The National Cyber Security Centre has published updated guidance on Bring Your Own Device (BYOD) practices for organisations. The guidance includes general advice for organisations on enabling staff to use their own smartphones, tablets, laptops and desktop PCs to access work information.
The primary audience for this guidance will be large and medium sized organisations considering, or already allowing, employees to use their personally owned device(s) for work purposes. However, the measures suggested will be useful for any technically adept organisation.
The guide describes the key security issues that you will need to consider in balancing usability and risks in such a ‘Bring Your Own Device’ (BYOD) scenario. The NCSC also suggest measures which you can use to mitigate these risks.
BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.
As devices and platforms have become more capable of being used in a work context, the concept has matured from its initial roots and aims to:
- Give end-users the ability to use IT they feel comfortable with
- Reduce overheads for the organisation in terms of procurement and provisioning of corporate devices
- Enable flexible (including remote) working
- Increase productivity
- Provide redundancy to business and organisations when workers are unable to access their main places of work
While BYOD shares some of the risks and mitigations inherent with other flexible working solutions, many of its challenges are unique.
The effectiveness of BYOD data protection depends upon:
- How thoroughly the device can be managed (how much this is allowed by the owner).
- How well considerations of usability have been balanced with security.
The COVID-19 pandemic has seen more and more organisations focused on enabling remote and flexible working in whatever ways possible to ‘get the job done.’ BYOD has seen a surge in popularity.
However, ensuring that these new ways of working can be sustained in the longer term will likely require some revision of practices that have been implemented hastily, particularly as the risks and rewards to an organisation become clearer.
Although the conceptual aims of BYOD are an attractive prospect to most organisations, it comes with a conflicting set of security risks and challenges.
BYOD security challenges for organisations broadly include, but are not limited to:
- Ensuring personally owned devices and their owners comply with company policies and procedures
- Increased support for a wide range of device types and operating systems
- Protecting corporate data
- Protecting corporate infrastructure
- Protecting the personal privacy of the end-user/device owner
- Ensuring legal compliance and meeting contractual obligations
The security challenges of BYOD should not be played down. However, with the right technical controls and policies in place, the risks inherent with BYOD can be minimised.