BYOD is the new black – but how should IT policy support it?

The way that end-users access corporate data and systems has undergone a huge revolution since the early days of the mainframe computer. From dumb terminals through to PCs with local intelligence and back again to terminals such as Citrix, access is now increasingly dictated by users themselves rather than a central IT department.

Drivers for the ‘bring your own device’ (BYOD) or ‘choose your own device’ (CYOD) phenomenon, which is now well underway, include the need to let workers in the corporate environment access the consumer apps they have got used to outside the office. Companies can no longer ignore it, and many are now looking for ways in which to embrace consumer devices within their overall IT strategy.

One of the biggest risks involved when allowing employees to use their mobile devices to access and process corporate data is that phones and tablets are generally replaced/upgraded more regularly than PCs, which are normally subject to strict disposal policies.

Part of the challenge is that many users choose to cash in on their high-value smartphones by recycling them. Many sellers could be unintentionally giving away highly sensitive data along with their outmoded phone.

Personal emails and photos are not the only information at risk- corporate data is also extremely vulnerable to theft. According to a study conducted by ICM Research on behalf of Kroll Ontrack, 10 per cent of employees in Britain now carry work data on their personal device – a smartphone or tablet that could easily be sold on eBay for some extra cash to purchase an upgrade in a few months’ time.

It’s not just recycling that poses a threat to corporates with a BYOD policy. Phones can get lost, damaged and forgotten about when it comes to back-ups. Data on mobiles is normally a mixture of personal and corporate information, and when employees leave the company that data goes with them.

Unfortunately, clicking a delete button or removing a SIM card before recycling the handset does not safeguard the information saved on the phone, leaving sensitive information easily accessible by the next owner. Erasing data require a bit more work.

Retrieving information is easy for professionals, and it’s not only possible to recover files that are deleted but also to retrieve data from damaged handsets or from formatted or corrupt volumes – even from initialised disks.

Smartphones have different settings depending on their model so consumers need to follow the specific steps in the phone manual to erase their data records successfully.

One option for organisations is to restrict the range of devices that are permitted for BYOD. Maintenance and service issues also need to be defined clearly, even though employees are usually more careful with their own devices than they might be with company phones or tablets.

In further research undertaken by Kroll Ontrack with ICM we found companies that don’t regulate employee usage of business devices with effective IT policies are putting data security at risk.

The research highlights that 38 per cent of UK employees downloaded personal files and 29 per cent of employees installed personal apps or programmes on devices that they also use for work.

Five per cent of people used P2P file sharing services, such as BitTorrent and Gnutella, the same percentage temporarily disabled firewall/antivirus software and 4 per cent of workers cancelled antivirus scans on these devices.

While many of these activities may seem secure, using P2P file sharing services and installing third-party apps can put a device in the path of dangerous malware or viruses, which may damage or corrupt devices, especially if protective software is disabled or not kept up to date.

This poses a major risk to data security: our research found that in the last year, around one in three (32 per cent) devices applied in both personal and work environments corrupted to the point where work information was irrecoverable.

The smaller the company and the more recent the introduction of BYOD, the more likely it is that issues will arise that have not been clarified sufficiently in advance. In this case, all those concerned – management, IT and employees – need to work together to set up the best possible procedures.

But before rushing into a BYOD scheme, employees and management must prepare for the risks associated with bringing personal devices to work. A well-conceived policy would include preparedness: disaster recovery planning that incorporates a relationship with a reputable data recovery provider in case the worst occurs. We advise that organisations consider the following six steps:

1. Keep a register of connected devices
As the IT team connects personal devices to the company network, they should also keep a record of the user and their device details. By maintaining a detailed register, companies can audit their company network regularly to detect unauthorised connections and resource usage.

2. Enforce on-device security
All smartphones and tablets come with passcode controls that restrict access. As part of an employer’s default BYOD agreement, staff should be expected to have the passcode enabled before they are granted access to corporate resources.

3. Use existing network tools more intelligently
Many common network tools and services have functions that make it easier to manage mobile devices. Microsoft Exchange can be used to perform remote data wipes on stolen devices for example. Companies can make full use of these tools to automate common mobile device management tasks and to manage network logons, for example.

4. Force VPN use
All devices now support VPN connectivity in the same way that laptops do. To ensure that data transferred to and from devices is secure in transit, make VPN set-up one of the initial provisioning tasks carried out during the deployment phase.

5. Investigate a proper MDM solution
Businesses that are serious about making BYOD a key part of their IT strategy should invest in a proper mobile device management (MDM) system. An MDM platform allows them to enrol devices, specify and enforce network access rights and even apply content filtering to keep staff focused on work-related activities. It can also be used to deploy specific, pre-approved apps related to job roles to try and prevent staff using unauthorised, untested apps that could be leaking corporate data.

6. Investigate enhanced security tools
For the ultimate data security, companies need a solution that can keep personal and corporate data and apps separate. The latest version of the Blackberry operating system uses a profile-based system, allowing device owners to set up a ‘work’ and a ‘home’ logon which separate apps and data.

There are now a handful of third party solutions that can perform a similar task on iOS and Android apps too. These solutions create a secure partition and force users to use company-approved apps for company-related tasks – this then avoids the danger of data leakage or theft by third-party apps.

BYOD is not going to go away and should be managed carefully, rather than resisted. As the line between work and personal life continues to blur, employees will increasingly conduct personal activities on a device they also work from. This will raise a number of issues for organisations, from data security through to productivity uncertainties.

In our view, businesses should look to protect the assets accessed by mobile devices, both digital and physical. Employers must educate employees on what activities are acceptable; develop a simple, but thorough IT usage policy; and ensure backups are in place and up to date for when disaster does strike.