the market; therefore it may be necessary to limit allowed devices to a subset of those available. Selection of those devices will be a contested decision. Some employees will complain if their favourite brand (e.g. Apple vs Samsung) or operating system (e.g. Windows® vs Android) is not included. Organisations need to take this into consideration when developing their BYOD policy and not be too restrictive. Finally, ensuring the list is circulated to employees and reviewing the supported devices on a regular basis will help alleviate device selection problems.
There are a large number of technical security solutions that are available. It is essential that the selected solution supports the organisation’s aims and mission. Within the selection process, as with the policy generation, it may be necessary to seek expert opinion.
There is no reason why the use of BYOD within the organisation cannot be allowed, giving greater flexibility to employees and improved productivity in a controlled environment that will protect the organisation. This is far better than having employees using their own devices in an uncontrolled manner, possibly leaving the organisation vulnerable to a problem it is not aware of. Having a policy that supports employees makes it easier to apply sanctions to those who do not comply. Having no policy at all leaves a situation with no control, while an overly restrictive policy will often force employees to use their devices on the quiet.