It wasn’t that long ago that even trying to connect your own device to a company network would have been pretty close to a sackable offence. Likewise taking a company laptop and connecting it to some random Wi-Fi network would also have got you in big trouble with the IT department.
But the unstoppable advance of the mobile phone and tablet means IT security staff have had to calm down.
These days security staff don’t get to say no but have to find ways to accommodate the desires and devices of all their staff.
Pressure for the change often came from the top – a director who wanted to get company email on his iPhone or iPad is the classic example.
Saying ‘No’ to directors can be a bad idea.
If you run things right this can make your company more, not less secure – as long as you establish a proper strategy, business processes and where necessary staff training to make it happen safely and securely.
It can also be a chance to get security, and with it the IT department, seen as a strategic advantage for the business not just an annoyance, encumbrance and expense.
The pluses of bring your own device (BYOD)
Let’s start with the advantages:
There is an argument that people will take more care of ‘their’ equipment – so letting them use their own kit might lower costs for replacing damaged or lost devices.
People also tend to know how their own devices work, and be more receptive to learning more about how they work. So training will change – getting people to show each other how devices work can cut training budgets and reduce calls to help desks.
Staff are also more likely to notice if their device starts acting oddly – malware which takes control of a phone’s data connection, for instance, will drain its battery more quickly. You’re more likely to notice this on a phone or tablet you’ve been using for months than on something you’ve just been handed. And of course you’re not forking out big money for the device in the first place.
If your staff have a variety of devices then any attacker will need various types of malware to attack them, and you. As mobile malware becomes more common this will be a business advantage – in the event of a big attack, not all your staff will be incommunicado.
All of the above should confer a cost advantage on the company – in terms of hardware expenditure, training and reduced downtime.
The other plus is of course increased productivity for staff able to work on their commute and when away from the office.
The drawbacks of letting staff use their own hardware
But of course BYOD is not a solution to all the world’s problems.
Dealing with multiple operating systems doesn’t make life any easier but there are a variety of mobile management systems to remove most of the headaches.
Such systems will also help with mobile application management which remains the most pressing security problem with any mobile device.
Even Apple, long seen as the safe haven for mobile apps, has had to remove hundreds of apps which were quietly gathering customer data.
Staff need to understand the responsibilities that come with dealing with company data and how this is increased by mobile devices.
You need to talk about encryption, about password protection not just of the whole device but also of applications within it. The company needs proper policies and staff need to know what they are.
This means all staff – the Information Commissioner took action against airline Flybe recently because of the actions of a temporary member of staff.
The ICO said background checks were needed for anyone with access to such information along with specific training on data protection.
This takes us to the heart of mobile security – it is just the same as traditional desktop security.
You still need virus protection. You still need to be aware of what’s coming and going on your network.
Different people and different processes within a business require different levels of trust – this is known as the ‘transactional trust model’.
The classic example is the library – almost anyone is allowed in to browse through the books. But if you want to borrow a book you’ll need to show a library card and prove your identity. If you want to look at rare manuscripts or a special collection you’ll need a library card and probably some further authorisation as well.
Follow a similar model for your organisation’s security and you should be able to let people use their mobile devices for some, if not all, of their business functions.
You should be able to give visitors basic internet access via a guest pass which doesn’t give them access to any company information.
By setting different profiles for different members of staff you can keep data safe as well as following the relevant legislation.
You can decide who can read data, who can download it and who can edit it.
The final part of the puzzle is working out what to do when it all goes wrong.
Firstly you need some sort of ‘kill switch’ for devices which are lost or stolen. This is not a replacement for encryption. Recent ICO rulings mean encryption is no longer an optional extra. Companies have been fined for losing password-protected devices which were not encrypted.
But you also need to ensure you have a way to quickly locate and if necessary delete or reset devices which are left in taxis or otherwise misplaced.
Secondly what happens when a member of staff leaves the company, taking their mobile phone or tablet with them?
How are you going to ensure they don’t take your customer database with them? Not everyone leaves on good terms – so you need a way to stop them doing any damage on the way out.
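As an added illustration of the transactional trust model and the ‘when it all goes wrong’ steps above (example code written for this article, not taken from any product or from the original text), here is a tiered access check that combines a person’s profile with the device’s posture, plus an offboarding step that cuts access and requests a remote wipe. The profile names, device fields and posture requirements are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Device facts as a mobile-management system might report them. The field
# names here are assumptions made for this example, not any product's API.
@dataclass
class Device:
    passcode: bool              # device lock in place
    encrypted: bool             # whole-device encryption (the ICO's baseline)
    remote_wipe_enrolled: bool  # the 'kill switch' is available
    reported_lost: bool = False # left in a taxi: nothing until it is wiped

@dataclass
class Person:
    profile: str                # one of TIERS below
    active: bool = True         # False once the person has left the company

# Library-style tiers, lowest trust first; each tier includes those below it.
TIERS = ["guest", "reader", "downloader", "editor"]
ACTION_TIER = {"internet": "guest", "read": "reader",
               "download": "downloader", "edit": "editor"}

# Device posture an action needs whatever the person's profile says.
ACTION_POSTURE = {
    "internet": set(),
    "read": {"passcode"},
    "download": {"passcode", "encrypted", "remote_wipe_enrolled"},
    "edit": {"passcode", "encrypted", "remote_wipe_enrolled"},
}

def decide(person, device, action):
    """Return (allowed, reasons); reasons is empty only when allowed."""
    reasons = []
    if action not in ACTION_TIER or person.profile not in TIERS:
        return False, ["unknown action or profile"]
    if not person.active:
        reasons.append("account disabled (leaver)")
    if device.reported_lost:
        reasons.append("device reported lost, wipe pending")
    if TIERS.index(person.profile) < TIERS.index(ACTION_TIER[action]):
        reasons.append(f"profile '{person.profile}' below '{ACTION_TIER[action]}'")
    for need in sorted(ACTION_POSTURE[action]):
        if not getattr(device, need):
            reasons.append(f"device lacks {need}")
    return not reasons, reasons

def offboard(person, device):
    """Leaver or lost device: cut access first, then deal with the hardware."""
    person.active = False
    if device.remote_wipe_enrolled:
        return "wipe_requested"
    return "manual_recovery_needed"   # no kill switch: someone has to chase it
```

Note that the posture checks apply regardless of profile: an editor on an unencrypted device is refused a download just as a guest would be, which is the point of separating who someone is from what their device can safely hold.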
Get these basics right and you should be able to give staff a chance to work more flexibly but just as securely as they do at their desks.