
BRING YOUR OWN DEVICE – MANAGING THE RISKS

Antony Sendall

On 6 October 2014, the Government published new guidance on BYOD (‘Bring Your Own Device’). The guidance highlights the fact that allowing employees to use their own technology at work is not just a technical issue to be grappled with by IT departments, but one with wide-ranging implications for employers.

Organisations are increasingly allowing their employees to connect to the corporate network using their own devices, especially smartphones, laptops and home PCs. Recently published statistics from the US reveal that 90% of employees who have a smartphone make some business use of it, yet only just over half of them password protect their devices, more than half regularly log in to unprotected wifi networks and more than half do not disable the Bluetooth discoverability of their devices.

There are great advantages in allowing staff to use their own devices, especially with an increasingly mobile workforce and the expectation that they will be connected 24/7. It can boost productivity and bring many other benefits. However, it also brings many potential risks, both during and after employment.

The risks include, but are not limited to:

  • Loss of control over confidential or sensitive data, both in terms of storage and dissemination;
  • Data Protection obligations may be compromised by inadequately protected devices that are lost or stolen while containing ‘personal data’ in respect of which the employer has responsibilities;
  • Inadequate controls over unauthorised programs, including apps, file sharing through the cloud or web-based systems such as Dropbox, instant messaging, and the security issues posed by viruses and malware;
  • The complexity of seeking to control what employees are allowed or not allowed to do with their own devices in their own time.

Organisations that operate a BYOD policy need to have a comprehensive written protocol and policy that sets the standards, procedures and restrictions that will apply. However, the need for comprehensiveness also needs to be tempered by the competing demands of conciseness and simplicity. To be effective, it is not enough just to have a policy. It will not provide a basis for taking disciplinary action for breach unless it is backed up with appropriate training for staff. Perhaps the biggest danger is posed by the very fragility of the confidential information itself. Once released into the public domain, whether by accident or design, it is usually impossible to retrieve. Adequate training is essential to minimise the risk of accidental loss of data or information.

Apart from disciplinary issues that may arise from failing to comply with a BYOD policy, there is a very obvious concern over the protection of information and data from misuse by a departing employee, who may have very large quantities of information and data stored on, or accessible from, their own devices. Businesses whose very existence may depend upon the contents of their contacts and sales databases need to ensure that when an employee leaves the material is returned and future access is denied.

Organisations need a good grasp of what information is available to staff, how and where it is stored, how it can be retrieved from a departing employee and how future access can be denied. The speed with which information can be disseminated to competitors or placed in the public domain means that it is vital for organisations to be prepared to act quickly and effectively to obtain appropriate injunctive relief. This may include not just negative obligations (such as an order not to use or disclose information), but also positive orders for delivery up of information or equipment, the provision of passwords and access details, permitting access to devices and for operations such as copying and deleting to take place.

Who should be covered by an organisation’s BYOD policy?

All staff (including part-time and casual) who may have cause to use their own devices to access business networks, databases or information. However, provision should also be considered in respect of external consultants or contractors.

Who has access to what?

A critical aspect of any effective BYOD policy will be controlling who has access to what information. All staff should be required to sign up to a security policy that makes effective provision in respect of their access to and use of information and data on personal devices. Ideally, access should be granted only on a ‘need to know’ basis.

Who has responsibility for the BYOD policy?

Many organisations place the responsibility for BYOD policies with their IT department. While the IT department will need to be involved in the structure and content of the policy, as well as policing its effectiveness and compliance, it is equally important that the organisation has a good grasp of the business implications and risks associated with potential breaches of the policy in order to ensure that its scope meets the business needs of the organisation.

Education and training

Everyone affected by the policy not only needs to be aware of its existence and provisions, but also needs to understand its purpose and the risks entailed by breach. Securing adherence to its provisions can give rise to an extensive training and education requirement, in order to instil a culture where compliance becomes instinctive.

Any training also needs to cover what is acceptable use.

Reviewing the policy

Frequent review of any BYOD policy is of paramount importance. Technological change is extremely rapid and the policy must keep pace.

Secure sign-up

It is also imperative that rigorous procedures are in place to ensure that any BYOD device is compliant with all relevant protocols and policies before any network access is granted. Employees may also need to undertake to allow access to their devices so that updates can be installed, and/or to agree to keep certain protection programs secure and updated themselves. Consideration should also be given to provision for the remote wiping of devices, or of data from devices, in the event that they are lost or stolen.

Departing Employees

It is essential to ensure that any BYOD policy provides for access to personal devices to ensure that all information belonging to the organisation is removed prior to departure.

Where possible, the policy should provide for an ‘exit wipe’.

Network access should be revoked immediately upon departure.

Key action points for employers

Ensure that your organisation has an effective BYOD policy which is:

  • Comprehensive
  • Up to date and reviewed frequently
  • Well understood by staff both as to content and purpose
  • Rigorously applied
  • Capable of being enforced quickly and effectively


Posted: 13.11.2014 at 09:49