Guidance for organisations on security issues and solutions related to BYOD.

What's the issue?

There are huge benefits to flexible working and an essential element is being able to connect to work from wherever you are.  In some cases, this is done using company devices but, increasingly, employers are allowing employees to use their own devices. The 'Bring Your Own Device' (BYOD) approach can bring greater flexibility and lower overheads but it also carries a number of risks, particularly in the area of security.

What's the development?

The government has published new guidance on BYOD for businesses and the public sector (Guidance).  The Guidance has been produced by the Communications-Electronics Security Group, the information security branch of GCHQ.  It focuses on data protection and security issues.

What does this mean for you?

This Guidance is aimed at organisations considering a BYOD approach and as a reminder for those already allowing BYOD.  It sits alongside guidance published by the Information Commissioner (see our Global Data Hub article) which focuses on the data protection issues around BYOD.  Organisations may find the section on network architectural approaches which sets out a range of different scenarios, highlights the risks involved and makes recommendations for minimising those risks, of particular interest.

Read more

The Guidance makes a number of recommendations, in particlar:

  • understand the legal issues – these include data protection and the impact of BYOD on commercial agreements, for example software licences which may restrict the use of company software to devices owned by the company;
  • create an effective BYOD policy – this should be informed by the network architecture which should prevent unauthorised devices accessing sensitive business or personal information and by ensuring that authorised devices are only able to access data and services the employer is willing to share. The Guidance underlines that a policy which is too restrictive and impacts on the usability of the device may be counterproductive;
  • limit the information shared by devices – particular attention should be given to whether the device backs up data in the cloud;
  • encourage staff agreement – it is important to educate staff about security issues;
  • consider using technical controls – these can help an organisation remotely secure, manage and support personal devices.  In particular, they should protect against data loss by ensuring data is not stored locally, and use effective authentication methods;
  • anticipate increased device support – organisations may need to support a greater number of device types;
  • plan for security incidents – have effective procedures in place to ensure a rapid response including considering a remote wipe feature;
  • consider alternative ownership models – these might include allowing staff to choose from a selection of approved devices which are purchased and controlled by the organisation; or allowing company devices to use personalised features.