Bring your own device schemes should set alarm bells ringing
by Norman Shaw
Mr. Shaw is founder and owner of ExactTrak, the makers of Security Guardian USB.
The ‘bring your own device’ trend has become an increasingly popular one over the last few years. A survey by ISACA suggests that 54% of employees have a personal device they use for work. Employees enjoy the freedom the BYOD scheme offers, and company balance sheets look healthier for the minimized hardware spend. But the convenience of BYOD is accompanied by significant data security risks, which can prove enormously costly.
Many businesses are allowing the home and office to seep into each other via shared equipment, without ensuring there are adequate security measures in place. So what are the main dangers of mixing work and home, and how can companies best tackle them?
Now where did I leave it…?
Loss and theft of hardware is a major issue. Human error still tops the list of causes behind data loss, and something as simple as forgetting a USB on a train can have serious consequences. Technology may be developing exponentially, but human carelessness can always be depended upon to throw a spanner in the works. Data security experts estimate that over 17,000 USB flash drives or data devices have been left in public locations this past year.
If you’re commuting with a USB or laptop which holds sensitive company information, you need to have a plan in place should you lose them. For the sake of your workload, the files need to have been backed up. For the sake of your personal reputation and that of your employer, you need to know that nobody else can access and exploit the data.
It’s here that many businesses fall down. Losing a USB with sensitive data is not too troublesome if you can instantly remotely wipe the data. Instead, many companies rely on encryption, seemingly under the impression that it provides an adequate level of protection in the event of loss. While encryption may prevent an individual from accessing the contents instantly, it’s only a matter of time before it can be cracked. A survey by the Ponemon Institute for Intel revealed that 56% of IT managers admitted to often having their device’s encryption turned off, which immediately makes businesses more susceptible to security breaches.
Here are some helpful tips and best practices for corporate teams to help minimize the risks that are associated with sharing home and office hardware, and offer businesses a certain peace of mind.
Bring your own contract
Many companies have a BYOD policy, yet comparatively few make any amendments to their employees’ employment contract. This opens up a minefield of issues in the event of an incident, with both parties potentially losing out.
Companies ideally should set out clear rules about ownership, so that there can be no dispute in the event of loss or theft of hardware. If a laptop gets stolen, for example, and there is both personal and corporate data saved on it, who is to be held to account? Both employee and employer need to understand who owns the data on a shared work/home device, with clear guidelines on how the hardware is insured, and by whom.
Being able to provide a clear audit trail is crucial for companies, making it prudent to have a clear-cut BYOD policy woven into the employee contract. If information on a stolen device is compromised (and not encrypted, say), then responsibility can be placed on either the business or the employee without ambiguity, with the relevant person held to account where necessary.
Not every cloud has a silver lining
Cloud has been hailed by many companies as ‘The Answer’ to smooth home/office working. In theory, it provides a smooth link between the office desk and home study, but given the recent spate of websites being crippled by cloud ‘down-time’, it would be unwise to consider it infallible.
There are instances when it’s very difficult to rely on cloud, particularly for business owners who work within a ‘customer-facing’ role. Having a copy of local data (on a USB stick, say) is imperative, as few customers (or prospective customers) will happily allow unfettered access to their systems in order to see a slideshow, or specific documents. Carrying local data around can be risky, which is why businesses need to ensure that even in the event of loss, sensitive data won’t be compromised.
With employees increasingly shuttling their hardware between home and office, businesses need to be sharper at ensuring they’re covering the accompanying security risks. Whilst they cannot eradicate human carelessness which leads to loss of equipment, they can ensure that the data which accompanies the devices is protected to the hilt. Unless companies invest in hardware which facilitates this, they leave themselves open to continuous risk of security breaches, which can prove extremely costly.