Bring Your Own Device (BYOD) – Friend or Foe?
The workplace is an ever-evolving technological rollercoaster: a whole host of devices at your fingertips, or voice activated, even artificial intelligence, if that doesn’t make you run for the hills.
Dated: 14 February 2019 Author: Allan Maund, Head of Compliance & Risk
Rewind to the 1980s and mobile phones were the size of a breezeblock and only used for making and receiving calls. One thing has changed: you probably had more chance of getting a signal, but that’s another story.
Fast forward to the mobile phone of 2019 and we have a different beast altogether. Mobile phones have the operating speed and storage capacity of a laptop, and some devices are even quicker. Try explaining that less data capacity was used in the ‘computer’ to help put the first spacecraft on the moon than is available on most current ‘smart-phones’ and you get looked at as though you’re the alien.
Mobile phones and associated devices have transformed our working practices. They’ve opened the gateway to a whole new world. We’re now almost completely reliant on IT devices for most elements of our lives. From the business perspective, there is almost a complete reliance on IT. Coupled with the reliance on IT, we have mountains of data. But it’s OK, the data is in the ‘cloud’.
Will legislation protect us?
But fear not: the legislators, not always known for their responsiveness to potential threats, introduced laws over the decades to protect us and our data. As an example, we’ve experienced the Computer Misuse Act, the Data Protection Act and most recently GDPR. Business responded how business does, consequently introducing or amending its policies and procedures. Others hired an army of consultants who talk about ‘blue sky thinking’, ‘helicopter views’ and other corporate ‘talk’.
But what about employees’ own devices?
With business embracing technology, safeguarding our data, protecting the customer and only keeping data for as long as required, has the gate been left open to the cyber-criminal when it comes to our employees using their own devices?
IT typically undertakes stringent security testing and applies product requirements before introducing hardware devices into the business environment. As employees outside of the IT department, we take this for granted. What we forget is that all the IT ‘magic’ continues in the background after we’ve been issued our hardware. The ‘magic’ should prevent cyber criminals getting their mitts on that all-important access to our servers, networks and that plethora of data.
What you need to consider with BYOD
Some businesses allow employees to embrace BYOD, and this isn’t necessarily a bad thing. However, from a negative perspective, employees can access both their own and their employer’s data on a multitude of unprotected, insecure devices. As a reminder, these devices are used to access your business’s data and as an employer you have minimal or zero control over them or the user. What could possibly go wrong? Potentially plenty, and the impact on your business could be significant.
The security settings of the employee’s own device typically fall short of those of devices issued by the employer. Where the employee’s device hasn’t got the protection from malware or other cybersecurity risks that the business ordinarily relies upon with its own hardware, your business potentially has a very big risk. Some in the IT industry refer to BYOD as BYOM, Bring Your Own Malware. Harsh, but reflective of the risk. As a reminder, malware is any software intentionally designed to cause damage to a computer, server, client, or computer network.
BYOD users sometimes unwittingly expose their business to the risk of data loss or leakage. An employee, or consequently a cyber-criminal, might well get unfettered access to your data. Then what? At a minimum you could well be on the telephone explaining the incident to the Information Commissioner’s Office. You’ll probably have to defend your business reputation. These stories don’t have happy endings.
Imagine what a third party might do with your data: you might have a ransom request, or find your data published online, sold to a third party or, even worse, to a competitor.
Imagine if an employee had their BYOD stolen or lost it and it wasn’t password protected. What data could the ‘finder’ obtain?
Cyber criminals will lie in wait
The above isn’t a perception of what could go wrong. Unfortunately, the frequency of fraud and data loss via BYOD is on the increase, and cyber criminals can be patient. They will sit on your network unobserved until they sense a ‘jackpot’ moment. By then it’s too late. You must prevent them getting through the gate that is too often left wide open.
If you’re going to allow your employees BYOD, then do the right thing: secure the devices, insist on rigid security requirements, and provide guidance and advice. If you don’t, have an Incident Response Plan ready, as you may well need it.