
Over the years, bring-your-own-device (BYOD) arrangements have grown in popularity as a way to enable staff to access enterprise and data systems. BYOD policies allow, and sometimes even encourage, staff to access corporate and data systems using their personal equipment, such as smart mobile phones, tablets and laptops. Many contend that this flexibility makes it more convenient for staff and shows appreciation for their preferences. This is particularly relevant in the context of COVID-19 restrictions, which have called for more flexibility from both management and staff.

COVIDAs the new norms and practices for remote working be

In all situations it is assumed that standard best practices for data communications and authorisations are maintained. Two-factor authentication is typical, with the stronger systems requiring authentication through a different channel, say via SMS. The use of strong passwords is another assumption that is relevant for all categories of BYOD policies.

Most major hardware and systems providers now cater for BYOD arrangements. Leading firms such as IBM typically categorise BYOD policies[2] as comprising:

  1. Unlimited access for personal devices
  2. Access only to non-sensitive systems and data
  3. Access but with IT control over personal devices, apps and stored data
  4. Access, but preventing local storage of data on personal devices.

The first category of BYOD policies carries the highest risk, as any member of staff can use any of their devices to access any type of data or corporate infrastructure available. It is the simplest to operate, as it merely calls for the appropriate authorisations to be distributed to staff. The risk is highest because any third party that legally or illegally acquires a staff member's authorisation codes can, from the convenience of their own devices, access any corporate system or data operated by the firm. Is it worth the tremendous risk involved merely to gain the advantage of providing maximum convenience to staff?

The second category of BYOD seeks to provide staff with the convenience of using their own devices, but restricts this freedom to non-sensitive systems and data. Such a policy calls for a review of all corporate systems and data to ensure that they are categorised appropriately. This categorisation will typically cut across legacy system and data configurations. Decisions need to be made on the categorisation of user groups (directors, management, middle management, line staff) and on which systems and data each user group needs to access. Once these decisions are made, the relevant systems and data files need to be isolated. Whether they are on a corporate server or in the cloud, they need to be isolated and sealed off from the rest of the systems and data. This seclusion and isolation is critical to ensure that access is only provided to those categorised as non-sensitive.

The third category of BYOD seeks to utilise smarter technologies to allow different user groups access to different systems and data sets, based not on a generic company-wide classification of sensitive and non-sensitive, but on a series of profiled user groups that can be given controlled access through the use of screened personal hardware and installed security apps. These provide another layer of security to reduce access to the system by unauthorised users. This screening of personal devices and the installation of security apps may be seen by some members of staff as an invasion of their privacy. Such apps and control logs capture various personal data, including GPS location data, which would need specific authorisation under the provisions of the EU GDPR.

The fourth category of BYOD policies allows controlled access but does not allow any local storage of data on personal devices. This approach can be implemented within the Category 2 and Category 3 data segregation policies. It can be limiting for some members of staff who may need to access and download certain data files.

Despite the growing popularity of BYOD, many firms are resisting its implementation. They argue that there needs to be a clear separation between work and personal devices, since the security protocols for work need to be at a much higher level than those many would apply for their personal use. Ensuring that separate devices are used for work and personal use allows employers to provide hardware that is professionally secured, with all the relevant apps and controls to allow its use to be monitored and its integrity protected. In this way, the individual staff member's privacy is not breached by the introduction of such invasive monitoring and control tools.

It is never easy to strike a balance between convenience and security. Typically, the more secure the environment, the less convenient it is for users. Yet this inconvenience needs to be set off against the potential damage and liability that would arise were a BYOD policy abused and unauthorised third parties to gain access to corporate systems and data with malicious intent.

eBS has the expertise and experience to assist clients in determining whether BYOD policies can be useful to the organisation or not. With considerable experience in setting up server and cloud-based access control and monitoring tools, eBS can assist clients in developing the appropriate BYOD policies and implementing the necessary system and data storage and access changes to facilitate their implementation on a daily basis. Security is not a luxury; it is a necessity. No matter how expensive it may appear, the cost of a system breach is likely to be far greater than that of the security system required to avoid such a breach. For more information, contact info@ebizmalta.com

[1] Meritt, Tom, 2021. “Top 5 reasons to build, not buy, software”, Software, April 26,

[2] www.ibm.com/services/digital-workplace/byod