Business Mobile Communications

September 20, 2013 bassmediagroup

Don’t Let BYOD Bring Your Own Demise

The Information Commissioner's Office (ICO) recently published two items which highlighted the potential danger to small businesses from the policy of allowing employees to use their own IT devices for work-related purposes.

Mobile Devices - Bring Your Own Device

This practice, commonly known as Bring Your Own Device or BYOD, has mushroomed in the last 5 years as employees have sought to use their own smartphones, tablets and laptops for work. As well as finding the practice almost impossible to stop, employers have rightly concluded that the policy increases employee satisfaction and engagement. As a result, BYOD is being embraced by companies and their IT departments.

Risks

However, allowing employees to use their own equipment for work creates a number of potential problems for IT managers. These range across software legality, network access, software support and the issue of particular interest to the Information Commissioner: Data Protection and Security. Giving employees access to regulated, and potentially confidential, data on their own devices brings with it a series of risks which could result in small businesses breaking the law, or losing control of data vital to their success.

A survey, commissioned by the ICO with YouGov, shows that nearly half of employees have used at least one of their own personal devices for work purposes. Whilst e-mail is the favourite application involved, 35% access work files and 14% connect to work-related online banking services. Yet despite this widespread use, only 27% of these people have been provided with guidance by their employer on the work-related use of the devices.

Guidance

The ICO has used the findings of the survey to highlight its second publication, a report which provides guidance on what companies need to consider in respect of data security and control when they allow personal devices to process personal data for which they are responsible. Whilst the ICO highlights the need to keep things in proportion and not introduce counterproductive, draconian regulation to govern simple data which will often be publicly available anyway, it does make clear that it is the company’s responsibility to ensure compliance with the Data Protection Act WHEREVER data is held.

In order to comply with their obligations small businesses should firstly ensure that, if they allow BYOD, they have a clear, written Acceptable Use Policy which should make clear what types of personal data may be processed on personal devices. They should also consider their need for a Social Media Policy as BYOD is likely to lead to an increase in such use.

When drafting the policy, companies should address a number of key areas.

Where is the data held

In today’s connected world it is often unclear where data is actually being held. Any piece of data could be:

  • on the device itself,
  • on an internal server,
  • on a public network or cloud server,
  • more than one of the above.

You should also remember that a lot of device based data is now also automatically backed up to cloud based networks.

If your company is subject to increased regulation (such as Financial Services), it is possible that the data in question must not leave the UK, which raises an additional raft of issues.

Data transfer

The means of getting the data onto the device, and from there to other users or to cloud servers, is also important: whilst much data storage is encrypted, this is often not the case with data transfer, particularly if public access Wi-Fi networks are used.

What happens after it’s no longer needed

Once the data is no longer needed it should clearly be deleted, but this is not always as simple as it sounds. Data can easily be retrieved after a simple deletion, so more secure deletion methods should be considered. What happens when the employee leaves or wants to sell the device? Steps must be taken to ensure that data on these devices does not leave the company’s control.

Physical security

With many devices it is now possible to physically track their whereabouts and remotely manage and delete data from them. Whilst this may assist in the process of data control, small businesses need to take care that all these systems are enabled and kept enabled, in order to work effectively, and they must safeguard employees against concerns that their movements are being monitored for other purposes.

Other

There are several other areas to be considered:

  • The proliferation of data into new locations makes it more difficult for that data to be tracked for the purpose of reporting or deletion should the data subject require it, or if an FOI request is made,
  • The easy availability of the data may make it more likely to be used for purposes other than those it was intended for, either by the company or by the device owner,
  • Despite all these listed concerns it may be possible to use BYOD as a means to enhance company security by ensuring that high risk data is kept on company networks and can only be accessed using secure equipment, but enabling day to day company business to be carried out on a separate more open network using BYOD.

So whilst Bring Your Own Device can introduce significant benefits in terms of employee engagement and productivity, it is an area which creates its own problems for both IT managers and data controllers. In case you’re thinking that this is just a load more red tape, you should remember that the data held by your business is one of its most important assets, and ensuring it does not fall into the hands of competitors or criminals should be of primary concern to you.

You can access the report on the Information Commissioner's website.

This article is the copyright of No Worry Web and originally appeared on their blog in June 2013.
