The government has updated its bring-your-own-device (BYOD) guidance for employers following a rapid increase in the use of mobile devices and the growth of remote and flexible-working arrangements among staff who use their own laptops, phones and tablets for business purposes.
The guidance applies to any type of BYOD software product running on a personally-owned device including: container applications on personally-owned smartphones, bootable USB media on home PCs and remote desktop or remote application products.
The security aspects in the guidance include: creating an effective BYOD policy to ensure devices are only able to access business data that employers are willing to share with staff; limiting the information shared by devices; considering using technical controls; planning for security incidents to limit loss; considering alternative ownership models; encouraging staff agreement; understanding legal issues; and anticipating increased device support.
Ciaran Martin, director general for Government and Industry Cyber Security, said: “We’re always looking to find the right balance between easy use and good security. Getting that balance right for BYOD is what our new guidance is all about.”
Ali Moinuddin, chief marketing officer at file sharing and document services organisation Workshare, added: “The key issue that organisations need to address is finding a balance between the ease-of-use and flexibility that users demand, and the security and control that IT needs.
“The government’s recognition of the move towards more flexible and mobile working in organisations is certainly positive, because it brings the inherent security issues to the forefront of the BYOD debate. The onus is now on organisations to take advantage of the opportunities that BYOD offers them, in a secure and manageable way.”
BYOD has advantages for employers including increased efficiency, flexibility and employee morale. But it also carries a number of risks that organisations must consider, particularly when allowing employees to use their devices to process work-related personal information.
Last year The Royal Veterinary College received a warning from the Information Commissioner’s Office (ICO) after a member of staff lost a camera, which included a memory card containing the passport images of six applicants. The organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices.
To ensure that their staff work effectively and securely, employers must have a robust BYOD policy in place, along with the technology, procedures and systems to support it.
Employers can use the updated guidance from the National Technical Authority for Information Assurance to consider the key security issues that surround the use of employee-owned devices.
Simon Rice, group manager for technology at the ICO, said: “As the line between our personal and working lives becomes increasingly blurred, it is critical that employers have a clear policy about personal devices being used at work.
“The benefits must be balanced against the potential risks to work-related personal data, but the organisation should not underestimate the level of effort which may be required to ensure that the processing of personal data with BYOD remains compliant with all eight principles of the Data Protection Act (DPA). It is the employer that is held liable for any breaches under the DPA.”