BYOD: Doing Security Together

Presenting at Jisc’s Safer Internet Day event got me thinking a bit more about the shared interests between owners and organisations in a BYOD scheme, and the opportunity that might present. For many years I’ve liked the idea of helping users be safe in their personal Internet lives (where motivation should be a matter of self-interest, rather than “having to comply with policy”) and improving workplace safety as a side-effect. BYOD is an ideal place to do that, since company and personal information are on the same device and protected (or not) by the same behaviours of the device owner.

Thinking about mobile devices, there seem to be five main areas where safe behaviour makes a difference; at least the first three of these have benefits on non-mobile devices too:

  • Backups: saving the right information to the right place at the right times;
  • Security: knowing how to use passwords etc. to protect access; how to download software and documents safely; how to use patches, anti-virus, firewalls and choose the right configuration options; how to detect when things go wrong;
  • Separation: using different accounts and directories/folders to separate information; when to use encryption and what not to view or discuss in public places;
  • Wiping: knowing when and how to trigger remote wiping of a device (getting backups right makes this less of a nuclear option);
  • Location: knowing when and how to use remote device location to increase the chance of getting lost hardware back.

For BYOD I suspect that organisations probably need to set the rules for wiping and backups, though those rules may still say that the owner does them. Wiping is the ultimate protection for the organisation’s information on the device and, as one council recently discovered, getting backups wrong may be the easiest way for the owner to expose that information to unwanted risks. Security and separation offer opportunities to balance what the owner is prepared to do against the information and services they are allowed to access from the device. A benefit of making this trade-off explicit should be that if the user understands that certain information requires a level of intrusiveness that they don’t want, there should be less temptation to work around the prohibition. Provided wiping is done, locating a BYOD device seems to be entirely the owner’s choice: it’s their device, after all! That’s a good thing, as the ICO expressed serious concern about potential misuse of location/tracking functions on a device that might be expected to be borrowed by the owner’s family or friends.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
