Is GDPR the end of Bring Your Own Device?
Bring Your Own Device Bring Your Own Device (BYOD) is now an accepted part of our business lives. There are a number of advantages to be gleaned in allowing BYOD but the major disadvantages revolve around security. With the new General Data Protection Regulations (GDPR), data security is more sharply in view than ever. But with the rush to gain subscribers consent is BYOD the unrecognised GDPR headache? And could GDPR even spell the end of Bring Your Own Device for some firms?
What is Bring Your Own Device?
BYOD refers to employees who bring their own devices to work with them and use them in addition to or instead of company-supplied devices. This includes smartphones, laptops and tablet PCs.
BYOD may occur under the radar. Some businesses may even provide payment to employees toward the purchase of a device.
It’s thought that 72% of UK businesses have embraced BYOD, however only 54% have formal BYOD policies (Teiss.co.uk, October 17). Many more businesses may have ‘informal’ BYOD arrangements, or simply don’t know that staff are using their own devices!
What’s this got to do with GDPR?
GDPR is, at it’s heart, about data protection. Principles 1 to 6 look at how data is collected, kept up to date, removed etc. But Principle 7 is all about security. There is no point getting your consent in place, knowing exactly what you have and having all your policies sorted if you are not going to secure the data you’ve got.
There is lots you can do to protect your data. We’ve talked before about some of the main ways in which technology can help. However, we’ve long believed that mobile devices could be the security Achilles heel for many businesses.
Whilst businesses, and especially those with IT Support, will have in place firewalls, antivirus and the like to protect their internal IT structure – how many think about the devices that leave their premises in the pockets and bags of staff each day?
Do they know how many mobile phones carry work emails with no password? Or how many laptops are connected to open Wifi networks in Starbucks and McDonalds up and down the country? What about how many iPads are used to access employee or customer databases from home in the evenings or at weekends? All of these present a security risk.
How can you secure BYOD devices?
As with much surrounding GDPR it’s through a combination of policy and technology.
A Bring Your Own Device policy is your starting point. There are a number of templates and example policies available but do use them only as a starting point. This is a policy for your business and should be personal to you.
It may be worth consulting employees on the BYOD policy. It’s them who will be able to tell you want devices they are using and why. They’ll also be able to tell you what they might want to be able to do in the future.
There is one very sensible rule of thumb that applies to all businesses – store as little data on personal devices as possible. If employees must have access make it available via a VPN (Virtual Private Network) or hosted desktop solution. That way the data is accessible on the device but stored somewhere much more secure.
Once you’ve got an idea of what you and your employees want from BYOD and you’ll be able to find the technology needed to protect your data.
For example, if staff simply want access to email then Office 365 provides full functionality with security built in, including the ability to remote wipe.
If you’ve got a more wide-ranging set of equipment and uses you might need to look at Mobile Device Management (MDM) software.
Is it worth it?
It’s a good question and one only you can answer. However, businesses that steer away from BYOD because they fear it will cause a data breach are wrong to do so. Not allowing BYOD might well restrict the productivity of employees and there is no reason why a well-managed and well-understood BYOD policy should increase the risk of a data breach.
The problems will lie with companies who ignore BYOD, and mobile devices in general, within their risk assessments and data protection arrangements.
How We Can Help
We support organisations to achieve the Cyber Essentials standard. Cyber Essentials is a government backed cyber security certification scheme. It sets out a good baseline of cyber security suitable for all organisations in all sectors.
If you’re concerned about any aspect of your IT Security we offer a FREE cyber security assessment to East Midlands based businesses.
To take advantage of this offer call us on 0115 822 0200 or contact us today.
15-minute response time
NO LONG-TERM CONTRACTS
Low Risk & Complete Flexibility
An Extension of Your Business