BYOD Brings Benefits, but Don’t Ignore the Risks: ISF

By Michelle Maisto

Whether an individual or the organization owns a device is a detail with important consequences. Still, many organizations haven’t addressed the matter yet, said ISF in its new report, “A Practical and Effective Approach to BYOD.”

Considerations should include day-to-day management and device end-of-life (will the user sell it?); where the user takes the device and who has access to it (is it used in a bar? do the kids get to play with it?); and what level of respect is it shown (is it treated less carefully than a user-owned device? is it used to access inappropriate content?).

Focusing on securing information, not devices, as a guiding principle for considering risk within a BYOD program “can bring a great deal of clarity to decision making,” says the ISF report. Focus on usability and scalability, not device-specific measures.

Some risk will have to be involved. Consider the need for, and costs of, training employees and educating them, says the ISF. Also, “clarify the balance to be struck between trust-based policy controls and technical controls.”

Consider which groups will be using which sensitive information, advises the ISF. While some risks will need to be accepted, identify which are “outside the organization’s appetite” and “have them signed off and recorded in the risk register.”

Organizations may find it inappropriate to add particular controls to a device they don’t own—which will lead it toward policy controls, which are generally less effective. In return for implementing a BYOD program, an organization may just have to accept greater risk in some areas, says the ISF.

Organizations need to consider what’s within their rights to monitor, or even to record. Also, is personal information protected along with business content, and if not, have employees been made aware of this?

An organization should ask itself whether training and awareness alone are appropriate to the risks taken. Further, are there ways to enforce an acceptable-use policy? And, are the controls in place encroaching on the benefits of using a personal device for business?

Organizations that have deployed laptops, and worked with contractors and other parties that have brought in their own laptops, shouldn’t ignore the lessons learned from those experiences. Consider using a “laptop test,” asking, “Do we implement this control for laptops?” states the ISF report.

Clarifying where an organization stands can include undertaking a “high-level risk assessment that can form the basis for future deployments,” states the report. Another way is to “compile and deploy an overall BYOD policy and acceptable-use policy.”

“A well-organized attack … can exploit BYOD devices by using them as a stepping-stone of an attack against an organization,” says ISF CEO Michael de Crespigny. “BYOD initiatives present considerable challenges, and today’s executive must embrace these technologies or risk being sidelined by those more agile.”