Are you using Bring Your Own Device – BYOD – to save money?

If you are, that is perfectly acceptable. One of the benefits to a business of Bring Your Own Device (BYOD) is cost reduction: the purchase of items such as smartphones and tablets is transferred to the employees. The employees in turn get the benefit of using their own device (which is probably of a higher specification than the one the office would buy for them), and they do not have to carry two devices around with them.

Now people can work from wherever they are.

That is just the start of the benefits and they vary from organisation to organisation for both the business and the employee.

If everyone benefits, surely there is no downside?

I will not ignore the quality-of-life issue for staff. Right at the start of any BYOD project, it has to be clearly decided when staff are expected to respond to business messages and emails.

However, for this blog I want to start to look at some of the cyber security issues of BYOD and the way it exposes your information to abuse (Flores, Qazi and Jhumka, 2016).

Risk

Most of the use of BYOD I have seen has happened in one of two ways: by osmosis, without any thought to planning, or as an exercise simply to save money. No consideration has been given to the risk of exposing sensitive company information held on equipment over which the company has little or no control.

This risk needs to be discussed and understood, and then the BYOD project needs to address:

  • The appetite of the organisation for risk
  • The management of expectations for all parties
  • The clear specification of the category of devices that may qualify for BYOD
  • The roles and the tasks in the organisation that are excluded from BYOD
  • The use of the principle of least privilege to control what information is exposed
  • The use of technical solutions to limit the risks
  • The insider threat

This is not an exhaustive list, and every organisation will have further sub-headings in its BYOD project. Just start the conversation inside your business and see what arises and what sensitive information is exposed!

However, every organisation needs to accept that, whatever is laid out in the policy and whatever the intentions of team members to follow it, there will be times when they do not. That is where active cyber security support for BYOD will make it work (Hovav and Putri, 2016).

A quick example of a real-world BYOD solution

I have spent a lot of time with our WordPress specialist discussing and exploring the cyber security of the world’s most popular website platform. One of the issues we had to solve in a BYOD context was the use of the WordPress app on iPhones.

The first step we take when we configure WordPress securely for a client is to determine the roles of each user, set those roles and enforce multi-factor authentication for everyone without exception.

But that did not work for one particular client. Here is the scenario:

  • A senior member of their team blogged continuously from their iPhone
  • They only used the PC occasionally for blogging and WordPress administration
  • Consequently, they needed full administrator privileges
  • The MFA solution did not work in the WordPress app on the iPhone, so either they had to disable MFA or stop using the iPhone. This was a senior member of staff who wanted both! (Remember what I said about managing expectations.)

The solution in the end was simple – we gave this person two accounts, an admin account they use on their PC and an author account they use on their iPhone.
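The two-account solution above is a least-privilege check that can be written down and audited. The following is an added example, not code from the original post or from the client's WordPress site: it runs a policy check over a constructed user list, flagging any administrator account without MFA or used from the mobile app. The post does not say whether the author account had MFA, so the check only models the requirement it does state, that every administrator has MFA.

```python
"""Audit a BYOD WordPress user list against a least-privilege policy.

Policy modelled on the scenario above (sample data is constructed):
  * every account holding the administrator role must have MFA enabled;
  * accounts used from the phone app (where MFA was unavailable) must not
    hold the administrator role;
  * one person may hold several accounts, but only one may be an administrator.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    login: str        # WordPress login name
    person: str       # who owns the account (several accounts per person allowed)
    role: str         # WordPress role: administrator, editor, author, ...
    mfa: bool         # MFA enforced on this account
    mobile_app: bool  # used from the WordPress app on a phone


def audit(accounts):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    for a in accounts:
        if a.role == "administrator" and not a.mfa:
            findings.append(f"{a.login}: administrator without MFA")
        if a.role == "administrator" and a.mobile_app:
            findings.append(f"{a.login}: administrator role used from mobile app")
    admins_per_person = Counter(a.person for a in accounts if a.role == "administrator")
    for person, count in admins_per_person.items():
        if count > 1:
            findings.append(f"{person}: {count} administrator accounts")
    return findings


# Constructed sample: the resolved scenario (two accounts for the senior blogger)
# plus one deliberately non-compliant account to show what the audit reports.
SAMPLE = [
    Account("senior-admin", "senior blogger", "administrator", mfa=True, mobile_app=False),
    Account("senior-iphone", "senior blogger", "author", mfa=False, mobile_app=True),
    Account("editor1", "content editor", "editor", mfa=True, mobile_app=False),
    Account("legacy-admin", "contractor", "administrator", mfa=False, mobile_app=True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the audit against the original single-account setup (one administrator login used from the iPhone with MFA disabled) reports both violations, which is exactly what the two-account split removed.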

What do you need to do?

You or your cyber security consultant need to tackle your BYOD today. The example above was a simple illustration of one BYOD issue. You need to look at how your people are using their devices, examine the risks and then take the appropriate action to limit the unacceptable ones.


Clive Catton MSc (Cyber Security)

References

Flores, D. A., Qazi, F., & Jhumka, A. (2016, August). Bring your own disclosure: Analysing BYOD threats to corporate information. In 2016 IEEE Trustcom/BigDataSE/ISPA (pp. 1008-1015). IEEE.

Hovav, A., & Putri, F. F. (2016). This is my device! Why should I follow your rules? Employees’ compliance with BYOD security policy. Pervasive and Mobile Computing, 32, 35-49.

Further Reading

Hacking is not just data theft and ransomware – it can be reputation damage. Some advice about your WordPress website and your reputation (Smart Thinking Solutions).