Monthly Archives: February 2012

Bring Your Own Device to work, let’s think about that one…

Should it work for you but more importantly can it work for you?

Dave Wharton, Senior Security Consultant, Advent IM

With the proliferation of smartphones and tablets there is a growing trend of allowing, or turning a blind eye to, the use of personal devices for work purposes. But is it safe, and can a company really justify it in the event something goes wrong?

In an era where flexibility and mobility are key, there seems to be a growing acceptance by companies (or is it a sense of inevitability?) that staff should be allowed to use their own devices to do their work on – BYOD.  Whether this is using a PC at home or using their smartphones, tablets and laptops on the move, there is no question staff are doing it, either with or without the blessing of their company.  A recent BBC article on BYOD quoted a survey by Avanade (a business technology company) in which it was found that 88% of executives said employees used their own devices for business purposes (http://www.bbc.co.uk/news/business-17017570).  Another survey found that while 48% of employers would never allow BYOD, 57% agreed that some staff used personal devices without consent.

So what, might you ask? 

“My PC at work is slow and takes an age to open an email, and if I try to do two things at once it just freezes,” or “My boss needs this by tomorrow and I’ll be damned if I’m staying behind again tonight.”

When faced with such challenges, is it any wonder that staff want to take advantage of their state-of-the-art device that provides functionality and performance a company ICT manager can only dream of?  The appeal to companies is there also: productivity improves and staff are content, but at what price?  Companies that allow BYOD should be under no illusion that it comes without risk.  By allowing staff to use their own devices, companies are in effect relinquishing control of how their information (sensitive or otherwise) is imported to and exported from their business networks, and are also allowing the connection of untrusted devices, thereby increasing the risk of malware attacks and data compromise and, perhaps more worryingly, exposing the business to reputational harm or costly fines in the event of a data protection breach.  Is there any managing director or senior partner who would welcome the scrutiny of the Information Commissioner’s Office?

So what is the answer?  The straightforward answer is not to allow it, and I am not going to advocate the use of BYOD here.  There are a number of reasons why you shouldn’t and perhaps only one reason why you should.  While employee satisfaction is clearly important, the main advantage to employers comes down to cost.  By allowing BYOD there are potential savings in ICT infrastructure, as in effect you are passing (somewhat unfairly) the burden of upgrades to your staff.  You could even offer staff an annual bonus for using their own devices and sharing the cost of upgrading, and still save money.  A very convincing argument in favour of BYOD was also presented on ZDNet (http://www.zdnet.com/blog/virtualization/byod-the-inevitable-reality/3953), although I would disagree (obviously) with the views on security and argue that this is where governance comes in (see below).

However, as I said earlier, if you do so you relinquish control, which in my view will always be too high a price.  Now some will argue that as soon as you provide staff with a smartphone or laptop you lose control of these devices the second they walk off the premises, so why worry about BYOD?  However, I would contend that this is where governance comes in.  Issuing staff with company-owned devices means you determine (among other things):

  • What devices are permitted;
  • The operating system and how it is kept secure with the latest security updates and patches;
  • The strength and quality of passwords used;
  • What anti-malware software is used and, perhaps more importantly, how it is updated;
  • How data is stored and protected on the device;
  • How and where the device connects to the internet;
  • What removable media (e.g. USB memory sticks, CDs, etc.) is permitted.

And with governance and compliance checking you can ensure that the above points are always maintained and that the device is used in accordance with your company’s acceptable use policies.  Can you honestly say your staff will be as vigilant in protecting their own devices?  Have a look at this regarding passwords on mobile phones (http://www.scmagazineuk.com/consumers-failing-to-take-mobile-security-seriously-says-sophos/article/209294/).  You may also want to consider that your staff will probably let their friends and family use their own devices, but will be less inclined to do so with a company-owned device.

To support my view I have a challenge for you.  Take a look at the advice for an effective cyber defence provided by the UK Government’s Centre for the Protection of Critical National Infrastructure (http://www.cpni.gov.uk/advice/infosec/Critical-controls) and see how allowing BYOD compares against the advice provided.  You might also want to see how your organisation’s ICT infrastructure meets the listed controls while you’re on, particularly if you are holding large volumes of customer personal data.     

So should/can BYOD work for you?  My answer is no on both counts.  My advice is that organisations that want to protect their own information and that of their clients should consider implementing an information security management system, such as that provided by the ISO 27001 standard, which sets out a structured series of controls, part of which will assist organisations in implementing a business-supporting and secure ICT programme.

However, despite my claim that I wouldn’t advocate the use of BYOD, if you find yourself in a position where you have no choice, there are some steps you can take to reduce the risk (if only slightly) of BYOD:

  1. Identify what types of devices will be permitted and which won’t;
  2. Authorise permitted devices and block all others;
  3. Segregate particularly sensitive company/client data on the network and consider what access will be permitted from remote devices;
  4. Insist on specific encryption standards for data storage and using WiFi;
  5. Insist that anti-malware is installed, kept up to date and the device is regularly scanned;
  6. Insist that a remote emergency wiping capability is added to the device for if the device is lost/stolen;
  7. Keep up to date with the latest threats and vulnerabilities and have a policy in place for responding accordingly;
  8. Develop, educate and enforce BYOD policies that cover Steps 1 to 7 and:
    • Immediate actions if the device is lost or stolen;
    • The impact on a staff member’s expectation of privacy when connecting their device to the company network;
    • How the device can connect to company networks;
    • Acceptable use for email and the internet;
    • The wiping of data when a staff member upgrades/replaces their device;
    • The wiping of data when a staff member leaves the company.

  9. Consider compliance checking on devices to ensure the above is occurring;
  10. Consider what support options the company might offer for the devices.

Dave Wharton, Senior Security Consultant, Advent IM


FOI and the Great British Public

A Guardian article yesterday said that civil servants feel that the Freedom of Information Act (FOI) has not improved government.

You can read it here if you missed it.

You’ve got to have a system.

I agree with the bulk of this article. I am not totally convinced that “Joe or Joanne Bloggs” were ever really sure what FOI is meant for.

Of course, there have been some crackpot, waste-of-time requests. That was always going to happen. But to quote our Commercial Director, “Freedom of Information – nice idea, but it’s not being used to any great effect by the public. This seems to be driven by an apparent apathy.” She goes on to say, “The country gives the appearance sometimes of being politically disinterested – just look at the turnout for local elections. The key question is, if its purpose was to engage the public, was it just poorly promoted or is the Great British Public just indifferent and apathetic?”

Good question. It seems to me that the more local it gets, the more interested people get, as local government appears to receive more FOI requests (shame they aren’t quite so keen on turning out for elections, but there we are). This may indicate a disconnect with central government and a lack of interest, or that people generally want more information about the ‘in my backyard’ type of question.

So what do people think of FOI? There seems to be confusion between FOI and the Data Protection Act – again, think about how these have been presented to the public and it may not be so surprising. Few people realise that organisations have an obligation to maintain a publication scheme, and few public organisations proactively market their publication schemes.

FOI seems to come into its own for journalists looking for information for their stories – sometimes justified, sometimes salacious. This is in danger of bringing the whole scheme into disrepute, and that would be a shame.

I spoke to Mike Gillespie, our MD, about this yesterday and he said, “Yes, however don’t lose sight that this report discussed in the article was written by civil servants, and civil servants have to process FOI requests…” So the fact that FOI is now beginning to be viewed and discussed as a “costly burden” may mean there are changes ahead.