More organizations than ever are looking for ways to cut overhead costs. Some are giving their employees the option to work remotely. Others are allowing them to use their personal devices (e.g. laptop, cell phone) to do their work on, in place of a company-owned device.
Although adopting a Bring Your Own Device (BYOD) policy might allow your company to scale and pivot as you grow, it also comes with tremendous risk on the security front. As more global organizations choose to adopt BYOD, they invariably come into contact with the General Data Protection Regulation (GDPR), which requires the protection of personal data that flows through a company’s network.
As such, it would be best to consider developing an ironclad, yet flexible BYOD strategy to ensure your organization doesn’t get hurt by potential GDPR compliance mishaps. Let’s run through the potential issues with BYOD and GDPR and point you in the right direction towards keeping your network data safe while decreasing your risk of hefty GDPR compliance fines.
What’s the Deal with GDPR?
Ever since GDPR became law in the U.K. on May 25th, 2018, it has invariably increased the risks of BYOD in the workplace. As soon as GDPR was given the green light, it immediately enhanced the rights of individuals with regard to their data and increased the legal responsibility on businesses to keep consumer data secure. GDPR also gives the Information Commissioner’s Office (ICO), which is in charge of upholding information rights in the interest of the public, the power to fine organizations for breaches and noncompliance.
The same day that the ICO was put in charge of policing GDPR consumer data rights, it published guidance based on the Data Protection Act 1998 on data protection issues for employers who adopt a BYOD approach. Unfortunately, this guidance has not yet been updated to take GDPR into account, but many of the practical points it makes are still valid and useful.
BYOD and GDPR
All in all, GDPR is focused on visibility when it comes to consumer data. The ICO wants to know where that data is, where it’s going, and who has access to it at all times. Organizations that lack network-level visibility because they operate in a BYOD environment also lack any understanding of where the data is as soon as an employee’s device walks out the door and off their network.
Research from Sytonic in 2016 showed that even before GDPR was implemented, organizations were well aware of the security implications of a BYOD approach. The study found that 61% of respondents viewed mobile devices as less secure than fixed devices, but said that security measures aren’t always consistent.
According to the GDPR, the data controller must be in control of the data at all times. This is made nearly impossible when the controller does not own the device that is accessing and/or storing the data from the company’s network. As the share of mobile website traffic accelerates, IT teams are becoming considerably more concerned about how mobile devices can secure corporate data while the organization maintains high visibility over the traffic those devices receive.
BYOD Potential Risks and Benefits
A 2016 report from Tech Pro Research found that 59% of organizations allow employees to use their own devices for work purposes, with another 13% of companies planning to allow BYOD use within the next year. As more research is released, businesses continue to see how their organization might benefit from integrating a BYOD approach to aid their growth initiatives. Here are some of the most notable benefits and risks that businesses shoulder once they have integrated a BYOD approach in their organization.
BYOD has been shown to add an element of technology flexibility to organizations, which is preferred by companies that operate under extremely strict client deadlines. Most of the time, these companies don’t have the budget to provide their employees, contractors, and freelancers with their own desktop and laptop PC along with a mobile device (cell phone and tablet). Instead of locking productivity down to a single location, BYOD allows businesses to pursue a multitude of benefits such as:
- Increased flexibility and efficiency in working practices.
- Improved employee morale and job satisfaction.
- Reduced business costs as employees invest in their own devices.
When it comes to worker productivity, the embrace of BYOD has been a relatively good thing for businesses. Unfortunately, we live in a world where cyberthreats loom large, and a single data breach could result in huge fines and reputational damage, which can leave enterprises in shambles if they do not prioritize network security in their BYOD strategy.
Even though employees believe that they are more productive and efficient when using not only their device of choice but also their preferred software and apps, there are significant risks to choosing this route over a more closed, company-controlled environment. The fact remains that we continue to see a boom in BYOD that is in line with a comparable upsurge in cyberattacks and thefts of intellectual property stored on personal mobile devices.
Overall, the use of personal mobile devices for business purposes increases the risk of damage to a business’s:
- IT resources and communications systems.
- Confidential and proprietary information.
- Corporate business reputation to both clients and customers.
- Customer and employee data which can lead to class action lawsuits that can cripple companies.
As we can see, BYOD increases the risk of a breach of an organization’s data, since IT teams aren’t able to get a handle on an employee’s device beyond the user’s API calls. If a malicious actor were to gain access to the device, they would then have the keys to the kingdom for all network information. A breach of this magnitude could be carried out by phishing the employee’s credentials, through a breach of the service itself, or simply by an employee with malicious intent.
With BYOD, an organization’s platform instantly becomes fragmented to support the devices added to the network. This level of platform fragmentation in a BYOD model presents a tremendous security and support headache for any organization, because it is nearly impossible to configure standardized platforms and services that ensure the sustained safety of user data.
This is where GDPR comes into play. Each data breach incident in a BYOD environment leaves the organization incapable of identifying the breach, remediating the threat, and notifying the proper authorities. Under GDPR, the company would be held liable for any and all of these compliance mishaps, even in the event of employee negligence or malicious intent.
Data Security in the Hands of Employees
One of the most difficult but important decisions that BYOD places on an organization is hiring the right employees who understand how important data security is to the company. Handing control over to your employees means entrusting them to remain entirely vigilant, to self-educate, and to make corporate security their priority, even over personal convenience or preference.
If employees are tasked with buying their own devices for the workplace, they might opt for low-cost models from manufacturers that may not make the wisest security decisions. This is why it is extremely important for companies to do their research on finding the most compatible and secure devices for their employees to use, and to ensure that employees are well trained in identifying malware and in avoiding a breach.
The BYOD culture opens up a long series of system endpoints that form both potential entry points for attackers and additional data storage and access locations that need to be accounted for. Companies that do not maintain the necessary visibility and control over their employees’ devices at the data level expose themselves to an exponentially higher risk of a data breach.
Possible Workarounds for BYOD Issues
When organizations issue a corporate phone to a new employee, they monitor the device’s activity in line with their company policies in order to keep its data safe from hackers. When the device is owned by the employee, however, it’s not that simple to gain that level of control. This is because a good portion of employees in a BYOD environment will most likely refuse to have a backdoor program installed on their device(s) to monitor their online activity, as that may be perceived as an invasion of their privacy.
Organizations that are looking to orchestrate BYOD policies have been known to implement device-level monitoring via Enterprise Mobility Management (EMM) tools that give them application- and device-level management control. Unfortunately, these tools are not a plug-and-play solution to all the organizational data issues that occur with a BYOD policy, as they can neglect network-level control. This is why the best BYOD solutions are ones that offer diversified support on many levels for organizations looking to gain greater oversight of their data visibility through the development of a policy that is in line with GDPR.
The BYOD GDPR Policy
Since the authors of the GDPR legislation haven’t divulged much information on how to go about execution, business leaders may feel as though they are left in the dark as to how they can and should comply. It is for this reason that having a clear BYOD policy that is regularly audited and monitored for compliance is of paramount importance.
Educating employees so that they fully understand their responsibilities and how to properly connect their devices to the company IT systems will help you stay GDPR compliant in your BYOD environment. Alongside your BYOD policy, it would be best if your organization creates and maintains an Acceptable Use Policy that applies to all employees, interns, contractors, vendors, and anyone else using company assets. This type of policy helps to minimize the risk of unauthorized or unlawful processing of data and of the accidental loss or destruction of personal data.
A research report by Global Markets Insights Inc in 2016 found that the BYOD market is on target to reach nearly $367 billion in value by 2022 (that’s more than 10 times its $30 billion value in 2014). This increase in the value of the BYOD market means that developing policies for mobile devices and cloud apps, which are becoming more complex every day, is that much more important, because the expanded attack surface could pose a myriad of security issues. This is why there must be a clear distinction between data collection and monitoring within the entire organization, to ensure IT team support for the execution of new BYOD policy initiatives.
As teams continue to collaborate and communicate with each other on the organizational goals of BYOD and GDPR, they must also ensure that their actions are aligned with the terms for processes and technology defined by the stakeholders. Seeing the potential risks of BYOD in real time with legacy IT isn’t really an option, since that infrastructure is only meant to protect data that travels outside of the enterprise and into the cloud. This is why assessing these potential risks as holistically as possible will help your organization enforce its BYOD GDPR policies and provide unique data protection to every user.
Building an Effective BYOD Strategy
From a business perspective, enabling BYOD is an advantageous strategy. Allowing a range of devices to process personal data held by an organization comes with many benefits, including improved employee job satisfaction, increased efficiency, and increased flexibility. While BYOD protocols have important benefits from an operational perspective, from a security standpoint, having a slew of additional devices connected to company networks creates a huge liability.
Part of any effective BYOD strategy needs to be ensuring ease of use that’s compatible with security protocols. Ensure that your employees’ user experience isn’t affected negatively by the implementation of stringent security protocols. It is also best to always have a company help desk at your employees’ disposal, so that if they get locked out of the network it doesn’t cause a loss in their overall productivity.
GDPR requires companies to keep a tight handle on personal data collected from clients or face heavy fines. This is why it is extremely important to ensure that data on corporate computers and accounts has the same level of security as data handled on personal devices. This is exceedingly difficult and time-consuming to implement, but seeing that GDPR compliance isn’t exactly optional, we can see how the juice is worth the squeeze.
Somewhere down the line after you implement your BYOD policies, employees may begin to look for ways to circumvent your security protocols. It is at this point that BYOD strategies need to be supplemented with oversight protocols that allow the organization to maintain GDPR compliance as new regulations continue to be released and/or updated.
RSI Security is an expert in helping organizations achieve GDPR compliance in all environments, whether or not your company has a BYOD policy. Contact us today!