I had been planning to write up a summary of my thoughts on Bring Your Own Device, but I’m pleased to discover that the UK Government has pretty much done it for me. Their draft guidance, just published for comment, suggests an approach along the following lines:
- Start by reviewing which information should not be accessed from BYOD, and configure networks and servers to prevent access;
- Work out with users how the remaining information can safely and lawfully be used on BYOD;
- Consider technical solutions to support that user agreement;
- Plan to support a wider range of devices than just “corporate issue”;
- Add BYOD to your incident monitoring and response plans.
In our research and education sector I expect to find only slight tweaks in stages three and four. I suspect we’ll find mobile device management less appropriate for us than Government does (the ICO also has his doubts about this software); however, high-speed networks mean we are already familiar with virtual terminal systems that avoid the need to store information on mobile devices. And our users already expect our networks and systems to support pretty much anything they bring along!
Interestingly, the Device Security Considerations also confirm a suspicion I’ve been developing: “If sensible precautions are taken, the impact of compromise of an unmanaged device will be similar to the impact that the same compromise would have on a managed device”. Once you’ve allowed information to be accessed from a mobile device, the most significant factor affecting its security is how the user behaves (e.g. reading documents on trains!), not how the device is managed.
So let’s “maximise the business benefits of BYOD whilst minimising the risks”!