Dealing with the risks of the BYOD phenomenon

The practice of employees bringing and using their own devices at work has seen a more rapid uptake in Oceania than elsewhere. Related: BYOD here to stay

Specifically, nearly half (48%) of respondents in this part of the world said that their enterprise allows employees to 'BYOD' - Bring Your Own Device.

At the same time, almost precisely the same percentage (47%) thought that the risks of BYOD still outweighed the benefits, compared with 22% who thought the opposite. The predominant view appears to be supported by a recent piece of research conducted by Virgin Media Business. In 2012, just over half (51%) of secure IT networks in the UK were breached as a result of employees using personal devices for work-related activities, according to the 500 CIOs that were interviewed.

The same report also warned that there will be an influx of new tablets in offices at the beginning of this year. There is a clear need to focus on the security of BYOD in 2013.

In response to concerns, the European Network and Information Security Agency (ENISA) has released a report that suggests strategies, policies and controls to mitigate the potential risks posed by BYOD. The report’s authors, experts from both public and private sectors, came from Ireland, Spain, Italy, the Netherlands, and the UK.

The authors acknowledge that there is no single solution that will work for all organisations. However, they conclude that the policies, controls and good practices that they suggest do provide a solid foundation for the development of risk mitigation in any organisation that allows employees to use personal devices while on the job.

ENISA’s six key messages:
 

1. Ensure that governance aspects are derived from business processes and protection requirements and are defined before dealing with technology.
    
2. End-user involvement can effectively mitigate risks. Awareness raising on COIT programs is highly effective for the enforcement of security policies.
    
3. Periodic risk assessment on COIT programmes should be undertaken to ensure that security policies remain compatible with evolving technologies.
    
4. Keep in mind that encryption complements but does not replaces strategic risk management within a COIT program.
    
5. Perform small steps initially and proceed with more complex policies when sufficient experience has been gained.
    
6. It is important to identify which COIT risks need to be mitigated within your organisation while the window of opportunity still remains open.