Bring Your Own Device
With the rapid increase in the use of mobile devices and the growth of remote and flexible working, employees expect to use their own laptops, phones and tablets at work.
Adopting a ‘Bring Your Own Device’ (BYOD) approach raises a number of security concerns, which must be managed to minimise the risk. Implement a BYOD policy that addresses the following:
Think carefully about what business information and services you want staff to access using their own devices.
Design your network architecture to prevent any unauthorised devices from accessing sensitive business or personal information and ensure that authorised devices are only able to access the data and services you are willing to share.
Limit the information shared by devices
One of the advantages of BYOD adoption is that personally owned devices are ‘always connected’. However, this does have associated risks.
Personally owned devices are designed to facilitate the easy (and often automatic) sharing of data, and device owners are used to sharing personal information with other users and in the cloud. Your BYOD policy should highlight the risks of sharing business data with unauthorised users.
Some devices automatically store a backup of the data on a device to a cloud-based account, or to the user’s PC. This is a risk that needs to be managed.
Encourage staff agreement
Communicate your BYOD policy through employee training and education. Ensure that your staff understand their responsibilities when using their own devices for business purposes.
Conduct regular audits of the business data stored on devices. When staff leave your organisation or replace their device, ensure all business data is removed and access to business systems is revoked.
Consider using technical controls
There are a range of technical services, such as Mobile Device Management (MDM), that can help you remotely secure, manage and support personally owned devices.
Container applications, where data is contained within a specific application, can help to:
- Protect against data loss. Where possible, provide staff with a ‘presentation’ of information on their device, rather than storing it locally. This minimises the data that can be easily accessed if the device is lost or stolen.
- Implement effective authentication. Staff should be required to authenticate themselves before being given access to business data. Since personally owned devices are more likely to be infected by malware, authentication credentials entered on them could be compromised, so this risk should be considered when choosing an authentication method.
Anticipate increased device support
A successful BYOD approach could lead to services being accessed by many different types of device. This will increase your support demand, both in keeping multiple operating systems patched and up to date, and in responding to security incidents across a variety of devices and operating systems. You will need to ensure you have sufficient IT support capability and expertise to manage a growing range of devices and device platforms.
Plan for security incidents
Mobile devices are lost, stolen and compromised every day. Should one of these events happen, it is important to have confidence that business data is protected. When an incident occurs you should:
- Act immediately to limit losses.
- Prevent the spread of any compromise.
- Learn lessons from the incident.
Plan for and rehearse incidents where a personally owned device that has access to sensitive business information is lost, stolen or compromised. Ensure you are able to revoke access to business information and services quickly, and understand how you will deal with any data remaining on the device. Consider using a remote wipe feature for business data.
Source of Information
Information taken from the National Cyber Security Centre website “A summary of the key security aspects for organisations considering a Bring Your Own Device approach”
Reproduced under the Open Government Licence.