BYOD refers to the policy by which employees can use their own personal mobile devices to access company networks/systems. We consider guidelines on creating such a policy. If your business is in the Worcestershire area, we at Pinfields can help you to create a Bring Your Own Device (BYOD) policy.
Some employees will prefer to use their own personal mobile device, which places the organisation at risk of reputational damage and legal proceedings.
Firms need to have a formal policy with regard to the use of personal devices at work.
Bring Your Own Device (BYOD) refers to this type of policy: one that defines which mobile devices (if any) employees can use to access company networks/systems.
We consider how to structure such a policy and what should be included.
Firms need a policy that sets out the devices which may or may not be connected to its network. It will also need procedures to ensure that non-approved devices can never be 'accidentally' connected. Finally, appropriate mechanisms must be put in place to maintain security over personal data, which may be stored on mobile devices.
The first step is to perform an audit of the current situation. Which devices use the network, and what for?
As the employer (who is the Data Controller) there are obligations under GDPR to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
There is a high risk that confidential corporate and client data can find its way onto personal devices, which are usually not very secure and can easily be lost, mislaid or stolen.
Imagine this scenario. An employee receives an email with an attachment containing a mailing list of all clients and their contact details, which they open and save onto their mobile device. If that device then goes missing, the data stored on it could find its way into the public domain, be misused, or be sold on to a competitor. What's worse is that the Information Commissioner's Office will need to be notified of the loss of data, as will each individual on that mailing list. This can cause major reputational damage as well as a large financial penalty.
Having performed an audit, the second stage is to decide what to include or exclude from a BYOD policy, and this is usually done at device level.
However, strong controls such as mobile device management systems need to be employed with this type of approach.
In an increasing trend, some firms have decided to abandon BYOD altogether and adopt a zero-tolerance policy, providing company devices to employees instead.
The firm may wish to restrict access to certain applications – most often to email and internet access only. Full-blown access to networks and applications should be avoided where possible, other than from PCs or laptops and then only via trusted networks or secure remote access tools.
BYOD devices owned by an employee are likely to be used for both business and private purposes.
On the one hand the employee has to be confident that the company will not access personal material stored on the device or use device monitoring tools, whilst on the other hand the company will want to protect corporate and client confidential information which may also be stored (or visible) on the device.
Employers also need to be aware that devices may be used (for personal purposes) not just by the employee, but also by other family members.
The easiest and quickest way for devices to be attached to a network is for employees to log in to the network wirelessly from their own device. Some firms publish their wireless key to employees without realising that employees then use that key on all of their devices, including personal ones.
A common method of providing device security is to make the wireless key very strong (i.e. difficult to remember), and to have it entered into each device only by a member of the IT support team or another nominated individual. Control can thus be maintained at device level relatively easily. However, this approach can be very time consuming, depending on the size or complexity of the organisation.
More robust approaches use network hardware to create access control lists for specific devices, which must first be registered, and therefore approved by the business, before they can connect. This method also allows for auditing and time-based controls, such as restricting wireless access to office hours.
Most current versions of network operating software (Windows and Mac) have inbuilt security tools that can be used to maintain a list of "approved" devices.
This is done through a registration process in much the same way as network hardware registration, whereby the device is presented and registered on the network.
If a device gets mislaid or an employee leaves, the device can be blocked/removed from the list of registered devices.
Whilst this approach is useful in blocking unwanted guests and controlling access to network resources, the disadvantage is the lack of control once a connected device is lost or stolen.
A more robust approach to providing device security is to use mobile device management (MDM) services. These may either be provided as part of the network operating software, or by a third party.
There are different levels of this type of service ranging from simple registration and device reset services, to sandboxing personal and corporate data, which will allow separate wiping of corporate data only.
Employees will have to agree/consent to whichever mobile device management system is used if they want to adopt BYOD.
Employees must also agree/consent if MDM software is used to monitor the device, the activities that are monitored and whether or not geo-location is used.
Finally, employees will need to understand what will happen to their own personal data stored on the device, in the event the device has to be disabled.
This method has all the benefits of being easy to use, from the end-user perspective, whilst being very secure from the business perspective. The business can also perform operations such as locating devices, should they be lost or stolen, or performing a block and wipe remotely.
A BYOD policy in itself does not provide sufficient safeguards. All confidential/personal data must be encrypted. Just setting a document/spreadsheet as read-only, or creating a password to open the document/spreadsheet is not the same as encrypting the data.
Firms must assess what personal data is being transferred to and from which devices, perform a risk assessment of the chances of that data getting into the public domain, and then use appropriate encryption methods to protect that confidential/personal data.
BYOD can either be formulated as a separate policy, added to an existing acceptable use policy, or added to an existing internet and email policy or social media policy.
Company devices, by default, will come under the scope of BYOD.
Employees with their own personal devices should be given the opportunity to opt out of or opt in to the BYOD policy.
See our summary for our four easy steps in defining and implementing a BYOD policy.
It is important that the employer (who is the Data Controller) remains compliant with the GDPR with regard to the processing of personal data. In the event of a security breach, the employer must be able to demonstrate that all personal data stored on a particular device is secured, controlled or deleted. Having a BYOD policy will go a long way towards meeting that objective.
If your business is in the Worcestershire area we are here to help you create a Bring your own device policy (BYOD). Please contact us at Pinfields for further advice.