BYOD: The critical balancing act
How can organisations allow employees to use their own devices to access corporate information securely, within parameters set by management?
Both the public and private sectors are faced with a conundrum. On one hand, the productivity benefits and flexibility that the BYOD trend is enabling allows employees to work when and where they want, bringing the latest technology into the workplace without the capital investment. On the other hand, the influx of consumer devices into the workplace has put a lot of corporate data at risk.
The harsh reality is that information breaches are increasing at a significant rate year on year. At face value it seems that no matter what controls or defences an organisation puts in place, the breaches just continue. So where can we find the balance between huge productivity gains and securing corporate data, given that neglecting either element will be detrimental to an organisation?
Where has the threat come from?
With budgets restricted over recent years, organisations have been looking for innovative methods to retain staff, reduce costs and provide a more flexible working environment. BYOD has offered solutions to all three of these issues, allowing staff to use their own devices to access organisational information. While this may, at first sight, offer significant advantages, allowing employees to work wherever they are, using the latest technology and familiar devices, there is a significant threat that goes hand in hand with this practice.
The very real danger of information leakage or theft is one of the barriers that has seen some organisations flatly refuse to allow employees to use their own devices and potentially impede productivity. Some organisations only allow access to non-sensitive information from consumer devices, whereas others will only provide access to organisational information from devices that are owned and managed by the organisation. So, in comparison to the gains to be made from BYOD, how do the risks weigh up?
The reality of the threat
The 2013 Data Breach Investigations Report from Verizon, analysing 19 global organisations, found that a total of 47,000 security incidents had been reported, with 621 confirmed information breaches in a single year. Over the entire nine-year period up until the end of 2013, the number of security breaches exceeds 2,500 and a staggering 1.1 billion information records were compromised, showing a clear upward trend.
Seventy-six per cent of the breaches listed in the Verizon report came via the network with access being granted by the exploitation of weak or stolen usernames and passwords. Rather tellingly, 92 per cent of the attacks took place from the external perimeter and not internally.
The more you look into the figures, the worse they appear, and the impact of the loss grows as more information assets are breached. This makes it even more critical for organisations in the public and private sectors to develop a holistic approach to protecting information assets.
From a specific UK standpoint, the Information Commissioner’s Office (ICO) in 2012 identified 821 information security breaches across the UK private and public sectors. The consequences of these breaches include the misappropriation of personal information, which can be used for illegitimate ends such as identity theft. Additionally, such breaches bring financial penalties imposed by the ICO, totalling more than £2.6 million from 23 organisations up to June 2013. Last but not least, a breach can cause irreparable reputational damage to the organisation in question.
These statistics make it abundantly clear that using consumer devices to access corporate information carries a significant risk, yet the benefits that it brings to productivity cannot be ignored either. So how can organisations allow employees to use their own devices to access corporate information securely, within parameters set by management? There is no point in implementing BYOD under controls so severe that its true benefits cannot be harnessed.
A critical balancing act
Organisations should implement a common approach to how information assets are handled, one which reduces the risk of information leakage or loss of assets that contain organisational information. This also ensures that, in the event information loss does occur, organisations have the evidence showing what measures were implemented, allowing them to soften the blow considerably.
What can organisations do?
There is no silver bullet that organisations can implement that protects all of their information assets, but following a methodical, common sense policy will allow them to have the best of both worlds.
Keep only what is necessary
The Data Protection Act mandates that organisations should only retain information for as long as is absolutely necessary. With this in mind, organisations should determine the information assets that they need to retain; all other information assets should be securely removed or deleted. This reduces the quantity of information that needs to be protected and managed, and allows for greater focus.
Know your controls
Each organisation will have a specific set of security policies that describe the industry-specific technical controls that are mandated or recommended. These policies provide guidance on the types of controls that need to be in place to protect the individual assets within that organisation.
The difficulty with most of these controls is that they simply describe “what” should be done; what is lacking is the “how”. Organisations should seek advice from consultancies that have in-depth experience and rooted knowledge of the specific industry security policies relevant to the organisation.
People are the weakest point in any organisation. Employees should be trained on why they need to be responsible and on the implications of information being lost, stolen or damaged. The most important outcome of continual training is that the people within the organisation know what is right and wrong, and when they need to report something out of the ordinary they know what to report and where to go.
The security measures put in place by any organisation are not a blanket that can be used to cover everything. Security is the continual weekly, monthly and annual assessment of all controls that are in place, the education and training that is provided, the correct balance of information assets the business requires, and the tracking of where they are.
The key is to define policy before taking any action. BYOD is not a trend that can be avoided, but one that must be embraced. For its full potential to be realised, this must be done on the terms of the organisation in question. It is a difficult balancing act, but it is one critical to the security and productivity of the company going forward.