Risk UK October 2017
‘The Perimeter’, as it was once known, is quickly going the way of the Dodo. Between Bring Your Own Device schemes and the mass migration to the cloud, IT security professionals can no longer rely on the boundaries of their network to be the true borders in their area of responsibility. That being the case, where do they go from here? Adam Jaques offers his take on the matter.
Left To Their Own Devices<br />
Quite predictably, Bring Your Own Device (BYOD) refers to a policy of allowing employees to literally bring their own devices into work and use their employer’s network in order to do their job. It might prove to be a headache for IT professionals inside the host company, but has clearly been quite attractive to management, who often see an opportunity to save money, increase productivity and, ultimately, streamline the working lives of their employees.
This poses tough questions for security professionals. They’ve every right to be worried, too. A panoply of studies show that, time and time again, human error is so often the prime cause of a breach. Further, recent reports have indicated that personal devices on corporate networks are behind many insider threats. In short, BYOD serves up a whole new salad of security variables for IT security professionals, many constituent elements of which may seem tough to digest.
The moving parts that a BYOD policy introduces confront IT Departments with a variety of devices, brands and users and a veritable kaleidoscope of data that can be difficult to manage. You’re not only adopting your employees’ devices, but often the services and Apps that they regularly use as well.
Let’s be clear that BYOD isn’t going away anytime soon. The corporate perimeter is already heading out of sight. Workforces are increasingly mobile and dispersed with the rise of networked technology and the proliferation of ‘Work at Home’ policies. It’s a trend that will be hard to fight. A study by analyst Gartner shows that, by the end of this year, 50% of companies will require employees to use their own devices for work-related tasks.
BYOD: the central considerations<br />
So what do organisations need to think about on the path towards BYOD? Compliance considerations must come before the first draft of any BYOD policy. Industry regulations and standards must be understood along with the issues that concern your specific sector when it comes to IT.
In the healthcare sector, for example, BYOD policy needs to take into account the great wealth of intimately personal data that will flow through users’ devices. For engineering, the policy must recognise the value of the Intellectual Property with which members of staff are engaged on a daily basis.
All of this becomes especially important for European organisations, who will soon face the daunting compliance challenge of the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018. The raft of requirements it will introduce are all backed up by a hefty 4% penalty on global revenue for particularly delinquent proven offenders.
Survey results published by Strategy Analytics have shown increasing fears around BYOD on the part of European businesses, with 10% of those professionals quizzed suggesting they expect the use of BYOD-enabled tablets to decrease with the advent of the GDPR.
The GDPR need not become a hindrance to BYOD adoption, but it does mean organisations that want to allow mobile IT will have to be all the more diligent when it comes to implementation. Even if drafting a policy proves cumbersome, not having one in place will not stop employees from using enterprise IT on their own devices. It will merely leave the business without a structure to accommodate this and risks compliance problems at some juncture further down the line.
Opening up to risk<br />
“There are always going to be some businesses for whom BYOD is inappropriate,” explained Vince Warrington, founder of Protective Intelligence, a consultancy that advises companies on security. “There are always going to be people who struggle with not being able to take their work laptop home, especially if they need to work late or across a weekend to meet deadlines. What they’re more likely to do is e-mail their work to themselves, thus opening up the enterprise to security risks.”
www.risk-uk.com