“Bring your own Device” only works without risk to the company if the use of private mobile devices for business purposes is clearly regulated and based on a comprehensive strategy.
Text: Urs Binder, Image: Strandperle,
Personal devices are part of everyday life for virtually all of us. What, then, is more natural than to use your own smartphone, tablet or laptop for business purposes as well – after all, you don’t always want to carry around two of the same device just to make business as well as private calls or to have access to company documents while travelling. And, as market researchers from MSM Research found out in a recent survey, mobility is one of the most important topics in ICT in Switzerland, as elsewhere.
“Bring your own Device” (BYOD) is often initiated by employees and presents various challenges for the whole company. Management, organisation and technology are equally called upon to prevent the uncontrolled proliferation of devices brought in by employees, which entails considerable security risks. With BYOD, companies are experiencing new working methods, and the culture is changing. This fact alone means that BYOD cannot be allowed to remain a simply technical issue; instead, it must be borne by management and embedded in the organisation right from the start.
The question of how the devices should be integrated into the company network always arises; however, this is only one of many issues. Without a strategy which is adapted to the company situation, and without clearly formulated rules, the expected advantages of BYOD – increased productivity and employee satisfaction, improved cooperation and, last but not least, cost saving by eliminating company devices – will not come into effect.
Specifically, BYOD affects several levels in the company:
One thing is clear: private and company usage must be separated on the mobile devices. This is because people are generally less careful about how they deal with private data, whereas business information requires greater security: it is often confidential and subject to certain legal framework conditions. It usually requires data storage in Switzerland – and not, for example, storage in Dropbox or another cloud solution whose server is located outside Switzerland.
Two separate approaches are pursued to ensure this separation. Either the devices are looked after by a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution. A strictly separated area for business use is installed on the device. Exchange of data between the private and business areas is prevented. But even if MDM and EMM present adequate security, business data are still located on a device which can potentially be hacked.
The second approach involves a sophisticated onboarding process for new devices. The users are supported by a digital assistant which secures compliance with password and other governance directives, as well as the configuration of the device. Separation between private and business use is guaranteed by a virtual workplace: business applications and business data are only accessible via access to this virtual desktop, which is secured by strong authentication. All the data are kept in the cloud and are available independently of time or place. If possible, no business data are stored locally on the device.
For the purposes of BYOD, security has two meanings: firstly, the secure, encrypted access from personal devices to the company’s network, supported by strong authentication and a suitably adapted ICT security strategy.
Secondly, the security of the data: only authorised persons are allowed access. In order to ensure this, the company has to know which data are there in the first place. On this basis, the data can be classified according to their confidentiality. Depending on classification, the employees then require different strengths of authentication – for non-confidential, general information, for example, a user ID and password are sufficient, whereas documents including customer data have to be secured with at least one further authentication factor.
At the same time, it is indispensable to sensitise employees continually about security aspects with training and tests – as well as technological aspects, they need to know where it is permissible to work with confidential information and where it is not.
Comprehensive security is, for instance, essential for legal reasons. According to Article 7 of the current Swiss Data Protection Act, the employer must ensure data security by means of suitable technological and organisational measures.
First, give careful consideration to the value that the different data represent to the company. Work out a concept for classification of information and documents.
Work out a clear, codified BYOD policy for employees.
You should only create the technical requirements after it is clear how your company will regulate BYOD.
More on the topic