New technologies bring with them new ways of accessing data, new types of devices, and exciting alternatives to traditional PC platforms. These dynamics have generated a trend towards using mobile devices in the workplace.
Bring Your Own Device (BYOD) is an expression that refers to corporate policies allowing employees to bring their personal devices into the workplace and use them for privileged access to corporate information and applications.
BYOD includes more than just personal computers. It means that employees can use their own smartphones, tablets, ultrabooks and much more to do their job.
The BYOD concept can be extended to software and services, as users could use cloud services and other online tools.
The practice of BYOD is making significant inroads into the corporate world, with approximately 75% of employees in developing markets, such as Brazil and Russia, and 45% in developed markets already using their own technology at work.
WHAT ARE THE RISKS?
BYOD is a solution but also a new risk. The organization is faced with the need to ensure the security and privacy of data on devices that it does not fully own or control.
Security issues are related to:
• Protection of sensitive data and intellectual property;
• Securing the networks to which BYOD devices connect;
• Responsibility for the device and the information contained therein;
• Removal of organization data from employee-owned devices upon termination of employment or loss of device;
• Malware protection.
It is risky to assume that prohibiting the use of personal devices in the company will solve the problem: employees, executives and/or top management will continue to use them, outside of your control and regardless of your security policies.
All companies have the flexibility, depending on their regulatory and business ethics requirements, to adopt BYOD in the way they see fit.
WHICH COUNTERMEASURES TO TAKE?
In order to support the management of the risks introduced by BYOD and the use of mobile devices in general, the organization should define a corporate policy that takes into consideration at least the following aspects:
- ways of separating the private and business use of the devices;
- the requirements for their physical protection;
- requirements for mobile device software and patching;
- the mode of protection against malware;
- how devices are to be used in public areas, meeting rooms and other unsecured areas;
- the ability to arrange for remote data wipe by the organization in case of theft or loss of the device, or when the user is no longer authorized to use the service.
Furthermore, training sessions should be implemented in order to raise staff awareness of the additional risks arising from the use of BYOD in the company and the controls that should be implemented.
Further information and guidelines on the use of mobile devices and BYOD are given in the ISO/IEC 27002:13 standard (Control 6.2.1 Mobile device policy).