In June this year, legislation came into force giving all employees – not just parents and carers- the legal right to request flexible working. More and more people are working flexibly, be it from home, the coffee shop or the train, as employers recognise the benefit of adapting working arrangements to suit a more flexible method of juggling the demands of work and life.
More employees are therefore using their own personal mobile devices for work, which meansemployersare seeing the need fora Bring Your Own Device (BYOD) policy. The problem is that many HR departments aren’t aware of the very serious security implications.
Jon Holttum, director of software company Spaggetti and founder of The Open Mobile Security Alliance (OMSA), described BYOD as "hackers’ easiest way into your company via your employees’ pockets or handbags", and it is true. Research has predicted that by 2017 over half of all employers will require or allow employees to supply their own device for work, which will therefore mean a major security headache.
The line between security and privacy is a challenging one to draw; no employee wants to feel that their employer is able to access their personal data if they use their own device for work,but the danger is very real for those companies. If you think about the numerous passwords, keyfobs and secure network loops you jump through on a daily basis to log into your work email (often without realising), do you do the same on your mobile device?
The answer is probably no.
I believe the key is for IT departments and HR departments to work more closely together and develop policies that protect both theorganisation and the individual. HR cannot do this without IT and vice versa – employers look to HR to create, implement and enforce policies, but in the case of BYOD, these policies will only be fit for purpose if they meet the very technical security requirements. Only an IT expert can explain this in a way that brings it to life, so the workforce can understand what is needed – and why. The two departments will need to collaborate to make it work well.
If handled correctly BYOD can increase productivity, flexibility and lead to a more productive and engaged workforce. Here are fourtips from Vista andOMSA, whether you are starting from scratch or reviewing your BYOD policy and approach:
1. Communication: as outlined above, it is vital that all elements of the organisation are working in harmony to shape policy, and this can be best achieved through good qualityinternal communication and sharing of expertise. Neither of the key players in this (IT and HR departments) is likely to fully understand all the issues exclusively. Also, it is important to have a strategy for communicating the importance of your BYOD policy out to all employees. For example, circulating a factsheet on how to get the most out of your device’s security featuresis something worth considering. Set out your expectations of when and how you can have access to your employees’ devices in the policy.
2. Enterprise App Container: it is possible, very simply, to segregate personal and work-related apps and data on the same device. All enterprise apps can be kept in a "container": a virtual, hermetically sealed compartment, with its own passwords and no connection to the rest of the private apps and data on the device. Ask your staff to allow this on their devices as a condition of them being allowed to use their own device for work.
3. Rogue/Unauthorised Apps: free game downloads are a classic Trojan Horse, behind which a sneaky piece of code can be installed on your device which harvests passwords, card numbers, transactions and other data and sends it to remote gangsters. Since you can’t reasonably ban people from installing games on their own devices, there are certain things you can train all staff to look out for. Sometimes a different app will pop up alongside the one you are downloading, (side-loading). It may be something as innocent as a plugin to make the app compatible but it could just as easily be dangerous.You may wish to create some guidelines for your employees about downloading apps and include a term in your policy that requires your employees to follow it.
4. Social networks: whatever your organisation’s policy on social media (as with security, not having a policy is no longer an option), there are two mobile security issues to consider here.
First, assuming your staff are authorised to communicate via social networks on behalf of the company, imagine the consequences if an unauthorised person were to hack their account or steal their device and post something defamatory, discriminatory or otherwise reputation-wrecking.
There is also a more direct security issue. Whenever an individual is connected, theoretically there is a path for a criminal to hack into your data.
Lots of apps now require you to sign in via Twitter or Facebook, which many people might automatically allow despite not knowing the credentials of the app.
Your mobile security policy, and the HR and training procedures that enforce it, should encourage all to be more vigilant and aware of risks like these, and should include simple steps such as requiring staff to close a social applicationbefore using a company application..
Whether basic or highly technical, the challenge with creating a BYOD policyis quite simply to make staff understand why they need to care about these issues. If IT and HR understand each others’ issues and perspectives, this will be achieved.
OMSA haslaunched a free advice helpline for businesses worried about mobile security issues, which can be contacted on 0844 500 8836