Risks and rewards of allowing staff ‘to do their own thing’

A generation of employees that seems to assume using your own smartphone or tablet is a basic human right has ensured that BYOD, or “bring your own device”, cannot be ignored. Companies must realise though that while the benefits are beyond doubt, so too are the security risks.

For example, research by mobile device management (MDM) company Zenprise reported that 96 per cent of companies secured the devices, but not the data. So BYOD needs managing; like any new technology, put the right controls in place and it should prove very productive.

One of the biggest risks is when everyone wants to play and has all of the sensitive data in their pocket. “Criteria need to be applied to how much of the company’s data really needs to be made available remotely,” says Paul Stonadge, head of enterprise mobility at Vodafone Business Services. “Those workers who require mobile access to sensitive data can be provided with enhanced security.”

Policies also need examining; companies need to think carefully about how the use of personal devices interacts with their governance, privacy, and security policies and procedures. “One answer is to implement MDM technology,” Mr Stonadge says. “This enables IT administrators to manage mobile devices remotely, and wipe sensitive company information should the device be lost or stolen. By doing this, companies can ensure that their corporate information is safe from the risk of data theft.”

This is important because the handset makers will, quite frankly, change device features at will to make their products more appealing. Jonathan Dale, director of Fiberlink, recalls a recent launch: “When [Apple’s] iOS 5 was released, users gained the ability to leverage iCloud, resulting in many concerns about corporate data leakage into Apple’s cloud storage.

“Only companies that implemented an MDM solution that provided immediate OS feature updates had the tools to block or allow iCloud. Unfortunately, many organisations were stuck waiting for their vendor to release a support update, leaving their data at risk.”

Mobile applications can also be designed to control how much data is downloaded on to the device, versus how much is only available to view or process online, says Steve Levy, chief executive of mobile application framework developer Verivo Software. “Yes, BYOD raises security concerns and companies justifiably want to clamp down on corporate data sharing,” he says. “But in reality, critical information is most at risk when distributed via email or websites, as these can be forwarded or printed. By designing custom enterprise apps, using a mobility platform, companies can secure corporate data at the application level, giving employees secure access to data while preventing them from sharing the information with others.”

The security risk is very real. Between 2011 and 2012, almost a quarter of the UK public sector organisations studied detected unauthorised devices attached to their networks – 22 per cent of local authorities and 29 per cent of central government departments – says backup and recovery specialist Acronis, following a Freedom of Information Act request.

“No public sector organisation can afford to turn a blind eye,” says Alan Laing, the company’s vice president for Europe, the Middle East and Africa (EMEA). “They need to review the current practices they have in place for managing and protecting traditional devices, and then extend these to protect employee mobile devices. This is the only way to guarantee the safety of public sector data.”

In the public sector this becomes a regulatory matter rather than simply one of good practice. Back in the private sector, O2 has been piloting BYOD since 2012; as might be expected from a mobile phone network, the move has been popular and 60 per cent of staff have taken advantage of it.

David Plumb, O2’s general manager, enterprise, stresses the need for MDM, but adds there are other issues. “You need to decide what devices will play a part in your programme and set up systems that will allow them access,” he says. And any technical manager will confirm that ensuring corporate apps work with any given device is a non-trivial task.

“You also need to understand what your employees will be using the devices for. Some employees might need access to a wider range of corporate services than others, so a one-size-fits-all approach may not work,” says Mr Plumb.

Many people argue BYOD is actually simpler than putting technology in place. Si Kellow, chief security officer of Proact, takes a managerial view. “What our under-thanked security manager needs, before he or she starts to deploy technical controls, is a written policy that permits the use of ‘iStuff’,” he says. “This should also set out the corporate position on who is responsible for the upkeep and maintenance of iStuff, and whether any technical controls will need to be deployed in order for the user to make use of iStuff.”

It’s not surprising though that some still fight shy of BYOD. Stuart Lynn, chief information officer of software company Sage UK, is responsible for a 2,500-user network; inevitably BYOD has been raised and some of Mr Kellow’s issues have caused him difficulties.

“I’ve looked long and hard at BYOD, but have decided against a full-blown implementation at this stage as there are a number of hidden costs and challenges that many people don’t consider,” he says. “The influx of additional devices on the company’s network, particularly wi-fi, may cause the network performance to suffer and ultimately mean that you need to buy a new system.”

That’s before settling on a billing policy, asking the finance team to validate expense claims and still forecast cash flow. He adds: “Although BYOD is perceived as more of a challenge for smaller firms, if you consider the impact on companies with thousands of employees, like Sage, it can be a major headache.”