Guidance on Bring Your Own Device (BYOD)

What is Bring Your Own Device? 

Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own laptops, tablets or phones for work purposes.

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope for Cyber Essentials. This does not include mobile or remote devices that are used only for text messages, voice calls or Multi-Factor Authentication applications. This means that if you have a mobile phone that you use to text or speak to work colleagues and receive MFA codes, but you do not use it to access your work emails or files, then that mobile phone is out of scope. If you use a mobile device to access your work emails, that device is in scope.

Although there may be significant financial savings to be had by allowing staff to use personal computers and phones for work, there are also some serious risks to an organisation’s security and privacy.

By allowing remote access to your company from devices that you do not control (non-company-owned computers and phones), you increase the risk of material being used by someone for purposes you have not authorised or agreed to. Company information could be copied, modified, transferred to your competitors or simply made public.

For example, while a member of staff is working from their own computer, it is possible that a social media app recently downloaded or already active could access and use the work contact database, sharing identifiable information of clients which, by law, would need their consent to pass onto a third party. This could inadvertently result in a *data protection violation.

Another risk is that the owner of the computer may install apps from insecure sources, perhaps without realising the risks, and this could leave your company files vulnerable to attack by *malware. Failing to update a device can also leave it open to security threats.

Your employee who owns the computer may leave their device lying around unsecured (after all they may be working from home). They may allow friends and family to use it. Other issues include controlling the content and access of a private device if your employee leaves your company or sells their device, and erasing your company information if the device is lost or stolen.

There are some simple things you can do to take back control and protect your company’s information.
The easiest thing you can do is write and enforce a Bring Your Own Device (BYOD) policy. This might be in addition to, or incorporate, other key policies such as an IT Acceptable Use Policy, IT Security Policy and Mobile Working Policy.

A BYOD policy does not have to be a complicated document, but it should address the use of personal devices that connect to organisational networks, whether physical or cloud services, e.g. Microsoft 365. In relation to apps, the policy is only concerned with those apps that interact with organisational data and services.

The employee/owner of the device must understand and accept the terms and conditions of the BYOD policy. Inclusion of their BYOD device is conditional on their compliance with the rules.

Here are some suggestions that could be included in the policy:

The Operating System and apps must be fully supported by the manufacturer and receive security updates.
Software based firewalls are activated and configured correctly.
Security updates must be installed within 14 days.
Cyber Essentials password controls are applied to users' own devices (BYODs).
Users logging in on computers and tablets have a day-to-day account, and this is separate from the administrator account.
The device automatically locks when not in use and requires a 6-digit or longer PIN/passcode to unlock (use a biometric* if available).
Anti-malware software is installed on devices and kept updated or, for a mobile device, only apps from the manufacturer's respective store are allowed to be installed.
Unused apps should be uninstalled.
If the device is lost or stolen, it must be reported to the business promptly.
*Rooting or *Jailbreaking is not permitted.
A remote erase and tracking app must be installed and activated so you can track a lost device, lock access and erase data. Obtain written consent in advance from the device owner to remote wipe the device in the event of loss, theft or termination of employment.
Clarify how, when and why monitoring will take place and require the device and passwords to be delivered up on reasonable request.
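As an added illustration (not part of the original guidance), the following Python script turns the scope rule above (a device used only for texts, calls and MFA codes is out of scope; any access to email or files brings it in) and the suggested policy rules into a checker that can be run over a device inventory. The inventory records, their field names and the sample values are all constructed for this example; they are not a real MDM export format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Union

# Thresholds taken from the policy suggestions above.
PATCH_WINDOW_DAYS = 14        # security updates must be installed within 14 days
MIN_UNLOCK_PIN_LENGTH = 6     # 6-digit or longer PIN/passcode to unlock
# Uses that, on their own, keep a device out of scope (texts, calls, MFA apps).
OUT_OF_SCOPE_USES = {"sms", "voice", "mfa"}


@dataclass
class Device:
    """One row of a hypothetical BYOD inventory; every field is assumed, not an MDM schema."""
    name: str
    uses: Set[str]                   # e.g. {"sms", "mfa"} or {"email", "files"}
    os_supported: bool               # OS and apps still receive vendor security updates
    last_patch: date                 # when the most recent security update was installed
    firewall_on: bool                # software firewall active and configured
    separate_admin: bool             # day-to-day account distinct from the admin account
    unlock_pin_length: int           # 0 means no lock configured
    antimalware_or_store_only: bool  # AV installed and updated, or store-only app installs
    rooted_or_jailbroken: bool
    remote_wipe_enabled: bool        # remote erase/tracking app installed and activated


def in_scope(device: Device) -> bool:
    """A device is out of scope only if everything it is used for is texts, calls or MFA.
    Any access to organisational data or services (email, files, ...) brings it into scope."""
    return not device.uses <= OUT_OF_SCOPE_USES


def check_policy(device: Device, today: date) -> List[str]:
    """Return the policy rules an in-scope device fails; an empty list means compliant."""
    findings: List[str] = []
    if not device.os_supported:
        findings.append("OS or apps no longer supported by the manufacturer")
    if (today - device.last_patch).days > PATCH_WINDOW_DAYS:
        findings.append(f"security updates not installed within {PATCH_WINDOW_DAYS} days")
    if not device.firewall_on:
        findings.append("software firewall not active")
    if not device.separate_admin:
        findings.append("day-to-day account not separated from administrator account")
    if device.unlock_pin_length < MIN_UNLOCK_PIN_LENGTH:
        findings.append(f"auto-lock PIN/passcode shorter than {MIN_UNLOCK_PIN_LENGTH} digits")
    if not device.antimalware_or_store_only:
        findings.append("no anti-malware and app installs not restricted to the manufacturer's store")
    if device.rooted_or_jailbroken:
        findings.append("device is rooted or jailbroken")
    if not device.remote_wipe_enabled:
        findings.append("remote erase and tracking not activated")
    return findings


def assess(devices: List[Device], today: date) -> Dict[str, Union[str, List[str]]]:
    """Map each device name to 'out of scope', 'compliant', or its list of findings."""
    report: Dict[str, Union[str, List[str]]] = {}
    for d in devices:
        if not in_scope(d):
            report[d.name] = "out of scope"
        else:
            findings = check_policy(d, today)
            report[d.name] = findings if findings else "compliant"
    return report


# Constructed sample inventory (not real devices) to exercise the rules.
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    # Used only for calls, texts and MFA codes: out of scope even though it is rooted.
    Device("phone-a", {"sms", "voice", "mfa"}, True, TODAY, True, True, 4, False, True, False),
    # Reads work email: in scope, and its 4-digit PIN fails the lock rule.
    Device("phone-b", {"mfa", "email"}, True, TODAY - timedelta(days=3), True, True, 4, True, False, True),
    # Laptop editing work files, patched 20 days ago, firewall off, no remote wipe.
    Device("laptop-c", {"files"}, True, TODAY - timedelta(days=20), False, True, 8, True, False, False),
    # Fully compliant laptop.
    Device("laptop-d", {"email", "files"}, True, TODAY - timedelta(days=10), True, True, 12, True, False, True),
]

if __name__ == "__main__":
    for name, result in assess(SAMPLE_DEVICES, TODAY).items():
        print(f"{name}: {result}")
```

The scope test is deliberately strict: a device is excluded only when every recorded use is one of texts, calls or MFA, so a phone that also reads work email is assessed against the full list. Note that the rooted phone "phone-a" produces no findings simply because it never enters scope, which mirrors the guidance but is worth remembering if that phone's use later changes.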

For further risk reduction

Container Apps or Managed Apps are types of software that separate company data and personal data on the device and would enable the organisation to limit monitoring and remote wiping to company data only.

Mobile Device Management software (MDM) allows you to monitor, manage, and secure employees’ mobile devices. There is a range of price models available for this software.

Desktop virtualisation software, such as Citrix, allows employees to securely access data stored on the corporate network using their own device. Organisational data is accessed remotely and stays on a secure server. It may be necessary for employees to agree not to copy company data onto their own device. (See the guidance on virtualisation.)

So, before allowing private computers and phones to access your company information, be aware of the hidden costs (subscription, updates, limitations) and risks around your data and make a balanced judgement. If this is a subject you need support with, seek advice from an independent IT security service company.

Definitions

*The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Strict laws determine how you store people’s contact details and personal information.
*Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network.
*Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, that can be used instead of or in addition to passwords, to make human identity authentication more secure.
*Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. Jailbreaking is generally performed on Apple iOS devices, such as the iPhone or iPad. Jailbreaking removes the restrictions Apple puts in place, allowing you to install third-party software from outside the app store. Essentially, jailbreaking allows you to use software that Apple doesn’t approve.
*Rooting is the process of gaining “root access” to a device. Similar to jailbreaking, but this is generally performed on Android devices.