Crafting your BYOD policy
Imagine a situation where a third-party knows exactly what information concerning your business relationships with suppliers, customers and competitors is on your employee's iPad, but you do not.
Not a risk for you? Then imagine a situation where confidential or sensitive business information is leaked because it exists on an employee-owned device and that device is stolen or left on a train.
If you allow employees to use their own devices for work, it could happen today or next week. Your information could be leaking right now.
If not now, these are exactly the situations that businesses are likely to face more often in the next five years unless steps are taken to actively manage BYOD policies for the benefit of existing information governance frameworks.
Opportunity knocks...for miscreants
Let's face facts: BYOD is not new. For many years, individuals have been finding simple ways of enhancing their own productivity by using personal devices for business purposes.
However, BYOD presents an opportunity for would-be information thieves, and not only in the ordinary sense of a lost or stolen device. Cyber security attackers could specifically target businesses with no formal BYOD policy.
Attackers are known to drop USB data keys in company car parks: if an employee inserts one into their computer, the software on the key can infect the machine with malware that can then be used as the basis for attacking the company's network and stored data.
What’s your policy?
The task of drawing up an organisational BYOD policy is complex and should not be considered a 'once-off' exercise; new products enter the market frequently, and updates to local laws can have an impact on existing BYOD frameworks.
As a minimum it is suggested that the following components should be addressed in any BYOD policy:
• Risk assessment:
As a starting point, you should recognise that the information, rather than the device, is the critical issue in the BYOD debate.
Risk assessment should begin by asking what information you are trying to protect and what information you would need to be able to access in any given situation.
Organising your business information into clear and recognisable categories is essential to any document management policy, especially one related to BYOD.
• Ownership of information:
Consider who owns the information that may be held on an employee-owned device (EOD) and what rights you consider the employer has to access it directly from the device.
• Ownership / registration of assets:
Since assets can be numerous, it is a good idea to consider the extent to which only registered assets may be used. If an employee chooses to use a non-approved device, it may be possible to detect its use by monitoring the registry of the machine it was connected to.
• Right to audit devices:
Make sure that the right to audit and access information is clearly understood between the employer and the employee. Finding that you are unable to examine an EOD could be highly problematic if the information is needed in a time-critical situation.
• Security of business information:
For BYOD to work, employees must agree to some controls designed to safeguard the information stored on their devices. At a basic level, encryption can be used; consider applications to wipe the device remotely in the event of a potential data breach.
• Sensible limits on the permissible use of EODs should be issued:
For instance, employees should know never to plug an unrecognised device into a business network computer. Similarly, it may be helpful to devise rules that govern the use of webmail from a home PC, or in an internet café.
Whatever your BYOD policy looks like, you need to ensure that it is relevant, up to date and clearly communicated to all employees, with appropriate mechanisms to aid enforcement at critical times.