Scattered access: Data security in a BYOD world

 

The bring-your-own-device (BYOD) phenomenon is undoubtedly one of the hottest topics in technology and can be found on the agenda of any IT conference. It will continue to be one of the leading IT projects for many organisations through 2013.

The proliferation of personal devices from Apple, Android and BlackBerry has resulted in many people carrying two or more gadgets – often a corporate BlackBerry, their own personal iPhone and possibly also an iPad or other tablet.

While the firm may provide the BlackBerry, in many cases partners and employees (for simplicity called ‘employees’ from this point forward) would prefer to use their own device rather than the corporate-enforced handset.

In simple terms, BYOD allows employees to choose their own mobile devices and to bring them to work. IT teams are increasingly being approached to connect these personal devices to corporate IT systems and it is impossible to ignore this trend.

BYOD is a method of helping to improve productivity; a recent survey suggests it can add an extra hour to the normal working day as well as support more flexible working patterns. However, there are a number of points which must be considered and addressed before a successful solution can be implemented.

Technical security measures

Securing the organisation’s data should be a primary concern for all businesses. In the professional services sector, a typical firm will already use BlackBerry devices which are secured and managed through a BlackBerry Enterprise Server, a platform which provides encryption, security and management.

However, the move to a multi-device, multi-platform environment is more challenging, as each device has its own security concerns and capabilities. While it is possible to use the mobile data synchronisation application provided by Microsoft (ActiveSync), this only offers a basic level of security – normally a PIN code or password – which is unlikely to stop a determined hacker.

The widely-accepted method of securing a disparate range of devices is to implement a mobile device management (MDM) system, which provides the platform for properly managing smartphones and tablets.

There are a number of widely used MDM systems on the market. Typically, an MDM system will allow you to:

• administer a security policy. For example, you will need to enforce a password or PIN code, encrypt the device (as required by the seventh principle of the UK’s Data Protection Act) and set an automated lock on the device.
  
  ?In addition, you must be able to wipe the device, which is particularly important if it is lost or stolen. Data wipes take two forms: a complete wipe of all data or a selective wipe, where personal data is left intact but all corporate policies, settings and data can be remotely and selectively wiped.

• remotely track a device, which can assist with locating a lost or stolen device.

• distribute and manage apps (including third party and internal apps).

The last point is an important one, as the danger is not just losing a device and the corporate data stored on it, but also the threat of malware or viruses, which are becoming increasingly prevalent on mobile handsets.

There have been numerous cases of malicious apps – available on major app stores – which harvest sensitive data and report it back to a third party who then has access to your contacts, emails, SMS messages, phone call logs, location, passwords and potentially even your bank account if you have a mobile banking app. The importance of distributing and managing antivirus and system protection software should not be underestimated.

When securing a device, there are many issues to consider, and ensuring you comply with the Data Protection Act should be one of them. If you are using your smartphone or tablet for work purposes, you can safely assume that client information such as contact details, emails and documents will be available on your device.

While most devices now have an option to back up your data, most of the backup systems send your data into ‘the cloud’, which can also be read as “somewhere on the internet, you don’t know where and neither do we”.

In all seriousness, cloud-based backup services such as iCloud often have no defined home and your data can automatically be moved between data centres in different countries or continents. It is entirely possible that your sensitive client details are stored outside of the European Economic Area, a situation that leaves you in breach of the Data Protection Act unless you have specific consent from your client, which is of course unlikely. Therefore, an important step in securing and managing a device is disabling cloud-based backups.

Mobile device policy

After you have purchased and implemented an MDM system the work is far from complete, as there are numerous non-technical points to consider with a BYOD strategy.

The creation of a mobile device policy is essential and some of the questions and considerations are listed below. In order to help develop the policy and answer some of these questions, you will need involvement from HR, finance and the senior management team, as well as some legal input.

Starting with the device procurement, the question of who owns the device is very important and impacts on many of the questions you should be considering. Also, there are ongoing security and process points which should be deliberated before they are added to the policy document.

Support

Are your employees willing to purchase, support, manage, repair and replace their own mobile devices?

In many professional services firms, the IT team are familiar with and fully support a small selection of (primarily BlackBerry) devices. But, if employees are able to select any device on the market, the complexity increases significantly and many IT teams will be unable to adequately support such a wide range of devices and operating systems.

Choose your own device (CYOD) assists with this, as the firm publishes a list of device and operating system combinations that it would be happy to support if employees buy devices themselves.

Whichever route you decide upon, the firm and employees will have various support and ownership responsibilities and these should be documented in the policy.

Cost

Are you happy to allow your employees to select their choice of device from any mobile network, or would you rather limit their choice using the CYOD approach and subsidise the cost, perhaps through a corporate contract with a chosen mobile network?

While BYOD is often perceived as beneficial, some employees may consider that the cost of the mobile device is now being offloaded onto them, so this should be considered carefully.

If a device is chosen and paid for by an employee, is he then happy to use a fairly large proportion of his monthly data tariff for work purposes?

If you subsidise the cost of the initial purchase or the monthly subscription, this could have tax implications, so input from your finance team is essential.

Also, how do you manage any extra costs such as telephone call charges and roaming data usage? Who pays for these and what is the procedure, if any, for reimbursing the employee?

Security

If the device belongs to an individual, how does he feel about a corporate security policy being applied that may limit some of his smartphone’s features?

As mentioned earlier, the cloud backup will almost certainly be blocked, but how does the employee feel about this? It may be that he is using the device for taking family photographs, which he will want to back up.

Also, the employee may not have a password on his device, but the security policy may enforce the use of a password and set the device to auto lock after 30 seconds of inactivity.

These potential points of conflict must be considered and included in the policy document.

Employee privacy

The policy should be clear that the device is being monitored and managed.

While the MDM system is only managing and securing corporate data on the device, these systems do allow you to track a device via GPS or by triangulating the signal from mobile phone masts to help locate lost and stolen devices.

However, this is a privacy issue, so legal advice on the use of this feature should be sought before it is added to your policy.

Leavers, lost and stolen

If the employee owns the device, what happens should he leave your organisation?

Most MDM systems allow you to remotely remove corporate data from the device, but are you happy with this? You will need to be certain that every trace of your client data is removed, so some firms may wish to wipe the entire device. If this is the case, is your (ex-) employee happy with this?

If an employee loses his phone, he should tell your IT team as soon as possible so that the device can be securely wiped of all data. But, is this a wipe of just corporate data or everything? What happens if he finds the phone a day later completely wiped of all data, including all of the photos from that once-in-a-lifetime family holiday to Australia?

As you can see, there are many points to consider and employees will lose some control in managing their own devices once the corporate policies are applied. Make sure your management team and all employees who want to use their personal devices for work purposes are clear about what they are signing up to.

Longer-term costs

Many people see the benefits of BYOD and consider cost savings to be one of them. But, this is not necessarily the case. If your employees are taking out their own consumer contracts and selecting handsets, there will certainly be an initial cost saving. But, you should not underestimate:

• the cost of purchasing an MDM system;

• the cost of managing and supporting many more disparate devices; and

• the increased cost of data and phone calls that are charged back to the business, as the vast majority of consumer tariffs will be more expensive than the corporate plans many firms currently have.

BYOD can bring many benefits to your firm, but it comes with some challenges that should be carefully considered and planned before rushing in.

 

---

Managing mobile devices

1. Inform – create a mobile device policy and ensure all those who wish to use their device agree and sign it.

2. Due diligence – understand the risks of implementing a BYOD policy and document them. Your technical security and mobile device policy should mitigate against each risk.

3. Protect – ensure you implement a mobile device management system to protect mobile devices and corporate data.

4. Monitor – ensure you proactively monitor and manage connected devices.

---

 

Neil Davison is the head of information technology at UK law firm Farrer & Co (www.farrer.co.uk)