It’d been a number of years since the initiative of Bring Your Own Device became a hot topic in the cybersecurity world. I’ve worked with companies around the Manchester and Liverpool areas for some years, and the popularity seems to have now peaked. In that time we’ve seen it grow from a reaction to a problem – where people were using their own devices to carry out company business without the knowledge of the company – into a possible benefit for both the company and its employees. The company ends up spending less on devices, while the employee is able to use their own choice of technology which may fit better with the way they work.
But have all of the difficult questions been answered yet?
It’s easy to find examples online of good BYOD policies. They cover off many of the areas which were unclear in the early attempts at governing the whole concept. But there are still a number of questions that remain, and which still may need to be tested in court before a clear answer emerges, because at present there is no legal guidance on where the line is drawn on certain responsibilities.
- A question that I had a few years ago was “How do we deal with data usage on BYOD devices?”. If for example, there is a company policy that allows “reasonable” personal usage of a BYOD device during work hours, but those working hours happen to be remotely-based at a conference or exhibition, what happens when the 3/4G data usage has been exhaused for the month? Is it right that the employee should pay for the additional data needed to carry out their duties if they have used a certain amount already on personal browsing? How do we begin to quantify the amounts of personal metered data connections (such as 3G/4G) across a large group of users.
Other questions which frequently come up are:
- What happens with GPS data – can I be tracked when I’m outside work?
- This is an easy to answer question – yes, if your personal device is being used for work purposes, and includes the mobile device management software that the company uses, then your location is available to the company 24 hours a day. Depending on how privacy concious the individual is, it might not be an issue for them, but it’s not enough to leave it there. What if the company checked up on a staff member’s location during a sick or personal day? What would the consquences be for all involved if it turned out they weren’t in an “expected” location such as ill at home?
- Can my personal data be accessed by company IT admins?
- It could be that a device is inadvertently wiped by a remote administrator, but what would happen next if the wiped data included images which were of value to the owner of the device – family photos which couldn’t be replaced? It’s fine to have a policy stating what is and isn’t accessible in an emergency, such as in the case of a stolen device, but what happens if a mistake is made?
- Internet access.
- Blocking access to websites which are inappropriate for work is fine during the 9 – 5 working week, but what about outside those times? What happens if the device owner views offensive material on the device outside these times but in the presence of another company employee. Could that other employee raise the issue with the company?
- Logging of app usage
- Employees may not want their managers to be able to see which apps have been in use outside of work. How could this be handled?
It seems that many of these headaches could easily be addressed by going back to the company-owned device route. If an employee is not happy to carry their own device in addition to a company-owned one, then BYOD might be an option they sign up for with the understanding that all related activity/location/usage can be seen by the company.
Another solution is VDI – virtual desktop infrastructure. Staff would need to connect to the company network while working, but since the data resides on company-owned servers, there is less risk of data leakage, and no risk to employee privacy.
What do you think of these issues? Is there a better way of handling this? Let us know in the comments.