BCS recently held a roundtable debate to discuss the security implications of the ‘bring your own device’ approach (BYOD). The debate was chaired by Brian Runciman MBCS with Louise Bennett FBCS CITP, Chair of the BCS Security Community of Expertise and Henry Tucker MBCS, Editor-in-Chief of ITNOW.

Why are organisations pursuing these sorts of policies now?

LB: I think they are pursuing them for three reasons. One is that staff like it because frequently they have better, more intuitive devices of their own at home than they are given at work. Second, because it can actually work out cheaper and thirdly for productivity reasons.

Do you think that an organisation that takes this sort of approach is more attractive to people when they are being recruited?

HT: I think so because everybody just wants the tools to get their job done. You don’t want any obstacles that stop you getting your work out as quickly and effectively as you can.

So if you’ve got a phone that, for example, you can’t access your email very easily on, you’re going to sync your phone. Perhaps you have an iPhone or whatever - you will sync your work email on your personal device.

Obviously the issues we are concerned with here are the security issues involved. One of the articles I read when doing research mentioned a kind of plug and play mindset. So for the IT department, what does a plug and play mindset cause for them?

LB: I think that the question of security is always one of having the security that is appropriate for whatever your business is. So different businesses will need to do different things. I think from a security perspective you’ve got to look at the risks to your organisation. You’ve got to make clear decisions about what you’re going to allow people to do on their own devices and have a policy that supports that. And this is not impossible: an increasing number of companies are actually producing data that allows you to have a federation of lots of different devices.

I think some of the key things are that you have got to use encryption properly, you’ve probably got to partition the individual’s own device so that there is a partition that has your work on it and another that has your personal things on it so that they are separated.

HT: A while ago I spoke to a company that produces software to partition devices and basically they were saying that when an IT department would install this on your own phone the person would then have to sign something to say that they agree they are using their own phone for business use, but that should they lose it, everything on that device would be wiped.

Because they are bringing the device into the company, effectively between 9 to 5, it becomes a company device and therefore a company liability. Is this as much a policy/HR procedure as a security/IT issue?

LB: I think it is definitely an HR procedure, you have got to have people agreeing to do it. In many cases you can actually delete the things on the partition that you’ve got your work on, rather than everything, but I think in fact some individuals would be quite pleased to have everything wiped if they truly had lost their device. You hope that they have backed up their personal things in the same way that the work stuff is being backed up.

I read a survey recently saying that 20 per cent of mobile phones in this country get lost or stolen every year and most people haven’t got any kind of security on them at all, or any kind of backup, or even a PIN. So that’s the kind of thing people have got to do and be aware of.

HT: The IT department would need a variety of skills, not just Windows but also iOS and Mac and BlackBerry, as well as all the other flavours. You need to have a constant refreshing of the skills. These devices are changing every time you get an update for the operating system, whether it’s Android or iOS. There are new features, security or otherwise that they are constantly having to pick up. I think that it is changing the way that IT departments work.

This will have an impact on the levels of professionalism though, won’t it?

LB: Yes, you do need good professional people and it needs to be done properly. So I think that is important. But I also think if you look at SMEs, they generally bring their own device to work and people in those companies haven’t got a lot of money to spend, they are run by their owners and they almost certainly use the same device both for work and for private things and they will probably have partitioned that device before they started in some way.

You need to go about everything systematically, properly and have proper security both for your own things and for your business. You need to think very hard about whether you are going to give people access to everything.

Is there a requirement in terms of something more physical when people bring their own devices to work? Should there be spot checks to make sure that people have adequate security in place such as PINs?

LB: You have to insist on the appropriate level of security on anything that’s going to be work-related on the device. I don’t think you can impose good security on individuals in the way they run their own personal life, but I think that most people can be persuaded that it’s really quite simple and that having a PIN isn’t the end of the world or you can use a biometric.

HT: There are simple systems in place where you can enforce rules on people. For example, on our email system, if you set it up on a mobile phone it will insist on locking the phone with a PIN. It tells you that if you were to get this number wrong a set number of times, then the device will be wiped.

You can force these issues on people and they are not draconian, 1984 style controls. They are very simple and I think all of us these days, when asked to create a four-digit PIN, can do so.

LB: I think that in reality, the reason that most people don’t put up reasonable security on their own devices is often because they don’t know how to or just want to get on and do it. On the whole it will probably improve people’s security of their own personal information on their devices by using it for work. They will probably up their game.

HT: It’s exactly what I did with my phone. I had my work phone with these security rules and I realised that my phone did the same and so I did it.

Different platforms have different levels of security support though, don’t they?

LB: It requires clarity and understanding and it starts by understanding what level of security you need in your organisation. I think most larger organisations that allow people to bring their own device to work have a policy that states the default if they give you a device, if they think that you need to be operating in a mobile way, be it via a smartphone, laptop or whatever. If you want to use your own this is how it needs to be configured for this to work and we will support you in this fashion to do it.

They need to be quite clear in their own minds with each operating system what they need to do to achieve that. There are increasing numbers of products that will ensure that they put the level of security they want on the section of the device that is going to be used for business purposes.

What are the marks of the organisations who get this sort of thing right?

LB: What characterises them is that they have got a very clear, simple policy that all of their staff can understand that explains to people that they have access to sensitive data and they must behave in a certain way with it, so that they have all the staff with them. I think they need to make sure that whatever devices people are using it is easy to use them properly.

I remember years ago in the MoD we had a secure system called CHOTS. It was almost totally unusable, so what happened was that everybody wrote all their classified documents outside it and only classified them and put them on the system when they were finished.

You have got to have security that is usable, intuitive and makes you do the right thing without enormous hassle. If you do that, people will follow it. People don’t actually want to lose data, they want to get on with their jobs and be as productive as possible.