Let's talk about "Bring Your Own Device"(BYOD) again. We all know how often people have devices which are more capable than what their current organizations/employers offer. Rightly so, to keep all devices and all systems updated across the enterprise it is still a huge, and expensive, task. BYOD has a security framework that allows the regular folks to being their own laptops or mobiles to use at work.
The issue starts when company data is exposed in a risky way. Would your manager be OK with you having an spreadsheet with people's contacts details, addresses and sometimes financial values? hint: the answer should be NO; otherwise you guys needs to have the "data protection talk" :)
The key here to make sure the risks do not outweight the benefits of BYOD is to make sure reasonable steps were taken to mitigate data leakage and exposure to the wild web.
And that brings us to the point I wanted to discuss. Canada is one of the first nations to move in this direction with a comprehensive set of guidelines for mitigation polices. More precisely, the Office of the Privacy Commissioner of Canada released a guide (Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?) highlighting several key privacy and security risks that you and your organization should take into consideration for a BYOD program.
This is a Canadian perspective but some of the points are excellent for your own discussions. It is a long document but if we can summarize the main points they recommend are...
Perform an Impact and Threat Risk Assessment
Privacy Impact Assessment (PIA) and a Threat Risk Assessment (TRA) needs to be done to identify and address risks associated with the acquisition, handling, storage and period retention of personal identifiable information (PII). If you've been to any of my presentations, you see how much focus and stress I put on the demos with personal data. They are extremely valuable and can do real damage to everyone involved, people and companies.
Create specific BYOD policies
Dedicated BYOD policies needs to be developed, consolidates and established for all devices covered in the program. Training here is essential. All users part of the BYOD program must have a clear set of expectations about what they can and can't do with their devices, including training on privacy protection and defensive data handling (to mitigate security threats). The guide recommends for CTO offices engage directly with other departments. The objective here is to develop enforceable, easy-to-communicate BYOD policies. There is no point in having a hard to follow/hard to understand framework across the board. In short they should address at a minimum: user responsibilities, acceptable uses of BYOD devices, application management and access requests.
Containerization means group and isolate corporate data that might be living offline in an employee's device. The goal here is to create a division between personal data (for example, family pictures in your mobile) and company data (for example, sales forecast documents, resumes etc).
Let's face it, doesn't matter how much effort and controls we put around a technology, at some point the data will likely be compromised. The question here is: What to do when this happens? Technology is a living thing. In 5 years from now, the technology landscape will be totally different from when we have today. So, when a a privacy or security breach happens, an mature and well-thought out incident management process needs to be in place. The goals here are to identify the root cause, report, analyse and correct the breach in a timely fashion...and then use the learnt lessons for the future.
As part of the incident management, the guide recommends that companies should create an inventory of the connected devices. The goal here is to take appropriate steps during an incident response. Users must understand that personal devices which are not adequately secured might expose company information to malicious elements and this often leads to financial loss (for losing competitive advantage, reputation damage etc).
All these are great points and at first they seems very obvious. Tricky part here is that the obvious is hard to implement.
BYOD Program Seems Too Complex for Our Company
If you are reading this and think that your organization can't have a BYOD program because these guidelines might be too hard to implement, don't worry there are still steps you can do to make sure you meet them halfway. More and more the workforce is digital and users are demanding these programs. My 2 cents here is that the organization should aim to have a secure enough environment where the benefits of a smaller BYOD program can be leveraged. The main thing in any security program is still the same: User education. We are becoming so technologically connected, with machines so auto-sufficient yet the main component always was, still is (still will be?) people.
If you found this interesting, let me know what you think in the comments.