FORUM: Managing risk arising from BYOD and telecommuting
August 2015 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
FW moderates a discussion on managing risk arising from BYOD and telecommuting between Mike Gillespie at Advent IM Ltd, Sam Pfeifle at IAPP, and Raj Samani at Intel Security.
FW: How prevalent are BYOD and telecommuting becoming in today’s business landscape? Do you expect to see a continued rise in technology-assisted working, and why?
Samani: Businesses are eagerly embracing BYOD for many reasons. Beyond empowering the workforce and driving innovation in the development of new business applications, BYOD is also considered economically advantageous for companies edging away from owning and controlling a legion of legacy devices. Gartner has predicted that half of employers will require employees to supply their own device for work purposes by 2017, supporting the view that BYOD will only become more prevalent in the business landscape as the consumerisation of IT continues. We recently conducted research which suggested that 78 percent of UK professionals now use their personal devices for work-related activities. Businesses are getting on board to ensure the support and security protocols are in place to support these employees. Technology-assisted working brings huge benefits and will continue to increase for as long as businesses are keen to reap the rewards of enhanced productivity and collaboration.
Pfeifle: Not only are we seeing personal devices become almost ubiquitous in the workplace, we are already hearing people coin terms like Bring Your Own Wearable. It’s not just your phone and laptop anymore, but your smart watch, your health monitor, and a host of other new technologies that very few organisational policies are ready to deal with. As technology becomes ever more part and parcel of our daily routine, it will become nearly impossible for employers to expect employee-owned technology to be separate from their work lives.
Gillespie: Tech-supported flexible working, using platforms like Skype or Google Hangouts, is enabling a great deal of collaboration and opening up opportunities for businesses and employees alike. The need to be ‘on-site’ the whole time is now, in many cases, passé, and so businesses can actually choose the colleague they genuinely feel fits the bill rather than compromising due to awkward geography. Employees are benefitting from being able to flex their work commitments to fit their lives, and with the continuing rise of the Millennials, this is likely to increase. BYOD is also growing if stats are to be believed, along with Choose Your Own Device and, probably, wearables. Given the increasing crossover and convergence of work and home, this is also likely to grow. Technology-assisted working means we are plugged into the ‘office’ virtually all the time; perhaps this is unhealthy, but given the amount of wearable technology available in sports goods shops, it won’t be hard to find out.
FW: In your opinion, how does the success or otherwise of a business with a BYOD/telecommuting policy compare with a firm that does not offer such an arrangement to its workforce? What size and type of firm is most likely to adopt such a policy?
Gillespie: You have to bear in mind that employees will BYOD without telling IT security or having permission to do so. In terms of security, that is a nightmare because you have no control over what they are doing, downloading or viewing. A conservative estimate recently suggested that around a third of apps contain malware. Even if you factor out the malware, the level of invasion many apps require is extensive. Some want access to your contacts, your camera, your GPS. It seems quite extreme considering their purpose. So imagine finding yourself in the position of having no control over what your employees are doing because they haven’t told you they are BYODing and you are one of the 41 percent, according to Acronis research, that doesn’t have a BYOD policy. The best advice would be to fully risk assess the BYOD proposition so you know what level of risk you are prepared to accept for the agility or increased employee satisfaction it will bring. Before you allow it, create a policy that employees have to agree to adhere to, and enforce it. This should include security hygiene training and some level of control that suits your business, such as mandatory anti-malware and some restriction on apps.
Samani: BYOD is now a widely accepted business practice across both global organisations and SMEs. Employees are increasingly demanding more mobile and social workplaces, pushing enterprises to provide the same technology experience at work as that which they experience in their personal lives. Initiatives like BYOD promote intuitive collaboration as well as enhanced productivity. Firms of all sizes are keen to encourage this sort of working behaviour. In terms of success, organisations implementing basic BYOD programmes see immediate productivity gains. Cisco found the average BYOD user saves 37 minutes per week when using their own device at work, while on average basic BYOD generates $350 of value annually per BYOD and corporate device user. When considering that more comprehensive BYOD programmes can further reduce productivity losses, spark innovation and lead to hard savings, companies wishing to boost their success certainly need to consider the implementation of a BYOD policy which includes clear guidelines on security.
Pfeifle: Perhaps larger firms have the ability to issue company-owned devices to their workforce, but employees, being people, are creatures of convenience. If they need to check work email from a personal device because they forgot their second phone, they’re going to do it. If they forgot their company laptop at work and need to access the server from home to finish at deadline, they’re going to do it. That results in ‘shadow IT’ that’s off the radar of your IT department and being accomplished in secret, so that you don’t have contingencies set up and your privacy and security controls are not in place. Keeping everything out in the open and accounted for not only allows your employees to be whole people in this age of nearly 24/7 expectations for white-collar professionals, it also lets you be in better control of what’s happening with your organisation’s data.
FW: Although the concept of BYOD/telecommuting makes a strong statement in terms of employee empowerment, what are some of the potential risks and disadvantages associated with such policies? To what extent could these endanger business performance?
Pfeifle: The risks here are fairly obvious. They include children hitting the wrong button, devices being used in casual situations and in places where security is less than ideal, and a general loss of control and certainty. While I’m not privy to any hard data that says personal devices are more likely to lead to a breach, it seems intuitively true.
Gillespie: A policy is not a disadvantage unless it is unreasonable and a disproportionate response to the risk established in the risk assessment; not educated into employees properly; never reviewed and updated; not enforced, as simply having a policy was deemed to be enough and no one was made accountable; or it wasn’t fit for purpose, in which case the risk assessment was faulty or missing. Employee satisfaction and empowerment is vital to any business, but you have to ensure something as potentially explosive as BYOD is handled properly. Mobile malware is on the rise and the ever-present fear of ransomware has started to raise its exceedingly ugly head in mobile too. A lack of control over what is happening on mobile devices connected to your network is a threat in anyone’s book. It all comes back to the organisational risk tolerance and appetite.
Samani: When employees are permitted to bring their own consumer devices into the workplace, significant security challenges open up. We recently found that 77 percent of UK professionals engaged on BYOD programmes feel confident that their employer is taking necessary steps to protect all important data on their device. The majority of mobile users don’t worry about managing the security of their devices and identifying easy entry points for malware. Some of the main risks include using unprotected Wi-Fi hotspots, leaky apps and putting data at risk by placing highly sensitive corporate documents into apps with weaker security and privacy controls. Lost or stolen devices, combined with the failure to implement appropriate authentication, are also a significant issue. All of these potential risks could endanger business performance. The increased risk of data breaches and hacks could potentially lead to damaged brand reputation and huge costs, both in terms of fines and dealing with the consequences of a data breach.
FW: What considerations should companies make when evaluating the increase in cyber vulnerability against the cost benefit of using less secure business methods?
Gillespie: Remote working can have several cost benefits but doesn’t need to be less secure. Obviously, using untrusted Wi-Fi does have its risks and you need to think about whether the router has been adequately protected. BYOD is definitely a less secure business method and has lots of associated risks, as you have so much less control over what the user is doing with the device, apart from how they use it for work. For both work-styles, though, there are a number of considerations. Is BYOD actually needed? Access to what information assets – general or highly sensitive, data resident on a local machine – is required? What is the risk appetite of the business? Are there additional technical or non-technical compensating controls? What incident management procedures need to be implemented in case of loss or compromise? Also, education and awareness are vital, as having a policy is useless if there is no education and reinforcement of the security message and culture.
Samani: While BYOD can lead to increased cyber vulnerability, companies should consider the outcome if BYOD policies are not implemented. Many people work on whichever device is handy, looking for the most efficient ways to get tasks done. BYOD is happening. Companies will find this is true whether they restrict the technology or not. Embracing BYOD can be challenging but it is far better to be aware of the risks than pretend employees aren’t using their own devices in the office. Threats to security can often be reduced by ensuring that employees understand the protocols to follow in order to keep information secure. As demonstrated by the vast uptake of BYOD, many companies believe the cost and employee benefits far outweigh the security concerns if they ensure that the right processes and people-based controls are in place to protect company data.
Pfeifle: Many companies are asking employees to be more available than ever before. For very few white-collar workers is business a 9-to-5 proposition. They are travelling the world, answering emails from varying time zones, and trying to juggle work-life balance in an increasingly connected world. If having their work email on a personal device lets them catch an extra ballet recital or school field trip, that can increase employee morale by a considerable factor. Further, just because you make something against the rules doesn’t mean employees won’t do it. Keeping a transparent view of how your employees are using company data is vital to an effective privacy and security operation. If a flexible BYOD policy means a better view into employee actions, that’s a huge benefit that shouldn’t be discounted. Finally, there are increasing solutions for sandboxing or otherwise segregating a personal device so that business data is kept better protected. The BYOD landscape is getting more secure and manageable every day.
FW: In your opinion, how should firms with a BYOD/telecommuting policy address security risks and data protection?
Samani: Organisations should develop BYOD policies which strike the right balance between flexibility and control. IT and business leaders need to work together on these policies to ensure that they enable employees to use the apps they need to be productive whilst also getting the right controls in place to protect data and minimise corporate risk. Without this greater cooperation between IT and the boardroom, security cannot be as effective. Enterprises need clearly defined policies on BYOD, outlining which applications and websites are permitted as well as providing advice on where to avoid accessing corporate data. In addition to monitoring and regulating how users transfer and use valuable corporate data over these devices, IT teams should also set up policies to safeguard data if the device is lost or stolen. Beyond careful planning and smart policies, staff coaching is also key. Educating employees about the risks should be part of every firm’s BYOD implementation strategy.
Pfeifle: Communicate with your employees directly and frequently about their obligations with company data, especially if they’re working with sensitive data. Perhaps have different policies for different employees, depending on the data with which they work. Use technology to your advantage – make sure they’re smart about backing up, working off a centrally located server through a VPN, and using other technologies to ensure that the fewest possible risks are in play. It may also be smart to compensate people for using their personal devices so they understand just how important a company’s stake in their personal device is.
Gillespie: Start by asking if this is something you need to do. There is always an element with something new to rush to it, although it is clear that remote working and BYOD are both things many employees want in order to be able to balance work and home and also benefit from using more up-to-date tech than they would be supplied by work. The concept needs to be thoroughly risk assessed and looked at within the risk tolerances and appetite of the organisation. It may vary depending on job function, so you may have to be aware of managing the expectations of employees who feel this is a right. If it is not appropriate for their function or there is risk beyond the appetite for that function, it should not be deployed. BYOD policy should also cover all employees, as in too many cases we see senior executives being allowed to shirk the policy and use whatever they choose. Given that they often carry the most sensitive information and may also be a target for spear phishers and other criminals, it is vital that senior executives are included and also that they buy in just the same as other users. We know from research that the C-suite is notoriously bad at handling information securely, so it really is vital they are on board with the BYOD culture.
FW: In future, how do you envisage the impact of increased BYOD/telecommuting processes on the relationship between employer and employee? Is BYOD/telecommuting the shape of things to come?
Pfeifle: Alongside Bring Your Own Wearable, how does Bring Your Own Implantable sound? Devices are going to be under our skin, in our ears, in our eyeballs, literally a part of us. As that happens, employers will be forced to accommodate employees or find themselves with a much smaller pool of candidates. Getting a philosophically sound BYOD policy in place now is vital for preparing the company of tomorrow.
Gillespie: Both forms of enhanced working will have a dual effect on the relationship between employer and employee. The choice of working partnerships is going through a subtle but important change as geography increasingly becomes a moot point, and colleagues use online teleconferencing and sharing to work and collaborate. This will remove certain aspects of the work day we have grown used to in some cases: the chat around the water cooler or the shared lunch around a table. That isn’t to say it can’t or won’t be done – indeed some businesses like to make a point of having a ‘facetime’ chat or social with virtual team members to ensure the social part of working isn’t forgotten. This will be of increasing importance and people should not be quick to rule it out as silly or a fad. The isolation of remote working will not suit all people and this needs to be considered when deciding on it as a working culture.
Samani: BYOD reflects the increasing consumerisation of IT and the need for employees to make smart decisions when it comes to company data and their devices. Of the 450 data breaches reported to the ICO in the fourth quarter of 2014, 102 were down to loss or theft and 127 were down to data inadvertently posted, faxed or emailed. There is clearly a need for greater employee coaching to ensure data loss by employee error is kept to a minimum. While steps can be taken to further protect company data, such as the ability to remotely wipe a device or the introduction of advanced encryption, BYOD does suggest a shift in data responsibility toward the employee. The huge advantages of BYOD – flexible working hours, increased creativity and innovation, improved collaboration and increased productivity gains – suggest that BYOD may well become the rule rather than the exception.
Mike Gillespie is the managing director of Advent IM Ltd. He is also director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Strategy Select Committee. Mr Gillespie is a security professional and CLAS (the CESG Listed Advisor Scheme – CESG is the technical arm of GCHQ) consultant of many years’ standing. He can be contacted on +44 (0)121 559 6699 or by email: email@example.com.
Sam Pfeifle is publications director at IAPP and oversees various blogs, books and resource centre items. Mr Pfeifle came to the IAPP after stints overseeing a number of B2B publications, including titles in the physical security, workboat and 3D data capture industries. He began his journalism career with the alternative newsweekly The Portland Phoenix. He can be contacted on +1 (603) 427 9209 or by email: firstname.lastname@example.org.
Raj Samani is actively involved with numerous initiatives to improve the awareness and application of security in business and society. He is currently working as the VP, Chief Technical Officer for Intel Security EMEA. Amongst other roles, he volunteers as the Cloud Security Alliance Chief Innovation Officer and Special Advisor for the European CyberCrime Centre. He can be contacted on +44 (0)20 7608 2500.
© Financier Worldwide