BYOD is on the rise, bringing a new level of risk to information security management. In response, developers are racing to launch new technologies to manage and secure employee-provided devices. But are we focusing too much on the tech? Keith Ducatel outlines the behavioural considerations that play an equally vital role.

Although BYOD has so far largely focused on employee-provided smartphones and tablets, many predict that laptops, and even the odd desktop, will soon follow. A vision has been proposed of total flexibility, in which employees get to work on the equipment they most enjoy working on, greatly boosting the productivity of the organisation. In fact, I see some commentators have gone so far as to claim that the rise of BYOD will threaten the traditional role of the CIO. I wonder whether this is the real reason why 180 IT directors just told Insight UK's mobility survey that they weren't currently implementing a BYOD strategy? They said things like 'hidden costs' were preventing them, but perhaps long-term job security is the secret driver here!

As this perhaps demonstrates, we need to be careful about the hype. BYOD is a huge area of debate. Does BYOD add value? Insight UK's study says it does, with 82% of companies that have introduced a BYOD policy noting visible improvements to staff morale. Is BYOD the essential next step for all organisations? Whilst many commentators say yes, perhaps the more realistic answer is: it depends on the nature of the organisation and its employees. Is BYOD worth the additional risk to an organisation's information security management? This is the question that CISOs and CIOs are currently battling with. BYOD does increase information security management risk, and the recent Executive Council and Galvin Consulting survey of 100 CISOs reveals a range of concerns.
My specialism is the behavioural aspects of information security, so I'll restrict this article to the key areas of BYOD risk in that sphere, outlining a few key messages for each. But first, I present two underlying concepts that provide strong psychological context to those messages.

Underlying concepts

One concept to convey is that your IT network is a carefully configured system that serves to protect the integrity of your information as much as it serves to help employees carry out their roles. They must understand that plugging in a device that isn't carefully aligned with that IT network is like knocking a hole through your kitchen wall before you head off to work: the front door and windows may be bolted, but anyone can get in. That is just a quick, crude metaphor for the purpose of this article; there are many compelling visual ways to help contextualise the dangers.

Another relevant underlying concept is privilege. For many organisations, BYOD isn't strictly necessary. But even organisations that see it as an enabler can still communicate their BYOD policy as a perk rather than a procedure. A culture of privilege inherently communicates that behaviour must be exemplary in order to attain and retain the reward.

Three key threats

Care of the device: Having yet another device with company data on it going back and forth between home and work increases the threat of theft and loss. Most employees already carry a phone with company email on it; many also carry a laptop. If you haven't already communicated a device transportation policy, now is the time to make one clear. The standard common-sense measures, such as not leaving devices unattended in public or in a vehicle, all apply. However, equally relevant to this issue is what you communicate about...

Data storage: What data are employees allowed to store on the device?
Many information security management policies restrict smartphone and tablet usage to email and Internet browsing only, with a ban on holding any confidential information on them. If your BYOD policy extends to laptops, what will employees be allowed and not allowed to store on them? Is it practical to force employees to work on confidential information only from a server when in the office? Is taking confidential information home acceptable if it is transported in an encrypted format? Whatever you decide, it must be communicated clearly.

Allowed activities: This is perhaps one of the biggest risks to information security management. The problem is that the device is the employee's own, so there is a natural compulsion to do whatever they want on it: downloading apps onto a smartphone or tablet, installing freeware to perform tasks such as accounting, plus any, shall we say, 'erroneous surfing proclivities'. All of these activities greatly increase the risk of introducing viruses and malware. Employees must understand that as soon as their device comes into contact with corporate data or a corporate network, all of the organisation's acceptable use requirements come into effect. The device can no longer be used as one might use a purely personal device. This is where the two underlying concepts outlined earlier can have the strongest reinforcing effect.

Behavioural education

Let's not forget that it is the way employees use their devices that presents the risk. That makes it a behavioural issue, so focusing too heavily on the technical aspects of security solves only half of the information security management problem. A single careless action, taken through lack of knowledge, renders all software security useless.
With that in mind, I’m delighted to read GCHQ’s recently released “10 Steps to Cyber Security”, which could be interpreted as placing user education and awareness on the top tier of an organisation’s information security management programme.