I’ve done a couple of presentations this week, comparing the risks and benefits of Bring Your Own Device (BYOD) with those that research and education organisations already accept in the ways we use organisation-managed mobile devices. As the title of my talk in Dundee asked, “BYOD: What’s the Difference?”
Nowadays, most of the significant risks to information when it’s used outside the office seem to be created or prevented by user behaviour, rather than the technology they happen to be using. We’ve all been on trains when someone reads out their credit card details, very clearly, on a mobile phone. Whether that phone is their own or their employer’s, or who owns the laptop on which you work on a confidential presentation in a public place, is irrelevant. If you are worried about information being backed up to an insecure Internet site, or stored on a device that is lost or stolen, then those risks too exist for both personal and corporate devices. In some cases an organisation-managed device may have quicker patching or anti-virus updates, but there are also examples of corporate systems or contracts making security updates significantly slower than an individual can get them direct from the vendor.
Most of the technical security controls that we use on mobile devices in research and education are also readily available, indeed should be basic good practice, for all our personal devices. PINs, passphrases and SSL communications are at least as important to protect personal data and phone bills as they are for business information; encrypted storage and remote wipe (if they are supported) protect our precious information from casual thieves; keeping work and personal files and e-mails in separate folders (or even accounts) makes for much easier filing and less risk of sending a message to the wrong person. Awareness of surroundings is essential for anyone using a mobile device, especially if it’s you that pays for its insurance.
There are a few technologies that aren’t appropriate for personally-owned equipment: the Information Commissioner specifically warns against location tracking and usage monitoring on devices that may be shared with family members. It’s also unlikely to be possible to technically restrict what software is installed or what administrative rights a user has over their own device. But how many users in education have those restrictions on their “work” mobile devices anyway? We may have a policy of withholding administrator rights, but the difficulty of using a laptop without those rights (I’ve tried!) makes me suspect that the exceptions to that are invoked more often than we’d care to admit.
In fact I wonder whether the difference between BYOD and Corporate Mobile might even be the other way around? A BT survey found that 81% of employees (and an even higher proportion of senior executives) “didn’t care” about mobile security. That may be true of devices that are “just for work”, but do we really care so little for personal devices that may contain the only copies of photographs of family occasions or whose misuse by a thief could create a very large dent in our personal bank accounts? Perhaps we should be designing systems that encourage BYOD, helping owners to use their devices safely in their own interests, and incidentally improving the way they handle our data as well? Certainly when I talk to people about security or privacy, it’s the stories of personal impact that seem much more likely to change behaviour.
On balance I don’t see BYOD as creating significant new risks for most research and education uses, unless organisations deny its existence and leave their users without the support and guidance they’ll need when working outside the office on any device. However, there do seem to be potential benefits to be had, both for organisations and their users, if we design BYOD into our human and technical systems. Indeed the human side is probably more important – BYOD is mostly about Owners, not Devices.