“BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades”. – David Willis, VP & Analyst, Gartner
BYOD is a strategy where employees are allowed to connect their personal devices such as laptops, smartphones and tablets to the corporate network to access corporate data. The BYOD strategy benefits the company in several ways like enhanced work flexibility, increased productivity and efficiency of employees. This is why it is being embraced by IT organizations worldwide. A survey conducted by Tech Pro Research indicates that 74% of organizations are either using or planning to use BYOD in the future.
BYOD provides flexibility to employees to work with their own devices and help organizations reduce cost. Along with the advantages, there are several challenges too. Employees can easily access company information on their devices. The influx of employee-owned devices poses a serious threat to enterprise data resources. It may harm the organization if a device is lost or damaged or when an employee quits. So, Information security is a big challenge for IT managers. Information and applications on the devices must be secured. According to a survey conducted in 2015, by Gartner, more than 75% of mobile applications fail basic security tests.
BYOD has spread in almost every unit within an organization such as legal, IT, Human Resources, and Finance. Therefore, it should be controlled across all the departments. BYOD control measures should be taken in technical as well as non-technical ways. Sometimes IT ignores non-technical aspects such as policies and procedures which are very important for privacy purposes. There must be policies and standards under which BYOD can operate.
Information Security is already a mature phenomenon and there are several standards defined around them like:
- ISO 27000 Series standards (known as ISMS Family of Standards) jointly published by ISO and IEC for information security1,
- COBIT (Control Objectives for Information and Related Technology) created by ISACA for IT management and governance it allows manager to bridge the gap between control requirements, technical issues, and business risks2,
- SOGP (Standard of Good Practice) published by Information Security Forum to provide a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains3,
- ITIL (it is based on ISO 27001 standard)
Though there are universally accepted standards to secure data, using them on personal phones and devices invites employee restraint and push back. E.g. Location tracking technology is very helpful in case device is lost, data can be easily restored. However, people feel it’s an invasion to their privacy4. MDM software used by IT to remotely access device gives them a feeling of intrusion. MDM agent on a device with access to personal files, pictures, and music, disturbs their privacy. Though it doesn’t mean that users are absolutely incorrect. Personal devices always have some private and confidential information such as passport details, biometric information, financial as well as medical information which can be misused.
An effective BYOD system would be a perfect blend of organizational as well as private data security concerns. BYOD has impacted various organizational resources and assets such as data, networks, communications, applications, and devices. It should be able to manage in a controlled way so that it may not harm any resources or data along with users’ privacy. It is essential to consider the points mentioned below before implementing BYOD standards & policies in an organisation5:
- Legal & liability aspects,
- Impact of security and privacy controls on BYOD users,
- Technical control measures,
- Perception and behavior of users,
- Information security standards and procedures,
- BYOD awareness and training program.
Legal & Liability aspects should be checked first while implementing a BYOD policy. In case organizational or private data are exposed, no one wants to take responsibility. Therefore, before putting control measures into action, liability should be defined properly by the legal department and legal ramifications of damages must be fixed.
The impact of Security and Privacy controls on BYOD users is necessary to be considered before enforcing any action.
IT should use technical controls which secure both organizational as well as BYOD users’ personal information.
Perception and view of employees must be considered by IT before making and implementing any BYOD policy. Users’ positive attitude can reduce organizations and users’ liability when any security or privacy breach occurs.
IT should ensure that all Information security standards and procedures have compliance with national as well as International legal laws.
Many employees might have never worked in a BYOD environment and unaware of the threat of losing private or organizational data. BYOD awareness and training program immensely help them to understand how they should work. Training program educates them about the International Privacy Principles and Security Standards.
New and existing employees must have knowledge of the International Information Privacy Principle. According to Privacy International, an organization working to safeguard privacy, “The first law was passed in 1970 in Germany. Later, similar data protection law ‘Fair Information Practices’ developed by the US. The UK also started taking initiatives to safeguard people from threats of private companies by establishing a committee. Further, National laws have been developed by many nations such as US, Germany, Sweden, and France. In 1980 the Organization for Economic Cooperation and Development (OECD) developed its own privacy guidelines.6
Some basic privacy principles outlined in these drafts are:
- Data collection limit: There should be a limit to personal data collection. Data should be obtained in a legal manner with prior consent of the individual.
- Relevance of Information: Information should be accurate and relevant for the purposes it is being used.
- Purpose of obtaining information should be defined: Data should be used for the purpose it is defined for. Information should be deleted once it is used or no longer needed.
- Protection of Information: Security measures should be taken to protect personal information from getting lost, misused, disclosed and modified.
- Individual involvement: Every individual has a right to involve for the information taken from him. A person can ask for deleting information once used7.
A good BYOD system is where an organization or personal information both are secured. IT must understand the level of adoption, legal laws and procedures and controlling measures. All the possible threats, challenges and risks pertaining to it should be analyzed so that probability of information damage could be mitigated.