Could BYOD Spell Disaster for Government Suppliers?

BYOD (Bring Your Own Device) is coming

The rapid expansion of workers using their own laptops, smartphones and tablets for work purposes, otherwise known as bring your own device (BYOD), may be putting Government contracts at risk. Whilst companies holding such contracts are well within their rights to accept risks to their own information and services, they are not at liberty to take the same risks with information owned by the Government or services provided to the Government under some form of service level agreement.

Employees are ignoring corporate policy

Even when companies have addressed the BYOD phenomenon by putting policies in place about what workers can and cannot do on these devices, the chances are that they are largely ignored.

A recent survey (Fortinet – June 2012) of nearly 4,000 workers in their twenties revealed that although 42% recognised the risks of data loss and malicious threats, a third of respondents were still willing to bypass corporate security policies and controls and use their devices anyway.

When considered alongside the recent Ascentor survey (Meet the Information Saboteurs – aka, your employees) that indicated that more than half of the employees surveyed would deliberately use information to sabotage their employer's company, the real risks of BYOD become sharply focussed.

6 steps to manage BYOD information risks

Although all companies should be doing something to address these information risks, those involved in Government contracts need to rely on more than just policies and procedures if they are going to keep their contracts and their reputation intact. They need to ensure that the information is protected so that it cannot be remotely accessed by any unauthorised device, no matter who owns it.

Government suppliers need to take steps now to address the risks associated with BYOD:

  1. Produce a BYOD policy that makes it clear that access to Government information or services is not allowed from personally owned devices;
  2. Communicate the policy widely and back it up in training sessions and team management meetings;
  3. Store Government information in trusted environments that have robust technical controls in place to restrict access to only authorised personnel and from authorised devices;
  4. Conduct internal network monitoring to provide assurance that information and services are not being put at risk either from direct access or from malicious threats;
  5. Review the company BYOD policy with the Government authority to ensure that it meets any contract requirements;
  6. Update Government risk assessments associated with the provision of a service so that BYOD risks are covered and countermeasures are put in place.

Or else…

Above all, Government suppliers must not ignore the situation. Loss of Government information and/or the interruption to a Government-provided service through a failure to deal with the expansion of BYOD may have serious consequences including:

  • Loss of contract;
  • Damage to reputation;
  • Expulsion from framework agreements;
  • Financial penalties including up to £0.5m from the Information Commissioner's Office for loss of personal data;
  • Potential for legal action.

Next steps

BYOD is not just a fad; it is an inevitability. People are becoming more and more attached to their own individual devices and are far more effective when allowed to work their own way. This is good news for businesses that embrace BYOD, but they must do so with their eyes open and not take undue risk with their own information or that of their partners and customers. The key is to follow good information risk management practice.

Article by Paddy Keating, Director/Government Service Manager at Ascentor.
