Don't let BYOD bite - how to implement a successful 'Bring your own device' programme
Claire Robinson
FIP/CIPM/CIPPE qualified DPO and Director and founder of Prior Analytics t/a PrivacyAid. I provide outsourced DPO, Informatics and InfoSec. Expertise in DSP Toolkit, DTAC, ISO 27001 and Business Continuity.
Bring your own device (BYOD) refers to a culture and policy that allows employees to work with their own personal electronic devices instead of, or in addition to, the kit that is supplied to them by their employer. The prevalence of BYOD continues to rise as individuals increasingly own, and become attached to, their own high-end devices and operating systems – typically most people favour Apple or Android, rarely both.
Techopedia gives a very good explanation of BYOD, describing it as the ‘consumerisation of IT, wherein employees are becoming increasingly integrated with their mobile devices’. Employees are now likely to use their own mobiles, tablets and laptops for work-related tasks - whether their employer supports it or not – so a BYOD policy, together with the security measures and procedures designed to control the use of such devices, is becoming increasingly important in mitigating BYOD's risks.
BYOD certainly alters an organisation’s threat landscape and many would argue that it is an inherently riskier way of operating. Of more than 500 SMEs polled in the UK, 61% said they had experienced a cyber-security incident since introducing a BYOD policy, according to a study by SME card payment services firm Paymentsense. However, organisations that embrace BYOD are recognising many benefits with increased productivity being at the forefront.
One might think allowing employees to use their own devices would prove distracting, but there’s a growing body of evidence that the practice actually boosts productivity and makes employees happier.
For example, in a Frost & Sullivan study sponsored by Samsung, respondents reported that as a result of using smartphones to get work done, they gained nearly an hour (58 minutes) of work time each day and nearly an hour (58 minutes) of personal time each day on average, and saw an estimated productivity increase of a whopping 34 percent. Additionally, a Cisco study found that workers believe they can more easily balance their professional and personal lives when they can use their own devices for work. There are numerous reasons for this which include:
- Familiarity with a device that the user has chosen themselves and the consequential decreased learning curve for applications;
- A personal device is a genuinely personal item rather than being ‘attached’ to work, so offers the benefit of more personalisation options such as pictures of a child or a pet on the screensaver;
- The greater flexibility that a BYOD device offers means that employees can work anytime, anywhere and, as a result, are more likely to be more productive by picking things up out of standard working hours.
There is no doubt that BYOD is already present and it is not going away at any time in the near future: the BYOD and global enterprise mobility market is estimated to reach $73.3bn by 2021.
Realistically, there are three approaches that organisations tend to take in relation to BYOD:
- Tolerate it in an unmanaged way;
- Attempt to clamp down and eradicate it;
- Provide a managed programme within the organisation.
Option one is downright foolhardy, option two is wholly unrealistic and that leaves option three as the only sensible approach. Organisations should undertake a comprehensive risk assessment to inform any decision on information security strategies. A managed BYOD programme is the only way to achieve a realistic compromise between a positive user experience and the information security that an organisation needs. Providing a managed approach is not without its challenges, which include supporting a heterogeneous device environment and adapting the associated IT infrastructure to fit, alongside educating employees about acceptable use policies.
A recent article by Bitglass CTO Anurag Kahol states a number of statistics that show that organisations are still not succeeding in securing data in BYOD environments:
- One in five organisations lacks visibility into basic, native mobile apps on personal devices;
- Only 56% of companies employ key functionality like remote wipe for removing sensitive data from endpoints;
- 43% of organisations don’t know if any BYOD or managed devices downloaded malware, indicating a significant lack of visibility;
- 24% of organisations don’t secure email on BYOD at all.
Additionally, when implementing BYOD, it is essential that organisations add proper security controls concurrently – not weeks, months, or years after the fact.
From a data protection perspective, the ICO’s guidance highlights that bring your own device raises a number of data protection concerns due to the fact that the device is owned by the user rather than the data controller:
- It is crucial that the data controller ensures that all processing of personal data under its control remains in compliance with the data protection laws;
- Protecting data in the event of loss or theft of the device will need to be considered but not to the exclusion of other risks;
- Data controllers must also remain mindful of the personal usage of such devices, and the technical and organisational measures used to protect personal data must remain proportionate to, and justified by, the real benefits that will be delivered.
It is also important to consider the seventh data processing principle which says that: appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data. These must take the form of mitigating controls.
Anurag Kahol’s article contains a useful list of technical controls for a BYOD environment and concludes that BYOD can be fully secured if companies leverage the proper tools:
- Single sign-on (SSO): The absolute minimum requirement for basic identity and access management (IAM) in cloud and BYOD environments. SSO serves as a single entry point which securely authenticates users across all of an enterprise’s cloud applications.
- Multi-factor authentication: A tool that requires a second method of identity verification before employees or other users are allowed to access resources. For example, after inputting their passwords, users may be prompted to verify their identities through a one-time code sent by SMS or email, Google Authenticator, or a hardware token that they carry physically.
- User and entity behaviour analytics (UEBA): Analytics that provide a baseline for normal user activity and detect anomalous behaviour and actions in real time, allowing IT departments to respond accordingly and automatically.
- Data loss prevention (DLP): Various tools capable of allowing, blocking or providing intermediate levels of data access; for example, through redaction, digital rights management (DRM), and more.
- Selective data wipe: This allows administrators to wipe all corporate data from a device without affecting personal data; for example, photos, contacts, calendar events, emails, text messages, and other items.
The starting point for any organisation addressing the BYOD challenge must be a well-crafted policy that is easily understood by employees of all computer literacy levels. This, alongside appropriate education and acceptable use guidelines, should give them a clear idea of what they can and cannot do. The policy should include a list of permitted devices, the associated security policy, clear guidelines about data ownership, protection and confidentiality, required, permitted or prohibited apps, and details about decommissioning the device.
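As an added illustration (not code from the article or from any product it mentions), the policy items above and the controls from Kahol's list can be expressed as machine-checkable rules and run over a device inventory, which gives the per-device and fleet-wide visibility the survey figures say most organisations lack. The policy values, platform minimums and the three-device inventory are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy values (hypothetical, not from the article): the items a BYOD policy should cover.
POLICY = {
    "permitted": {"ios": (15, 0), "android": (12, 0)},  # platform -> minimum OS version
    "prohibited_apps": {"unapproved-cloud-sync", "rooting-toolkit"},
    "require_mfa": True,             # second factor before access to resources
    "require_selective_wipe": True,  # corporate data removable without touching personal data
    "require_secured_email": True,   # the control a quarter of organisations skip entirely
}

@dataclass
class Device:
    owner: str
    platform: str
    os_version: tuple
    apps: set
    mfa_enrolled: bool
    selective_wipe_capable: bool
    email_secured: bool

def evaluate(device, policy=POLICY):
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    minimum = policy["permitted"].get(device.platform)
    if minimum is None:
        findings.append("platform not on permitted list")
    elif device.os_version < minimum:
        findings.append("OS version below policy minimum")
    banned = device.apps & policy["prohibited_apps"]
    if banned:
        findings.append("prohibited apps installed: " + ", ".join(sorted(banned)))
    if policy["require_mfa"] and not device.mfa_enrolled:
        findings.append("MFA not enrolled")
    if policy["require_selective_wipe"] and not device.selective_wipe_capable:
        findings.append("selective wipe not available")
    if policy["require_secured_email"] and not device.email_secured:
        findings.append("email not secured")
    return findings

def fleet_summary(devices, policy=POLICY):
    """Count each finding type across the fleet (the visibility the survey says is lacking)."""
    counts = {}
    for d in devices:
        for f in evaluate(d, policy):
            key = f.split(":")[0]  # drop the app list so identical findings aggregate
            counts[key] = counts.get(key, 0) + 1
    return counts

FLEET = [  # constructed sample inventory, not real devices
    Device("alice", "ios", (16, 2), {"mail", "calendar"}, True, True, True),
    Device("bob", "android", (11, 0), {"mail", "unapproved-cloud-sync"}, False, True, True),
    Device("carol", "windows", (10, 0), {"mail"}, True, False, False),
]
```

Running `fleet_summary(FLEET)` returns one count per finding type, which is the figure a programme owner would track over time rather than discovering gaps after an incident.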
BYOD is here to stay and employees will continue to expect to bring more and more personal gadgets into the workplace as the relentless march of technology continues.