BYOD: have you managed the change?

For those of you that read our blog regularly, you will know that in December we referenced how ‘bring your own device’ (BYOD) would continue to be one of the dominating security themes in 2013. Research released last week from the ICO and YouGov reflected this trend. Overall, the poll of over 2,000 British adults found that employers appear to have a laissez faire attitude about allowing their staff to use their personal laptops, tablet computers and smartphones for work. 

Looking at the figures in more depth, the survey shows that whilst 47 per cent of all UK adults now use their personal laptop or smart device for work purposes, less than three in ten are given guidance on how to do so securely. The YouGov survey also shows that email is the most common work activity carried out on a personal device, accounting for half (55%) of people who use their own devices for work purposes. This was followed by 37 per cent who used a personal device to edit work documents and 36 per cent to store work documents — many of these activities are likely to involve the processing of confidential or sensitive information. 

The survey comes as the ICO publishes a free guide to help CIOs address some of the main issues around properly protecting customer, patient or personal data in a BYOD context. 

To some extent, the culture of BYOD has developed as a direct result of companies saving money by not purchasing dedicated corporate devices for their staff. The problem comes when they cut corners on securing these devices within the corporate network. We know that, essentially, people use their own devices to suit their needs and ultimately to be more productive, which is commendable. 

Many organisations have policies in place regarding the use of such devices, but the proliferation of smart devices means that another level of protection must be added as once that device holds company data; it needs to be covered by the company’s security policy. These devices are not just an entry point into the corporate network; they are also an exit point. Businesses need to consider what happens to the data stored on these devices when the individual leaves the company. There needs to be a policy and a process to ensure that corporate information has been appropriately removed as part of the leaving process. From a more mundane perspective, the company also needs to ensure there is a policy relating to when the device breaks or is lost to ensure that the productivity of the individual is not compromised.

Any organisation that does not take BYOD seriously is simply setting itself up for a data breach which will ultimately be more costly to the organisation (in terms of revenue and reputation) than dedicating some time to updating and enforcing the appropriate security policies.