In October, the Government's Communications-Electronics Security Group published new guidance for employers who permit their employees to use their own laptops, smartphones and tablets for work, a practice otherwise known as Bring Your Own Device ("BYOD").

According to the Information Commissioner’s Office (ICO), 47% of UK adults now use their own personal devices for work purposes. A policy permitting the use of personal devices in this manner can have significant benefits for organisations. However, such permitted use also carries risks, including a lack of control for the employer, the possibility of the device being lost or stolen, and threats to the security of the information stored on the personal device. Taking account of the new guidance should help employers to manage these and other associated risks effectively.

The new guidance promotes the following:

  • Implementing specific BYOD policies to ensure good practice. This approach is similar to the recommendations made previously by the ICO in 2013;
  • Training employees on what the BYOD policy permits and on good security practice;
  • Creating awareness of the responsibility that employees have to exercise good security measures (especially in terms of password protection) and the potential consequences of not doing so;
  • Considering what information can be accessed from employees' own devices and limiting device access to certain data and services;
  • Introducing increased device support and security controls to manage mobile device usage for business purposes;
  • Having plans in place to mitigate loss and risk if security incidents do occur. This may also include having action plans to wipe sensitive data from remote access points if devices are lost or stolen.

A full copy of the guidance is available here.

Although there may be some costs involved in implementing such measures, these costs must be weighed against the potential financial and reputational risks that could result if breaches of Data Protection law occur. Serious breaches could result in fines of up to £500,000 being imposed by the ICO.