Managing risk of own devices

The advantages of allowing staff to use their own technology at work could outweigh security implications, as Jonathan Weinberg reports

A decade ago, IT departments were wrestling with the dilemma of preventing access to restricted websites during office hours. Fast forward ten years and the much-embraced policy of Bring Your Own Device (BYOD) presents a new sort of headache.

It had been feared sensitive data would be put at risk through BYOD if employees’ personal smartphones, tablets and laptops were used for work purposes. But with many of these worries overcome, it is now wearable technology such as Google Glass and smartwatches that are presenting new challenges.

These internet-connected devices capture real-time images and video or send and receive corporate data, often without any sign of being used.

Richard Allgate, of InTechnology Managed Services, believes they could lead to mobile policies having to be torn up and rewritten. He explains: “As most wearable tech is paired with a smartphone, IT managers need to consider if it’s possible to remotely wipe wristbands and other wearables if someone loses them.

Since these devices are more likely to get lost, the IT department needs to have some way to extract data. What about the devices that can work on wi-fi? IT needs to ask itself what information will they hold and will they need to provide a separate form of device management and security.”

Sarah Burke, an employment solicitor at Thomas Eggar, agrees. She foresees a range of issues, among them smartwatches, causing employees to be connected to e-mails for even longer, which could breach working time regulations.

She adds: “Employees will be able to record information about the business and the people they work with far too easily. In addition to this, employers are unlikely to know when information is being recorded, making it almost impossible to control the risks. Employers should, therefore, ensure they pre-empt the risks and put in place a specific policy to cover the use of wearable technology at work.”

BYOD has brought a wide range of benefits to companies and organisations, big and small, such as cost-savings and increased productivity.

If firms fail to protect their employees’ devices, they risk incurring increasing disclosure and financial penalties, not to mention falling victim to cyber attack

Ollie Ross, head of research at the Corporate IT Forum, says it can cause a 40 per cent productivity increase and is especially important for Generation Y or Millennials, born between the early-1980s and early-2000s, who are more engaged by using the latest tech.

And user-orientated IT solutions company LANDesk found it could save companies £150,000 over five years as employees purchase their own devices.

But Dave Bailey, chief technical officer of cyber security at BAE Systems Applied Intelligence, warns: “BYOD policies improve flexible working and allow businesses to be more agile. However, if firms fail to protect their employees’ devices, they risk incurring increasing disclosure and financial penalties, not to mention the likelihood of falling victim to cyber attack.”

Such risks can prove costly. Check Point’s second global mobile security report suggested eight out of ten companies had been subject to a mobile security incident in the past 12 months. Four out of ten respondents faced remediation costing more than $100,000, while for one in seven this was more than $500,000.

Derek Skinner, regional director of investigations, Europe, the Middle East and Africa, at Absolute Software, says he has known of devices stolen in the UK or United States ending up in Vietnam or Mongolia.

He adds: “With any stolen device, the risk is uncontrolled access to the sensitive corporate files and e-mails stored within it or even on the company’s servers. This kind of data breach can result in some serious penalties for the business. The Information Commissioner’s Office can fine firms up to £500,000 for a data breach and there are calls to raise this number even higher.”

Research from Robert Half Technology revealed that some 50 per cent of chief information officers (CIOs) see security of BYOD as the biggest challenge, but 37 per cent concede it has improved employee retention and satisfaction.

One potential solution could be so-called “containerisation” alongside a policy of Choose Your Own Device (CYOD) from a specified list of secure and IT-managed products.

Jonathan Foulkes, vice president of mobile product management at Kaseya, says: “Containerisation is uniquely suited to BYOD because it segregates enterprise and personal assets in the device.

With a containerised approach, IT establishes and manages encrypted, policy-enforced ‘containers’ in each personal device that give controlled access to e-mail, documents and applications. Enterprise data is encrypted at rest and in flight, and if a device is lost or stolen, IT can wipe the containers without disturbing personal assets.

There is no enterprise need for users to set device-level security, as only their personal data is at risk should they choose to leave their devices unprotected.”

He adds it can also help shield internal networks from attacks and malware as only the secure containers connect to the enterprise network.

Future aspects of containerisation could see companies create their own internal app stores for devices to use or develop their own application programming interfaces and cloud-based services to share data off-device via the cloud.

Jean-Claude Bellando, director of marketing solutions at Axway, believes the previously traditional path of desktop virtualisation is now just one of many options.

He says: “While desktop virtualisation has previously been the solution of choice for BYOD policies, the 21st century has brought with it many alternatives. Employees not only want to access their workload from the comfort of their own home, but also the comfort of their own device.

However, when deploying a virtualised desktop solution, it is difficult to prevent data from moving from the virtual environment to an unprotected one.”

Another less talked about risk of BYOD is known as Bring Your Own Network (BYON).

This is where employees use their mobile phone to tether it to another device and share internet connectivity. This turns it into a personal hotspot.

Nathan Pearce, security and cloud expert for F5 Networks, explains: “This means they can, in some cases, bypass the corporate network security rules and access websites, apps and other services that are otherwise banned by IT.”

He believes this should be countered by focusing less on the device level and more at a network level, controlling who can access corporate data, what they can access and where they can access it from.

But for London’s Camden Council, BYOD has been a success. The organisation is embracing the policy in partnership with enterprise mobility management leader MobileIron. It first rolled out a programme three years ago and the council’s CIO John Jackson believes the benefits far outweigh the risks. Its system supports a range of devices and operating systems, including Android, iPads, laptops, desktops and Windows-based tablets or phones.

He says: “There comes a time when, if you don’t introduce BYOD within the workplace, you are going to be faced with disgruntled employees and miss an opportunity to improve productivity, adopt innovative working practices and save money. There have been concerns that personal devices will lead to data leaks and malware. By building a robust, private cloud and monitoring infrastructure we avoid this.”

Mr Jackson feels BYOD is encouraging a working “revolution”, replacing traditional desk and office-based working, which is no longer sustainable. Local authorities, he says, are being encouraged by government to offer solutions that enable flexible working.

Employees want new ways of working, and to use the devices they know and love within the workplace to get their jobs done more efficiently. It’s that simple,” he says. “However, it needs to be done right, especially in terms of security. Devices need to be secure and locked down, and a policy needs to be implemented which employees are aware of.

BYOD is here to stay. No longer can we turn a blind eye and ignore it. We need to embrace the consumerism of IT, rather than attempt to stifle it.”