Companies are putting themselves at risk by failing to implement appropriate ‘bring-your-own-device’ security policies, according to PHS Datashred’s Caroline Williams...
Laptops, tablets and smartphones have altered the daily lives of countless citizens. Accessing the internet whilst on the move has become second nature to many, and users have grown accustomed to working with the same media across multiple devices.
Cloud computing is a term widely used to denote the ability to connect and to synchronise multiple devices over a network. In combination with the advent of smart devices, ‘the cloud’ has transformed the way in which we utilise and interact with computers.
Not only has this new level of connectivity altered how we use technology for social purposes, but it has also transformed how we work professionally. In the current era of austerity, companies are looking to get the most out of their workforces, and in the interests of increased productivity, many have allowed a ‘bring-your-own-device’ (BYOD) culture to emerge.
Today, workers connect their personal smart devices to their employer’s networks, synchronising the way in which they operate but also blurring the line between professional and social use. Whilst this trend has enhanced the capacity of employees to work remotely, it has also resulted in a number of security concerns.
To learn more about the threats posed by the BYOD culture and to find out how companies can guard against potential cyber attacks, I spoke to industry expert Caroline Williams from PHS Datashred...
Could you begin by outlining a few of the benefits offered by the BYOD trend? Why has industry allowed this culture to emerge?
Businesses are doing all that they can to be as competitive as possible, especially within the context of today’s challenging economic environment. This focus has resulted in a shift towards flexible working hours and working arrangements. One side effect of this situation has been an increase in the number of people working from home.
Employees are connecting to company networks using home PCs and other personal devices. When they return to the office, they are sharing documents between personal computers and office desktops. This leaves corporate networks vulnerable to attack. No longer is access limited to company computers; employees are using personal laptops, tablets and smartphones for work purposes, and companies have no control over the level of security employed by these devices.
Are cost savings also a consideration? Is the BYOD culture reducing the need for companies to invest in new hardware?
[Photo caption: Williams contends that the ‘bring-your-own-device’ culture will pose the next major threat to corporate computer security.]
That isn’t something that our experience has shown. Traditionally, businesses have preferred to retain control over the devices used by their employees. In my opinion, the issue is that when companies provide PCs for their workers, they tend to opt for the most cost-effective products. However, workers prefer to use more technologically advanced devices. Many people see laptops, tablets and smartphones as more exciting and attractive than their conventional office desktops. I think that employees have been the predominant driving force behind the emergence of the BYOD culture. Given the choice, most businesses would probably prefer their workers to use standard, cost-effective devices.
Is this where the line between professional and social use is becoming blurred? What, in your opinion, are the major threats posed by workers connecting personal devices to corporate networks?
The dangers are clear to see. People are sharing content between personal devices and company computers. From a cyber-security perspective, personal computers are potentially dangerous devices purely because individuals don’t tend to take the same security precautions that businesses do. People don’t always use virus protection or spam filters on personal computers. If you connect to a corporate network from an insecure personal device, you are opening up that network to a potentially global threat. This makes it a lot easier for somebody to hack into your employer’s mainframe.
Is it the case that companies are generally unaware of the threats posed by the BYOD culture? Do we need to raise awareness about this issue?
It is absolutely vital for us to raise awareness. On the whole, businesses are really good at considering the large-scale issues of cyber security. However, this is a rapidly moving sector and some IT security professionals struggle to keep up. Legislation is also slow to react to new threats.
People are always writing new and ingenious programmes to exploit the weaknesses in cyber-security software. These programmes are often developed to facilitate nefarious activities such as fraud, but people also write them just because they can. This is a fairly new phenomenon and it is constantly evolving. The law is simply too slow to react. It can take years for policymakers to implement new legislation, and in that time, the situation might have completely shifted.
This problem is perfectly illustrated by data protection legislation within the European Union (EU). 18 months ago, it was announced that there would be an update to European data protection regulations in the form of the EU Privacy Directive. This was supposed to be launched in spring of this year, yet it is still nowhere near ready. It’s probably going to be another year before the legislation is implemented.
In a fast-moving sector like cyber security, this simply isn’t good enough. By the time the legislation comes into effect, there will be another threat with which to contend. Over the last 10 to 15 years, we have struggled to deal with a whole host of security issues. It wasn’t all that long ago that paper-based security represented the most significant threat; just look how things have changed. I think that the BYOD culture is going to be ‘the next big thing’ when it comes to cyber security.
So, what can businesses do to protect themselves against the associated dangers of the BYOD trend? Is it possible to simultaneously reap the benefits offered by this culture and maintain cyber security?
Yes, absolutely. The first thing for any business to do is to quickly but effectively implement some sort of data protection policy. This is important for many reasons. Not only will it educate employees about the potential dangers of bringing their own devices to work, but it will also provide central, cohesive guidance on the precautions that should be taken. All employees should be involved in this process. If you want to encourage people to bring their own devices, you need to advise them as to what constitutes acceptable use. Obviously, checks must be in place to ensure that correct procedures are followed, but employees should also be made aware of the potential problems that can arise from failure to comply with best practice. Education is crucial.
Secondly, companies need to invest in data security. They can do this either through outsourcing or by employing qualified in-house staff. If a business is looking to outsource, it should take care to ensure that its supplier is fully accredited. If a company fails to take sufficient measures to check its supplier’s credentials, it can be held accountable for anything that this service provider does or doesn’t do.
Even so, through a combination of thorough education and robust data protection measures, businesses can take advantage of the increased productivity offered by the BYOD culture whilst maintaining the security of their systems.