Way back in 2013, the government issued a security approval for public sector organisations to offer Bring Your Own Device (BYOD) schemes that would enable employees to access company data via their own mobile devices – be it from the office or at home.
Fast forward 4 years and plenty more funding cuts later, this scheme has slowly picked up across public sector organisations as they look to do more for less. But research from Annodata shows that only 22% of public sector organisations that have a BYOD scheme in place actually have a defined policy – another 43% have no idea if they even have a BYOD policy at all.
This is worrying stuff as public sector organisations are required to adhere to strict guidelines and regulations in order to keep sensitive data secure and the rules will only become more stringent when the General Data Protection Regulation (GDPR) comes into effect next year.
Many public sector organisations are hesitant when it comes to the adoption of BYOD. This could possibly be down to the security concerns around BYOD, such as not having the right network structure in place to support a BYOD scheme or how to overcome the lack of encryption on some personal devices, both of which make organisations susceptible to cyber-attacks. Whilst this is totally understandable, with an accurate understanding of BYOD, how it works and ensuring it’s regulated within the workplace, you can minimise this risk to a very low level. More public sector organisations should be considering BYOD schemes as with the correct deployment and management, the pros can outweigh the cons.
What is BYOD?
BYOD refers to the policy of allowing employees to, well, bring their own device. Instead of issuing employees with a company laptop or smartphone, organisations are allowing staff to use their own devices to access the company networks, systems, software or information and stay connected beyond the workplace. In recent times, the concept of BYOD has been proven to bring several key benefits to organisations who adopt this approach, including increased productivity and cuts to IT and operating costs.
Aside from the cost effectiveness and the benefit of not having to invest heavily in new devices, employees will be familiar with their own devices. For example – one may be comfortable operating Apple technology whilst someone else may be more of a Windows fan. BYOD gives employees the comfort of operating a hardware platform that they’re already familiar with and takes away the irritation of trying to adapt to new systems and technology. As such, the concept of BYOD helps drive efficiencies – saving time as well as money in the long run.
But of course, as with everything, it has its downfalls – mainly security concerns. With the number of security breaches and attacks rising year on year, organisations are starting to invest heavily in security measures to ensure there’s minimal chance of a virus infiltration or a disastrous data leak. But whilst some organisations are taking the necessary precautions, others are slow to catch on. Back in 2014, the ICO issued a firm warning that any organisations operating outdated software such as Windows XP would face fines, yet this year it was revealed that over half of businesses still rely on the 15-year-old operating system – which has been unsupported by Microsoft since 2014.
It’s the failure to take the steps needed to protect data that leaves businesses vulnerable to a whole host of cyber threats. With sensitive information available at the touch of a button, who else could gain access to company information on an employee’s smartphone or laptop? Disadvantages such as this are commonplace when exploring the possibility of BYOD, but precautions can be taken to minimise these risks when adopting a BYOD strategy. So where do you start?
Security with an established policy
When not fully understood and regulated, security is the main risk that BYOD presents for the public sector, but there are steps that can be taken to reduce the potential threats and dangers.
Despite what many believe to be true, security incidents that result in data leaks aren’t always cybercriminals unleashing malware on to your network disguised as a link within an eye-catching e-mail. Sometimes the threat comes from within: human error, such as visiting a website that you think is secure but which in fact has all sorts of harmful viruses lurking on it, or the nightmare of a stolen tablet containing company data more valuable than the device itself. These things happen; how you protect the organisation against them is the important part, and failure to take action can result in huge fines. Earlier this year, the ICO fined TalkTalk £100,000 after it failed to look after its customers’ data and risked it falling into the hands of fraudsters. The ICO’s investigation concluded that this was down to a lack of security measures, which meant staff were allowed access to large quantities of customer data.
So, how do organisations protect data with a BYOD strategy? A great place to start is the creation of a strong policy. It’s important to set out a clear BYOD strategy before any employee uses their own device to access your organisation’s data or network – be it internally or outside of the office.
When developing your policy, there are several elements that are useful to include:
Which devices are allowed, and which aren’t? Technology moves at such a speed, and there is no longer one single platform that individuals use for work. With so much choice out there, be clear about which devices you mean: list the devices you’re willing and able to support. Alongside this, list the approved apps that promote productivity, so that any application not on the list is automatically blocked from installation should an employee attempt to install something that isn’t in line with the policy.
This doesn’t just apply to vulnerable apps either; all too often people get carried away with the latest gaming app (Candy Crush, anyone?) or keeping up to date on Facebook. Set out clear expectations in your organisation’s ‘Acceptable Use’ policy: which apps are permitted for use during working hours and which aren’t.
Establish strict security measures for all devices
Having passwords on personal devices can sometimes seem like a bit of an inconvenience when trying to access content and features, some users may even disable a password altogether to save time. But within the public sector setting, there’s just too much sensitive information at risk for you to not have a strong password policy.
Your policy needs to make it clear that staff who want to use their devices with your systems must accept a complex password on their devices at all times. Set rules on passwords so they’re not cracked too easily – at least one upper-case and one lower-case character, at least 6 characters long, rotated every 90 days, and so on.
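As an added example (not code from the original post), the following Python checker applies the password rules listed above to a candidate password and to the time since it was last changed. The thresholds are the post’s own; the function names, the rule labels and the sample values are assumptions made for illustration, and the checker deliberately reports rule names only, never the password itself.

```python
# Added example: enforce the BYOD password rules from the post.
# Thresholds are the post's (one upper case, one lower case, 6 characters,
# rotated every 90 days); names and sample data are constructed.
from datetime import date
from typing import Dict, List

MIN_LENGTH = 6        # "6 letters long"
MAX_AGE_DAYS = 90     # "rotated every 90 days"


def password_violations(password: str) -> List[str]:
    """Return the names of the complexity rules a candidate password breaks.

    An empty list means the password meets the complexity rules. Only rule
    names are returned, so the result is safe to log or show to the user.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not any(ch.isupper() for ch in password):
        violations.append("no_upper_case")
    if not any(ch.islower() for ch in password):
        violations.append("no_lower_case")
    return violations


def password_age_days(last_changed: date, today: date) -> int:
    """Whole days since the password was last changed."""
    return (today - last_changed).days


def rotation_overdue(age_days: int) -> bool:
    """True when the password is older than the rotation window."""
    return age_days > MAX_AGE_DAYS


def device_compliant(password: str, age_days: int) -> Dict[str, object]:
    """Combine complexity and rotation checks into one verdict for a device."""
    problems = password_violations(password)
    if rotation_overdue(age_days):
        problems.append("rotation_overdue")
    return {"compliant": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: one device meets the policy, one is weak and overdue.
    today = date(2017, 6, 1)
    print(device_compliant("Summer17", password_age_days(date(2017, 4, 1), today)))
    print(device_compliant("summer", password_age_days(date(2017, 1, 1), today)))
```

A check like this belongs at device enrolment and at each policy refresh, run by the enrolment service rather than by the user, so that a device with a disabled or weak passcode is refused access before it touches organisation data.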
Mobile Device Management
The introduction of BYOD in the workplace means a whole host of personal devices need to be managed through a platform that provides solid protection for company data and the network. A mobile device management (MDM) system is critical when protecting your documents and managing threats to your network. Cisco Meraki offer an excellent MDM solution that protects against viruses and lets administrators remotely lock, and wipe data from, devices that are lost or stolen.
Your employee exit strategy
For employees who choose to leave the organisation, remembering to remove their access to e-mail, data and so on is vital. It’s not as simple as having the employee hand over the company laptop and that’s that – access to all of the organisation’s documents needs to be disabled too. This should be a mandatory step in the employee exit process so that departing staff don’t take company files with them when they leave. Luckily, with an MDM system in place, wiping data and removing access for departing staff can be a pretty straightforward process.
BYOD and GDPR
The General Data Protection Regulation (GDPR) comes into effect in less than a year and any organisation that holds and processes the data of an employee – regardless of where the company is based, will have to comply with the new legislation. Even after Brexit, the UK is likely to maintain its own version of the GDPR.
Failure to comply could result in hefty fines from the UK Information Commissioner’s Office (ICO) of up to 4% of a company’s annual turnover or €20 million, whichever is greater. That’s a hefty sum for non-compliance!
It can seem like a huge risk introducing BYOD into the workplace, particularly in healthcare, finance and the rest of the public sector with the kind of information these organisations process daily on employees and customers. Throwing in GDPR as well can seem very daunting, but with the right measures in place and more emphasis on security, risks can be minimised.
Establishing a strong BYOD policy is an excellent place to start and of course, a reliable MDM tool is vital to protect data as we touched on earlier. But employees actually have to be on board with the policy in order for it to be effective. The continued education on cyber security best practices as well as GDPR is also essential. Individuals need to be made aware of the harsh fines that will follow if there’s a data breach when GDPR comes into effect.
All it takes is one misinformed employee to undo all the hard work and effort that’s been put in to protect your network. Regular training of employees on your BYOD policy updates, GDPR and the latest phishing scams is key to limiting the risk of a data breach.
Ensure it’s also clear who has access to what data, and what information can be shared on personal devices.
With a well-managed and understood BYOD policy in place that all employees are on board with, there’s some major benefits that come with deploying a BYOD scheme – just make sure you assess BYOD in more detail to determine if embracing a strategy like this will add value to the organisation and your employees.