Could BYOD Spell Disaster for Government Suppliers?

BYOD (Bring Your Own Device) is coming

The rapid expansion of workers using their own laptops, smart phones and tablets for work purposes, otherwise known as bring your own device (BYOD), may be putting Government contracts at risk. Whilst these companies are well within their rights to accept risks to their own information and services, they are not at liberty to take the same risks with information owned by the Government or services provided to the Government under some form of service level agreement.

Employees are ignoring corporate policy

Even when companies have addressed the BYOD phenomenon by putting policies in place about what workers can and cannot do on these devices, the chances are that those policies are largely ignored.

A recent survey (Fortinet – June 2012) of nearly 4,000 workers in their twenties revealed that although 42% recognised the risks of data loss and malicious threats, a third of respondents were still willing to bypass corporate security policies and controls and use their devices anyway.

When considered alongside the recent Ascentor survey (Meet the Information Saboteurs – aka, your employees), which indicated that more than half of the employees surveyed would deliberately use information to sabotage their employer's company, the real risks of BYOD become sharply focussed.

6 steps to manage BYOD information risks

Although all companies should be doing something to address these information risks, those involved in Government contracts need to rely on more than just policies and procedures if they are going to keep their contracts and their reputation intact. They need to ensure that the information is protected so that it cannot be accessed remotely from any unauthorised device, no matter who owns it.

Government suppliers need to take steps now to address the risks associated with BYOD:

  1. Produce a BYOD policy that makes it clear that access to Government information or services is not allowed from personally owned devices;
  2. Communicate the policy widely and back it up in training sessions and team management meetings;
  3. Store Government information in trusted environments that have robust technical controls in place to restrict access to only authorised personnel and from authorised devices;
  4. Conduct internal network monitoring to provide assurance that information and services are not being put at risk either from direct access or from malicious threats;
  5. Review the company BYOD policy with the Government authority to ensure that it meets any contract requirements;
  6. Update government risk assessments associated with the provision of a service so that BYOD risks are captured and countermeasures are put in place.

Or else…

Above all, Government suppliers must not ignore the situation. Loss of Government information and/or the interruption to a Government-provided service through a failure to deal with the expansion of BYOD may have serious consequences including:

  • Loss of contract;
  • Damage to reputation;
  • Expulsion from framework agreements;
  • Financial penalties including up to £0.5m from the Information Commissioner's Office for loss of personal data;
  • Potential for legal action.

Next steps

BYOD is not just a fad; it is an inevitability. People are becoming more and more attached to their own individual devices and are far more effective when allowed to work their own way. This is good news for businesses that embrace BYOD, but they must do so with their eyes open and not take undue risk with their own information or that of their partners and customers. The key is to follow good information risk management practice.

Article by Paddy Keating, Director/Government Service Manager at Ascentor.
