RSM South Africa

The need for concern over BYOD

Over recent years, you would have heard the term BYOD mentioned with increased frequency. So it would be natural to ask oneself: “What is BYOD, and why is it garnering so much attention?”

BYOD is an Information Technology acronym that stands for “Bring Your Own Device”. It applies when an employee utilises his/her personal device, be it a smartphone, tablet or personal laptop, to access their organisation’s network, data and systems. It is the aforementioned access that poses threats to information security.

The above threat exists because the personal device being used by the user to access the organisation’s network and the data stored therein is just that, a personal device. It is owned by the employee and not the organisation, and the organisation has no control over how, where, when or by whom the device is used.

At this point many of you may think that BYOD does not apply to you because you do not use your personal laptops to perform work-related tasks or access the organisation’s network. To this my reply would be: “Do you own a smartphone or tablet, and if so, do you access your corporate email account via this device?”

One of the most common forms of unmanaged BYOD usage is access to corporate email accounts from personal devices. A user may not think that this is a problem. However, consider the confidentiality and sensitivity of the information communicated via email, and what the consequences would be if that information got into the wrong person’s possession. You might now have a different view. In addition to the aforementioned example, consider some of the following scenarios:

  • Do you utilise your personal mobile device to access the company’s Wi-Fi network? Examples of such usage may be for remotely accessing the organisation’s server or downloading or updating applications.
  • Is the information stored on your device not encrypted?
  • Do you leave Bluetooth switched on on these devices?
  • Is your device set up to not require secure authentication (a PIN code or password)?
  • Is there no anti-virus application installed on your device?

If you answered yes to any of the above questions and the personal mobile device is lost, stolen or even hacked, the security of the data stored on these devices, as well as the security of the network connections to corporate and private networks, is compromised.

The aforementioned threat posed by a BYOD culture can be managed by an effective BYOD policy which includes adequate controls for the securing of mobile devices.

For organisations that allow the practice of BYOD, it should be noted that although the organisation does not own the personal devices that may be used by the employees, it does not then mean that they have no control over the access that these devices have to the organisation’s data. Organisations can implement a BYOD policy that makes the implementation of security controls on these personal devices a requirement for access to an organisation’s network, data and systems.

Failure by organisations to consider the impact of unmanaged BYOD usage, and the absence of an effective BYOD policy, can pose a significant threat to an organisation’s sensitive data and its networks.

Thilen Pillay

Manager | Risk Advisory Services, Johannesburg
