In early October, the UK government updated a collection of guidance notes they had issued on ‘bring your own device’ initiatives (BYOD). Given the increase in employees using their personal devices to connect to their employers’ systems, employers in both the private and public sector will welcome this guidance.
The ‘BYOD Guidance: Executive Summary’ describes eight key security aspects for businesses to consider “to maximise the business benefits of BYOD whilst minimising the risks.”
To help organisations design their network security effectively and minimise these risks, the ‘BYOD Guidance: Device Security Consideration’ document recommends that organisations consider authentication and the protection of data both in transit and at rest. To protect internal services from attack via personally owned devices, the ‘BYOD Guidance: Enterprise Considerations’ document provides various recommendations, including a ‘walled garden architecture’ approach, which involves four steps to help protect an organisation’s network.
To help organisations decide on the most suitable architectural approach to best match their business, cost, and security requirements, the ‘BYOD Guidance: Architectural Approaches’ document explores common BYOD scenarios and associated risks that an organisation may face when using personally owned devices to access enterprise services and data. These new government guidance notes include information tailored to different operating systems.
The Communications-Electronics Security Group recommends that the collection of guidance notes be read in conjunction with the guidance on ‘bring your own device’ issued by the ICO in March 2013, which we reported on at the time.
While the cost of BYOD controls can be substantial, those costs may pale in comparison with the reputational damage caused by serious data breaches, or the loss of an organisation’s proprietary and confidential information. Furthermore, in the event of a serious data breach, the Information Commissioner’s Office may use its enforcement powers to issue a monetary penalty of up to £500,000.