Six Steps to Manage the BYOD Information Risk

BYOD and information security

The world of technology is moving fast. In this era of consumerisation, BYOD (Bring Your Own Device) is here and it is here to stay. The rapid expansion of workers using their own laptops, smartphones and tablets for work purposes is not a fad. People are becoming more and more attached to their own individual devices.

This can be good news for businesses but those embracing BYOD must do so with their eyes open and not take undue risk with their own information or that of their partners and customers.

To BYOD or not to BYOD, you might ask. Do the risks outweigh the benefits?

Can you hold back the tide?

“A third of Gen Y would ignore a policy banning BYOD” (Fortinet, June 2012)

Even when companies have addressed the BYOD phenomenon by putting policies in place about what workers can and cannot do on these devices, the chances are that those policies are largely ignored.

A survey (Fortinet, June 2012) of nearly 4,000 workers in their twenties revealed that although 42% recognised the risks of data loss and malicious threats, a third of respondents were still willing to bypass corporate security policies and controls and use their devices anyway.

When considered alongside the recent Ascentor survey (Meet the Information Saboteurs – aka, your employees), which indicated that more than half of the employees surveyed would deliberately use information to sabotage their employer's company, the real risks of BYOD come into sharper focus.

6 steps to manage BYOD information risks

You can and should embrace BYOD as long as you take steps to manage the associated risks. Here is how.

  1. Produce a BYOD policy that defines the policies, processes and procedures needed to protect intellectual property and sensitive information. The policy must support the business and must make sense to the people expected to follow it.
  2. Communicate the policy widely and back it up in training sessions and team management meetings. Set expectations so everybody knows what will happen if a device is stolen or lost. Every user must know the backup approach, the retention policies, the device wipe capabilities, etc.
  3. Assign roles in the organisation to the people who are responsible for the use of BYOD: data owners and business unit managers, and IT support staff.
  4. Know where the data is stored, how it is transferred and to whom. Perform regular audits to understand how the information is being used. Use ISACA's BYOD audit programme, available here.
  5. Control and secure the devices. Include the devices within the corporate asset management programme so that they can be patched and supported to reduce potential vulnerabilities.

  6. BYOD, like any other form of using data, is a business problem, not just a security problem. Involve operational managers, human resources and IT departments so that, together, you can find the right balance for the BYOD challenge.

What now?

People are becoming more and more attached to their own individual devices and are more effective when allowed to work their own way. You will not stop the tide. It is possible to embrace BYOD and manage the risk. The key is to follow good information risk management practice.


Article by Steve Maddison, Director and Principal Consultant at Ascentor.

Further reading: