5 minute read

Bring your own device (BYOD) refers to the policy of permitting employees to bring personally owned devices, like your mobile phone to their workplace and using those devices to access and use company information, such as email.

Employees have been bringing their devices to work for quite some time, but by around 2012, it had become clear that every organisation needed a policy that would outline whether you could bring your own device or indeed not. However, these days, it’s less likely and even considered counterproductive to have such as prohibitive policy which means having a more comprehensive policy that incorporates the realities of modern technology and usage.

Bring your own device

Generally, if you know your username and password, you can login to your email account from anywhere, from any device, anyway, without such a policy in place. You can use any email client which have an array of (secure) protocols, or you can go through the browser, such as gmail.com or outlook.com and login from there. I think this is a good thing.

I’ve seen people introduce Microsoft products in favour of Google products because they didn’t like cloud technologies. However, the reality is that we live in a time where everyone offers a “cloud” solution, including Microsoft and there’s really no getting away from that.

I think that anything we attempt to do to restrict use of “cloud” technologies in an effort to be more secure puts us in a position that many governments find themselves in, restricted. Restrictions and draconian policies that come with Mobile Device Management (MDM) products such as “Good for Enterprise” tend to slow us down.

I actually think issuing mobile phones for key members of staff would be a good idea, if that’s the level of involvement or support that we expect, however I’m not really sure all work warrants it. I think having an SLA with the users should really help to shape the expectation and should offer a value of how important being available is in the event of an issue.

If you’ve not heard of “Good for Enterprise”, it comes from a time with Blackberries were king and the cloud was less so. I think this is apparent in as much that this product doesn’t exist by this name anymore. Things have clearly moved on.

Before introducing something like this, my question would be, what are the concerns? What does Good for Enterprise or BlackBerry Work give you that Outlook does not? Everything comes with the same level of security these days. Do these products give you what you need?

I remember reading once “always treat email as if it’s going to be read publicly” and that’s how we should treat it. I think that’s true in both message and in security. If FCA compliance is the concern, then we really shouldn’t ever be sending sensitive data over email anyway.

If it’s external attacks, then I think we’re way off target. We live in a world where organisations are going to get breached, it’s a question of when, not if – it’s how we deal with that after it’s happened that’s important.

These days, it’s not external threats that we should be worried about it’s our own employees. Even with the raise of AI technologies such as Darktrace which uses machine learning and AI algorithms to build a so-called “pattern of life” for every network, device, and user within an organisation, things aren’t black and white. According to behavioural scientist Deanna Caputo, most employees engage in workplace activities deemed as “suspicious” – even if it’s by accident.

Debi Ashenden, A cybersecurity professor says: “The only way to get to the truth is to have open conversations. A security professional once told me that when you have a relationship of trust with your staff, they ‘fess up to things they’d never otherwise tell you’”.

If you already have a BYOD policy, then that’s what we should stick to. My view has always been that HR problems shouldn’t be solved with IT.

It could be argued that it’s about risk of people not locking their phones or laptops or losing thumb drives.

Peter Tippet, Chief Technology Officer of Cybertrust, warns against addressing every single “wouldn’t-it-be-horrible-if” scenario without considering it’s likelihood. How likely is it that the result of people not locking their phones lead to confidential data being leaked? What is the potential annual loss expected if this was to happen?

What kind of sensitive or confidential information are we transmitting via email that would pose such a large business risk? If you’re sending passwords, customer data or trade secrets over email then that’s a problem you need to solve. Email is not a suitable transit protocol for confidential and sensitive information without a sophisticated encryption layer such as GPG.

So what can we do technically to reduce the risk? Use encryption software.

This is not without challenges. It’s reported that former CIA employee, Edward Snowden made a video to help the journalists understand how to use GPG encryption. Despite this, Greenwald, a former lawyer and a columnist for The Guardian who Snowden was in contact with described the encryption software as “really annoying and complicated” and ignored Snowden’s advice.

Fortunately, popular email software like Outlook comes with message encryption built in, however it does not solve the problem of people leaving their phones unlocked. That requires education.

If you can’t trust people to take steps to keep their own devices secure, then you shouldn’t let people access email on their device. The policy would then need to disallow access from outside of our network instead opting for VPN connectivity for security and auditing. You should not have a bring your own device policy and issue devices to key staff members with MDM software preinstalled.

Alternatively, you could employ a “trust but verify” policy by introducing a self-audit checklist that will help to educate and verify that people understand the risks and have taken the right measures to secure their devices. Then only permit access once they have completed the checklist. This procedure should be sufficient to demonstrate that you are taking responsibility to reduce risk.

Having a “trust but verify” process and procedure is the type of security control that is encouraged to satisfy ISO 27001 and FCA compliance requirements. All staff should have an understanding of data security measures and could be audited on an individual basis at any time.

Sure it could be argued that prevention is better than cure, and that in an optimist’s world you wouldn’t need lifeboats, burglar alarms or firewalls, but that’s not the world we live in, sadly bad things do happen.

Balancing the risk to the business vs impacting staff is a challenging but necessary issue that needs to be addressed. Given the choice, do you buy more lifeboats or train your crew to avoid crashing? I know which I would prefer.