
Bring Your Own Device – Managing the Risks

Antony Sendall

On 6 October 2014, the Government published new guidance on
BYOD (‘Bring Your Own Device’) which highlights that allowing
employees to use their own technology at work is not just a technical issue
to be grappled with by IT departments, but one with wide-ranging
implications for employers.

Organisations are increasingly allowing their employees to
connect to the corporate network using their own devices, especially smartphones,
laptops and home PCs. Recently published statistics from the US reveal that 90%
of employees who have a smartphone make some business use of it, yet only just
over half of them password protect their devices, more than half regularly log
in to unprotected wifi networks and more than half do not disable the Bluetooth
discoverability of their devices.

There are great advantages in allowing staff to use their own
devices, especially with an increasingly mobile workforce and the expectation
that they will be connected 24/7. It can boost productivity and bring many
other benefits. However, it also brings many potential risks, both during and
after employment.

The risks include, but are not limited to:

  • Loss of control over confidential or sensitive data, both in terms of storage and dissemination;
  • Data Protection obligations may be compromised by inadequately protected devices that are lost or stolen while containing ‘personal data’ in respect of which the employer has responsibilities;
  • Inadequate controls over unauthorised programs, including apps, cloud or web-based file sharing systems such as Dropbox and instant messaging, and the security issues posed by viruses and malware;
  • The complexity of seeking to control what employees are allowed or not allowed to do with their own devices in their own time.

Organisations that operate a BYOD policy need to have a
comprehensive written protocol and policy that sets the standards, procedures
and restrictions that will apply. However, the need for comprehensiveness also has
to be tempered by the competing demands of conciseness and simplicity. To be effective,
it is not enough just to have a policy. It will only provide a sound basis for
taking disciplinary action for breach if it is backed up with appropriate
training for staff. Perhaps the biggest danger is posed by the very fragility
of the confidential information itself. Once released into the public domain,
whether by accident or design, it is usually impossible to retrieve.
Adequate training is essential to minimise the risk of accidental loss of
data or information.

Apart from disciplinary issues that may arise from failing to
comply with a BYOD policy, there is a very obvious concern over the protection
of information and data from misuse by a departing employee, who may have very
large quantities of information and data stored on, or accessible from, their
own devices. Businesses whose very existence may depend upon the contents of
their contacts and sales databases need to ensure that, when an employee
leaves, the material is returned and future access is denied.

Organisations need a good grasp of what information is
available to staff, how and where it is stored, how it can be retrieved from a
departing employee and how future access can be denied. The speed with which
information can be disseminated to competitors or placed in the public domain
means that it is vital for organisations to be prepared to act quickly and
effectively to obtain appropriate injunctive relief. This may include not just
negative obligations (such as an order not to use or disclose information), but
also positive orders for delivery up of information or equipment, the provision
of passwords and access details, permitting access to devices and for
operations such as copying and deleting to take place.

Who should be covered by an organisation’s BYOD policy?

All staff (including part-time and casual) who may have cause
to use their own devices to access business networks, databases or information.
However, provision should also be considered in respect of external consultants
or contractors.

Who has access to what?

A critical aspect of any effective BYOD policy will be
controlling who has access to what information. All staff should be required to
sign up to a security policy that makes effective provision in respect of their
access to and use of information and data on personal devices. Ideally, access
should be granted only on a ‘need to know’ basis. 

Who has responsibility for the BYOD policy?

Many organisations place the responsibility for BYOD policies
with their IT department. While the IT department will need to be involved in
the structure and content of the policy, as well as policing its effectiveness
and compliance, it is equally important that the organisation has a good grasp
of the business implications and risks associated with potential breaches of
the policy in order to ensure that its scope meets the business needs of the
organisation.

Education and training

Everyone affected by the policy not only needs to be aware of
its existence and provisions, but also needs to understand its purpose and the
risks entailed by breach. Securing adherence to its provisions may require
extensive training and education in order to instil a culture where
compliance becomes instinctive.

Any training also needs to cover what is acceptable use.

Reviewing the policy

Frequent review of any BYOD policy is of paramount
importance. Technological change is extremely rapid and the policy must keep
pace.

Secure sign-up

It is also imperative that rigorous procedures are in place
to ensure that any personal device is compliant with all relevant protocols and
policies before any network access is granted. Employees may also need to
undertake to allow access to their devices so that updates can be installed,
and/or to agree to keep certain protection programs secure and up to date
themselves. Consideration should also be given to making provision for remote
wiping of devices, or of data from devices, in the event that they are lost or stolen.

Departing Employees

It is essential to ensure that any BYOD policy provides for
access to personal devices to ensure that all information belonging to the
organisation is removed prior to departure.

Where possible, the policy should provide for an ‘exit wipe’.

Network access should be revoked immediately upon departure.

Key action points for employers

Ensure that your organisation has an effective BYOD policy
which is:

  • Comprehensive
  • Up to date and reviewed frequently
  • Well understood by staff both as to content and purpose
  • Rigorously applied
  • Capable of being enforced quickly and effectively
