ENISA have published a useful set of controls and best practices for managing the risks in a Bring Your Own Device (BYOD) program. They identify three groups of controls
- Governance
- Legal, Regulatory and HR
- Technical (Device, Application, User and Data)
Throughout, the focus is on the owners, not the devices, which seems right. If the owners don’t understand the need for behavioural and technical controls and aren’t provided with the skills and motivation to follow them, then with full control of the device they can ignore or override them anyway. For example it may be cheaper and more effective to support staff in appropriate use of social networking tools rather than to try to impose software on all their devices to prevent loss of business information. BYOD programs should therefore be voluntary, with owners making a positive choice to share their devices with their organisations, understanding and accepting the responsibilities that brings.
There are some interesting ideas on how to encourage participation in the programme, including provision of support, offer of additional services, or even financial benefits! It strikes me that at least the first two have beneficial side-effects for the organisation too. Making things work well for those who participate in the official scheme may bring into the fold those who would otherwise try to connect their devices unofficially (I remember universities achieving successful deployment of quality wifi by a similar technique). Providing or recommending services such as webmail and storage means that the organisation can direct users to options that satisfy the security requirements of both users and the organisation.
There are interesting ideas on keeping organisational and personal use separate, not just in technical terms but also in policy. An explicit policy that organisational support staff and management software will only look at organisational data and applications should help staff/owners trust that their privacy is being respected and encourage them to respect the organisation’s interests in return.
Finally there’s a recognition that this is a very rapidly changing area where new technologies and practices quickly move from brand new to completely routine. Organisations need to work with their staff to incorporate BYOD into their existing systems for managing information security to ensure this is done in a way that benefits both.