Font Size

Do not Let BYOD Bring Your Own Demise

 By

John Norton - Expert Author

Computer/Internet/Software Articles
Submit Articles   Back to Articles
13 June 2013

Information Technology

The Information Commissioners Office (ICO) recently published two items which highlighted the potential danger to small businesses from the policy of allowing employees to use their own IT devices for work related purposes.

This practice, commonly known as Bring Your Own Device or BYOD has mushroomed in the last 5 years as employees have sought to use their own smartphones, tablets and laptops for work. As well as being almost impossible to stop, employers have rightly concluded that the policy increases employee satisfaction and engagement. As a result BYOD is being embraced by companies and their IT departments.

Risks

However allowing employees to use their own equipment for work creates a number of potential problems for IT managers. These range across software legality, network access, software support and the issue of particular interest to the Information Commissioner; Data Protection and Security. Giving employees access to regulated, and potentially confidential, data on their own devices brings with it a series of risks which could result in small businesses breaking the law, or losing control of data vital to their success.

The survey, commissioned by the ICO with YouGov, shows that nearly half of employees have used at least one of their own personal devices for work purposes. Whilst e-mail is the favourite application involved, 35% access work files and 14% connect to  work related on-line banking services. Yet despite this widespread use only 27% of these people have been provided with guidance on the work related use of the devices, by their employer.

Guidance

The ICO has used the findings of the survey to highlight itís second publication. A report which provides guidance on what companies need to consider in respect of data security and control when they allow personal devices to process personal data for which they are responsible. Whilst the ICO highlights the need to keep things in proportion and not introduce counter productive draconian regulation to govern simple data which will often be publicly available anyway, it does make clear that it is the companyís responsibility to ensure compliance with the Data Protection Act WHEREVER data is held.

In order to comply with their obligations small businesses should firstly ensure that, if they allow BYOD, they have a clear, written Acceptable Use Policy which should make clear what types of personal data may be processed on personal devices. They should also consider their need for a Social Media Policy as BYOD is likely to lead to an increase in such use.

When drafting the policy, companies should address a number of key areas.

Where is the data held

In todayís connected world it is often unclear where data is actually being held. Any piece of data could be:

  • on the device itself,
  • on an internal server,
  • on a public network or cloud server,
  • more than one of the above.

You should also remember that a lot of device based data is now also automatically backed up to cloud based networks.

If your company is subject to increased regulation (such as Financial Services) it is possible that the data in question must not leave the UK which raises an additional raft of issues.

Data transfer

The means of getting the data onto the device and from there to other users or to cloud servers is also important, as whilst much data storage is encrypted, this is often not the case with data transfer, particularly if public access wi-fi networks are used.

What happens after its no longer needed

Once the data is no longer needed it should clearly be deleted, but this is not always as simple as it sounds. Data can easily be retrieved after a simple deletion, so more secure deletion methods should be considered. What happens when the employee leaves or wants to sell the device? Steps must be taken to ensure that data on these devices does not leave the companyís control.

Physical security

With many devices it is now possible to physically track their whereabouts and remotely manage and delete data from them. Whilst this may assist in the process of data control, small businesses need to take care that all these systems are enabled and kept enabled, in order to work effectively, and they must safeguard employees against concerns that their movements are being monitored for other purposes.

Other

There are several other areas to be considered:

  • The proliferation of data into new locations makes it more difficult for that data to be tracked for the purpose of reporting or deletion should the data subject require it, or if a FOI request is made,
  • The easy availability of the data may make it more likely to be used for purposes other than it was intended for, either by the company or by the device owner,
  • Despite all these listed concerns it may be possible to use BYOD as a means to enhance company security by ensuring that high risk data is kept on company networks and can only be accessed using secure equipment, but enabling day to day company business to be carried out on a separate more open network using BYOD.

So whilst Bring Your Own Device can introduce significant benefits in terms of employee engagement and productivity it is an area which creates itís own problems for both IT managers and data controllers, and in case youíre thinking that this is just a load more red tape, you should remember that the data held by your business is one of itís most important assets and ensuring it does not fall into the hands of competitors or criminals should be of primary concern to you.

You can access both the survey and the report on the Information Commissioners website.


About the Author

John Norton, is a senior business and finance professional with a big four, blue chip, software and technology background, and board level leadership experience in finance, IT, operations, customer service and general management.

He is owner of No Worry Web, which creates and manages small business web sites and social media presence, for an all-inclusive monthly fee. For further details see www.noworryweb.co.uk or call 0845 5191 275.

Authors Google+

Follow us @Scopulus_News

Download Business Contract Agreements


Article Published/Sorted/Amended on Scopulus 2013-07-06 11:28:11 in Computer Articles

All Articles