BYOD policies are gaining prominence as organisations look to take advantage of increasing enterprise mobility – using mobile technology to enable employees to work and connect from anywhere, at any time.
Enterprise mobility can create great opportunities for organisations to improve their customer service, business efficiency and productivity over time.
However, with the increase in mobile device usage and remote and flexible working, many businesses are finding that staff now expect to be able to use their own devices for work.
BYOD introduces new risks to an organisation’s business and its information security. You should consider these risks carefully before implementing a BYOD policy for your organisation.
How to approach implementing a BYOD policy
The Australian Signals Directorate (ASD) summarises the main security risks of BYOD with the four ‘P’s of enterprise mobility:
- Purpose
- Planning
- Policy, and
- Polish
Purpose
It’s important to take a risk management approach to implementing enterprise mobility.
Organisations should use a risk management process to balance the benefits of BYOD with any associated business and security risks. You’ll need to decide if letting staff use their own devices to access and distribute your company’s information is justified or not.
Planning
Make sure you consider the different options available and make an informed decision. For example, consider:
- which users require enterprise mobility either via agency-owned or personally owned devices, and
- what information these users will need access to, and how they’ll access it.
Policy
Develop and communicate a sound BYOD usage policy based on the risk assessment and business case. The policy should clearly explain expected behaviour for employees and establish the financial and technical support they can expect to receive.
The most effective scenarios are jointly developed by:
- business and legal representatives,
- IT security staff,
- system administrators, and
- the employees themselves.
Including all these groups will ensure your organisation is able to develop a realistic policy and process that all stakeholders are willing to adhere to.
Polish
You should review the usage policies for your organisation and monitor your BYOD scheme regularly.
Legal, financial and security implications of BYOD
Legal implications
Legislation, such as the Privacy Act 2020, can affect whether an organisation is able to implement BYOD in its environment and, if so, what controls need to be implemented to ensure it fulfils its legal obligations. BYOD can increase an organisation’s liability.
If you implement a BYOD policy for your organisation, you’ll need to make sure it’s ready to manage issues like:
- software licensing,
- inadvertent damage to an employee's personal data,
- expectations of privacy in the event of an investigation, Official Information Act request, or incident response.
Financial implications
Organisations implementing BYOD may benefit from reduced hardware costs if employees pay for their own devices. However, BYOD can often result in an overall increase in costs for an organisation, as it may need to:
- technically support a wider variety of devices,
- manage security breaches, and
- cover some of the costs associated with an employee's device.
Security implications
It’s hard to be confident in the integrity and security of devices when you don’t manage them yourself. It may be your staff who keep these devices updated and control what software is installed on them. As such, there are several security implications to consider before implementing BYOD in your organisation.
For example:
- employee devices storing unprotected sensitive data could be lost or stolen,
- employees could use unapproved applications and cloud services to handle sensitive data, and
- employees may lack the IT knowledge and motivation to reduce security risks to their devices.
Additional considerations
It’s worth spending some time with your IT security team to ensure you can answer the following questions as they relate to your organisation.
Protecting sensitive or classified information from unauthorised access
- Does the organisation keep sensitive or classified information in a data centre instead of on an employee’s device – for example, through a remote virtual desktop?
Protecting information on a corporate network
- Does the organisation limit and audit the use of BYOD on the corporate network?
- Is multi-factor authentication used for remote access?
Protecting the device and associated network from malicious software
- Is an employee’s personal operating environment separated from the work environment on their device – for example, using a managed container?
- Does the organisation require security patching, and limit privileges and access to corporate information from BYOD?
Reducing the risk caused by lost or stolen devices
- Does your organisation have the technical and legal ability, and user agreement, to remotely locate or wipe a device?
- Are employees required to regularly back up work data from their device to agency-sanctioned backup servers?
The New Zealand Information Security Manual (NZISM) provides information about the appropriate security controls for BYOD, which can help your organisation take appropriate steps to manage any risks it may introduce.
Section 21.4. Non-Agency Owned Devices and Bring Your Own Device (BYOD) – NZISM
Further information
Device security guidance: Bring your own device (BYOD) – NCSC UK