I have worked closely with companies who have quite relaxed policies on BYOD (Bring Your Own Device). They liked the idea that if an employee wants an iPhone, this was OK, as long as they paid for it. Personally, I blame Ryanair. People are always telling me what a clever business Ryanair is. They even charge their employees for training and uniforms.
I’ll resist the Ryanair tangent for fear of this turning into a customer service rant, and I have strong views on business culture. My point, however, is a simple one. A BYOD device is another device on your network. It’s a MAC address with a set of permissions. Allowing a BYOD device access to a network or allowing access to your corporate email system can be little different from allowing an uncontrolled device to connect up remotely to your business-critical data.
Socially it is expected. It might be small and hugely featured but it’s easily lost and exposes the weak underbelly of your whole business system. In short, it’s a disaster waiting to happen. Your BYOD is possibly linked to a cloud service such as Dropbox or iCloud. It’s a high-resolution camera which might be used to photograph that whiteboard so you can write up the notes later. Remember James Bond with his mini cameras in the classic Bond movies? Well, now we all carry one. Ours are better actually, as they don’t need developing and they transmit and sync our images almost instantaneously to the cloud whilst our phone is in our pocket.
Now let’s look at email. I know of situations where members of staff have had both personal and work email accounts on the same BYOD. This enabled them to forward work email to their home account (with attachments) with no record on the business Exchange server other than that the email had been read! This is a security haemorrhage point and nobody really seems that bothered.
Of course you will be thinking that the cloud services, email policy and even the camera could be controlled in a switched-on company. You are probably right and of course they should be. My point is really one of attitude.
We all carry these devices with gigabytes of data on them in and then out of our business worlds. They soak up data and information about our habits and movements and they record highly sensitive data.
BYOD devices need to be controlled – just like any other business-critical device. Ownership actually complicates the situation. They need to be controlled, audited and the risk assessed. Staff need to be trained. Ownership of the data needs to be considered with great care and attention. Policies need to be written, implemented and measured. People need to be trained. BYOD is not a panacea for cheap technology infrastructure. BYOD could become your worst nightmare.
Lastly, what happens when the employee leaves? Is the demarcation of personal data and business data a clear one? Probably not. If their personal iPhone has been linked to their home PC (and it probably will have been) then you don’t just have the challenge of your data being on one device but probably many. Not only that, but you probably have no idea where your business data is.
By its very nature BYOD puts your data in an uncontrolled environment. Phones and tablets are lost and stolen in huge numbers every day. On average a London taxi has a phone left in it once every day! The disposal of data and devices upon leaving the business is an HR minefield and a risk most businesses haven’t even considered.
Bring your own device? - Bring your own data breach!