Bring Your Own Device (BYOD) is an increasingly common IT strategy whereby employers give employees the freedom to work away from the office using their device of choice. It has the added advantage, at least in theory, of minimising technology and hardware costs.
Whether BYOD does in fact reduce IT spend when viewed from a “total cost of ownership” perspective is debatable, as BYOD by definition requires that organisational systems support multiple devices and multiple operating systems rather than one common platform. Nevertheless, BYOD does present an opportunity to improve employee productivity by enabling those employees to merge their personal and professional lives and work anywhere and anytime. Forget work life balance, today it’s all about work life integration!
However, if not managed properly, these benefits can quickly turn into significant risks to your business. BYOD inevitably means employees accessing company information via a personal device, potentially through a number of insecure interfaces and applications, and then commingling that company information with the employee’s personal information. The BYOD trend has not gone unnoticed by hackers, with mobile devices increasingly being targeted. And with the use of smartphones and tablets by executives and board members now commonplace, this ups the ante in terms of the type of information which could be exposed.
Manage the risk
In a modern world driven by intangibles, information and intellectual property are among a company’s most important assets. Organisations spend millions, some billions, building highly secure technology systems to keep this data – most of it held electronically – secure from the outside world. This is no small task, as the benefits of holding data electronically (volume, currency and accessibility) are also its greatest risks.
Fortunately, today’s security software and other technologies, such as data “sandboxing”, encryption and ring-fencing, are continually evolving and can be deployed on personal devices via company networks to guard against information leaks.
However, the effectiveness of these technology solutions depends entirely on the broader security framework within which they are deployed. And at the heart of this framework is the employee.
Securing your data
While organisations rightly focus first and foremost on securing company data against deliberate unauthorised intrusion, many overlook the equally important but less obvious challenge to security from human error.
To illustrate the point: in 2014 the InfoSec Institute reported that, worldwide, 30% of all data breaches in 2013 were due to human error (which includes the use of BYOD), compared with 42% due to malicious or criminal attack and 29% to system glitches.
To put a dollar value on the cost of human error in this context, a Ponemon Institute study found that each compromised record costs the company around AUD$191. Multiply this by the number of records exposed in Australia, which in 2013 was around 42.5 million, and you have a significant cost to Australian businesses each year – over AUD$8.1 billion, with over AUD$2.4 billion attributable to human error.
It is within the company’s power to reduce the number of security breaches arising from the use of BYODs, whether through ‘human error’ or otherwise. How? By having strong and effective policies that are kept current, monitored and enforced.
These policies should set minimum security standards for BYODs, including password protection and encryption, and backend security protocols for segregating business information from personal user information. When deploying data encryption, ensure its scope is broad enough to cover all relevant information, including any of that data accessed via BYODs.
To reduce the risk of security issues caused by human error, the company should conduct regular training and education, ensuring all employees, contractors and third parties accessing the company’s systems understand their responsibilities for the security of your organisation’s data.
These security measures will also aid your company in meeting its obligations under the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) in relation to any personal information that it collects or holds. For example, APP 11 (security of personal information) requires an entity to take reasonable steps to protect the personal information it collects and holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
In the latest ‘Guide to Securing Personal Information’ (Guide), which we discussed recently in our article ‘Privacy Update – OAIC releases Guide to Securing Personal Information’, the OAIC provides practical guidance on compliance measures to protect personal information, such as ensuring your company has robust policies in place that staff are aware of and are regularly educated about, and uses similarly robust security measures such as encryption on BYOD devices.
In addition, legislation specific to your industry or the services your company offers may affect whether your company can implement BYOD policies and procedures. Examples include the Privacy Act (for example, in the health sector), the Archives Act 1983 and the Freedom of Information Act 1982.
Because BYOD can increase the liability risk to your company, you will need to be ready to deal with any number of issues, such as damage to company data (including loss, disclosure or corruption) or inadvertent damage to an employee’s personal data, software licensing, employee expectations of privacy in the event of a workplace investigation, incident response, or Freedom of Information requests.
It is important to remember in relation to privacy compliance that the first question to ask is whether it is actually necessary to collect and hold the personal information in order to carry out your company’s functions or activities. Similarly, in relation to BYOD, ask – do employees need to take any company data off-site?
From time to time it will be important that your organisation is able to survey the activities of employees and contractors while physically at work or off-site. Third parties accessing the organisation’s network may also need to be monitored.
To lawfully monitor or check employees’ and contractors’ use of work emails and IT systems in NSW and the ACT without needing to apply to a magistrate, workplace surveillance legislation requires prior notice of any surveillance activities, which can be given as part of employment policies. There are quite specific requirements around what information must be included, the notice period and so on.
It is also worth ensuring your policy has been updated to address BYOD. For example, policies should address:
- the extent to which non-work information can be accessed;
- an ability to compel employees to hand over the device and disclose their password (as password access control can generally only be bypassed with agreement by the “controller of the computer system” - in this case likely to be the employee); and
- your organisation’s rights to remotely locate and wipe the device (and the employee’s obligation to back up information, and a disclaimer of liability if the employer does need to wipe data).
Depending on the type of surveillance being conducted it may also be subject to other legislation, such as the Telecommunications (Interception and Access) Act 1979 (Cth) and/or other State/Territory surveillance devices legislation, which have their own requirements in relation to notice.
Knowing how to implement an appropriate workplace surveillance policy, which extends to BYODs, is critical to enabling your company to act quickly when information is leaked or misused, or is the subject of white-collar crime such as fraud.
No ‘one’ solution
The use of BYODs is becoming commonplace and may keep business costs down; but ineffective security measures to manage the access and use of company data on employee BYODs can cost your company more than any potential savings or other benefits.
Securing your company’s data, particularly when accessed via BYODs, requires careful consideration. It is not a ‘one size fits all’ proposition. Rather, security measures, policies and procedures must be tailored to individual business needs.
Remember that your organisation’s data can only be as secure as your ability to identify the risks and manage them in the most effective and appropriate manner.