FRAUD FACTSIssue 23 June 2014 INFORMATION FOR ORGANISATIONS

Bring your own device (BYOD) policiesOrganisations are increasingly allowing staff to connect to their corporate network using their ownpersonal devices. This factsheet highlights some of the security issues that should be consideredand safeguarded against when adopting such an approach.

individual and/or department withsufficient authority, such as a director orsenior manager within the IT department.

Communicating your policy

All staff, contractors, consultants andfreelancers should be made aware of yourBYOD policy. Actively and regularlypromote the policy to staff throughout theorganisation – irrespective of grade,position or length of service.

Reviewing your policy

Technology changes rapidly. It is essential that you review your BYOD policy regularly to ensure that it remains relevant andeffective.

Key security considerations

Before introducing a BYOD policy it isimportant that your business has well-managed and appropriate informationsecurity policies and procedures in place.Consider the legal risks and seek advice from an IT, data protection or othersuitably qualified professional whereappropriate.

Key issues to be considered are outlinedbelow.

Help and support

Technical support may be required when staff connect to the network using theirown device. This could involve activatingdesktop security settings (eg, screen lock),encryption and firewalls, installing remotedesktop clients and a Virtual PrivateNetwork (VPN) connection.

Publish a list of supported devices and thesecurity steps that staff must take for eachdevice. All staff should access the networkusing a unique username and a strongpassword.

Introduction

Organisations are increasingly allowing staff to connect to their corporate networkusing their personally owned electronicdevices. Such an approach can beadvantageous, boosting productivity andenabling staff to work while travelling oraway from their desk. However, businessesshould be aware that there are importantsecurity issues around the use of personaldevices for work purposes, and these needto be carefully considered and safeguardedagainst.

Some of the risks associated with allowingstaff to use their personal devices for workpurposes include (but are not limited to):

• loss or theft of staff-owned personaldevices that contain businessinformation;

• inadequate controls for unauthorisedprograms (such as apps, instantmessaging, file sharing and ‘paste bins’)which may result in accidental dataleakage and security vulnerabilities(malware);

• deliberate and/or malicious theft ofbusiness information and intellectualproperty;

• non-compliance or breaches ofapplicable laws, regulations and/orbusiness policies (such as data protectionand Payment Card Industry Data SecurityStandards); and

• insurance and IT security policies maybecome more complex and costly tomanage.

In addition, it can be very difficult to tellstaff what they can and cannot do withtheir own devices in their own time.

What is a BYOD policy?

A ‘Bring Your Own Device’ (BYOD) policy sets the standards, procedures and

restrictions applicable to staff who use theirpersonally owned devices to connect to thecorporate network from home, at work orwhile travelling for business purposes. Itaims to protect your business (and yourstaff) from accidental and deliberateinformation security breaches.

An effective BYOD policy should be simple,concise and easily understood. As aminimum it should explain:

• who the policy applies to (eg, staff,contractors/consultants/freelancers);

• which devices can be used (eg, laptops,tablets, smartphones);

• what services and/or information (data) can be accessed (eg, email, calendars,contacts);

• the responsibilities of the employer andstaff member (including for securitymeasures that need to be adopted);

• which applications (apps) can/cannot beinstalled (eg, for social media browsing,sharing or opening files etc);

• what help and support is available from IT staff; and

• the penalties for non-compliance (eg, privilege revocation and otherdisciplinary procedures).

Before staff are allowed to use theirpersonal devices for work purposes theyshould agree to adhere to the requirementsset out in the BYOD policy.

Whom should it cover?

Your policy should cover all full- and part-time staff who want to use their personaldevices to access business systems andinformation. It should also coverconsultants, contractors and freelancers.

Designating responsibility

Designate oversight for the policy to an

Sign-off procedure

Ensure each BYOD device is compliant withsecurity policies before granting networkaccess. Decide how this is done: either face to face or through the use of remote accesstechnology. Ask staff to agree to varioussecurity provisions during the sign-offprocess (such as secure wipe settings).

Make it mandatory for staff to report lost orstolen personal devices and any suspecteddata breaches immediately to your IT/dataprotection department who can instigateactions to remotely wipe or protect the loss of business data.

Data classification

Categorise business information into public(eg, press releases), internal (eg, contactlists) and confidential data (eg, client orcustomer data). Use controls to limit theopportunities for confidential data loss bylinking classification to your informationand network security policies.

Information security

All staff should be asked to sign a securitypolicy that prohibits the retention ofconfidential business data on personaldevices (whether encrypted or decrypted).Limit staff access to data to a ‘need toknow’ basis.

Link your BYOD policy to your Acceptable Use Policy (AUP) which asks staff not toconnect to unacceptable, objectionable orillegal websites or engage in inappropriatebehaviour through a VPN connection madeaccessible via a personal device (eg, usingsocial media to post abusive content).Where possible, block access to high-riskwebsites via the VPN by using firewallaccept and deny rules.

Consider including in employmentcontracts the disciplinary action that will betaken for policy breaches.

Always act on advice published by theInformation Commissioner’s Office (ICO)when reviewing security policies. Dataprotection must be taken seriously by all

concerned. Remember: your business mustnever have access to any personal datastored on a BYOD device.

Network security

Ideally staff should access businessresources through a virtual desktop thatprohibits the download of any documentto their personal hard drive. Personaldevices should be considered ‘untrusted’and given limited access to networkresources. This can be done using DynamicHost Configuration Protocol (DHCP).Access to limited network resources anddata can be granted to untrusted devicesthrough network separation and firewallrules.

Security management

Changes to network security policies mayresult in new vulnerabilities. Make sure thatremote and virtual desktop applications aremonitored and regularly patched. Criticalsecurity holes should be patched on a risk-sensitive basis (including a zero-day fix rulefor emergency updates). All personaldevices will need security management,vulnerability scanning and updates asrequired.

Leavers policy

Ensure your staff leavers policy allows your IT department to retain a copy of allbusiness-related email communications anddocuments created by the leaver, whilstensuring no copies are retained by anyindividual or personal device (eg, byperforming an ‘exit’ wipe). Network accessshould be revoked immediately. Unlessyour business retains full control oversecurity settings this may be challenging.

Hallmarks of an effective policy

DO:

4 Make staff and consultants aware of yourBYOD policy. Actively and regularlypromote it throughout the organisation to staff – irrespective of grade, position or length of service.

4 Require staff to set a strong PIN orpassword on the device. Passwords should contain a combination of letters,numbers and other characters, and bedifficult to guess.

4 Ensure that you have the right to wipe thecontent on devices that are lost or stolen.Provide guidance for staff on how to backup their personal content so that it can berestored to a new device.

4 Designate responsibility for oversight ofyour BYOD policy to an individual and/ordepartment with sufficient authority.

4 Review the policy on a regular basis.Update it to reflect technologicaladvances and changes to businessactivities.

DO NOT:

7 Expect staff to be aware of the policywithout telling them it exists.

7 Introduce a BYOD policy and fail to followup on it.

7 Expect that the existence of a policy aloneis enough to prevent fraud or loss ofbusiness information.

Further information

See our separate fraud factsheets on CloudComputing, and An Introduction to FraudRisk Management for more information.

Fraud Advisory Panelwww.fraudadvisorypanel.org

Get Safe Onlinewww.getsafeonline.org

Information Commissioner’s Officewww.ico.org.uk

PCI Security Standards Councilwww.pcisecuritystandards.org

Fraud Advisory Panel, Chartered Accountants’ Hall, Moorgate Place, London EC2R 6EA.Tel: 020 7920 8721, Fax: 020 7920 8545, Email: info@fraudadvisorypanel.org.Company Limited by Guarantee Registered in England and Wales No. 04327390Registered Charity No. 1108863

27052014 FRAUD FACTS Issue 23 June 2014

www.fraudadvisorypanel.org

Distributed by

© Fraud Advisory Panel 2014

All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should firstget the Fraud Advisory Panel’s permission in writing. The Fraud Advisory Panel and the contributors will not beliable for any reliance you place on the information in this Fraud Facts. You should seek independent advice.

The Fraud Advisory Panel gratefullyacknowledges as the main contributorSeona Devaney (Frisk Online) in thepreparation of this Fraud Facts.