Horsemeat and BYOD
Two years ago I was predicting that Bring Your Own Device (BYOD) would become commonplace in work environments. Most of us don’t think twice about using our own car for business journeys, and a personal smartphone, tablet or home PC is likewise just a tool to do a job.
I know there is a difference of course – accessing corporate information and systems means that your device becomes a key to the corporate vaults. But that doesn’t mean that it should not or cannot be done, with due care and attention.
Two years on, over 80% of businesses now have some form of BYOD to support mobile working. In fact, many employees now use multiple devices: having a phone, a tablet and a home PC is increasingly typical, all able to access work as well as personal data. The trend is unstoppable because it benefits both the employer and the employee. The employee gets flexibility, choice of device, work/life balance and convenience. The employer gets increasing productivity at relatively little cost. Try to stop BYOD and you disenfranchise and disenchant employees, as well as putting competitiveness at risk.
At the heart of the debate is not flexible working, work/life balance, or the nature of the device supported. It is about freedom versus security, and as with all freedoms the right balance between the two needs to be found. That will depend on business circumstances. Alarmingly, of the organisations reporting BYOD adoption, a significant number apparently do not yet have the technical security controls or policies in place to ensure corporate data is well protected. In the public sector the PSN Code of Connection is enforcing such discipline.
It is true that a relatively small proportion of security breaches are due to portable media bypassing corporate defences (a BWC survey in 2013 indicated that 4% of security breaches were due to portable devices), but the risk and the number of incidents are increasing, with nearly 10% of larger organisations suffering a security and data breach in the last 12 months involving smartphones and tablets. Wherever you look, data security risks are growing as the volume of data only available electronically grows.
This is a serious challenge for CIOs. Vulnerabilities need to be carefully analysed (based on an assessment of impact x likelihood) and risks mitigated through a combination of technology protection, appropriate business practices and good personal habits. For example, apps on mobile devices can actually help to reduce data security breaches, but only if they are deployed in a managed and structured way, with the user following common sense and good practice.
There is an analogy with the food industry and the recent horsemeat scare. We have technologies such as fridges and chemicals to help minimise food contamination, and complex processes to manage the food chain. But process is more important – sourcing food from recognised suppliers, keeping raw and cooked food separate, keeping a check on use-by dates. And above all, the biggest risk is people – washing hands, following the process and not taking short cuts are all critical in food hygiene.
Bring Your Own Device and the corporate risks of security breaches are no different. The technology should be in place to provide protection, the procedures and practices are more important still, and above all it is personal responsibility and behaviours that will do most to protect the organisation.