Balancing the risks and opportunities of BYOD (bring your own device) in workplaces

Many businesses have already moved parts of their technology to the cloud or are in the process of doing so, and digital transformation is part of many growth strategies. BYOD is another common way of providing access to business information: employees bring personally owned devices to their workplace and use those devices to access privileged company information and applications. Whilst the upside is that you can provide access to information such as email for the majority of your employees 24/7 without considerable investment, it can also mean you lose some control of what happens to that data.

Whilst the use of new and emerging technology is often a differentiator in a market and a way to connect with customers, doing so without considering the risks is fraught with danger.  Many organisations will certainly consider the risk to privacy and external risks such as data breaches without considering the malicious insider threat that may exist.

When investigating issues such as theft of IP (intellectual property), we traditionally relied on forensic processes to identify whether information had been sent to an external party or copied from the organisation. This would include analysis that could:

  • Locate what USB devices had been connected to a computer and what files are located on them;
  • Identify what files and folders a user had been accessing on servers;
  • Determine whether a user has used private web-based email platforms; and
  • Identify whether a user has accessed cloud-based file storage platforms such as Dropbox.

A new trend we are seeing is the use of privately owned mobile devices, with platforms such as WeChat, to copy confidential information. Whilst many of the modern social media platforms have limitations on what you can copy, large amounts of data can be moved quickly and securely with very little evidence of the behaviour being available. The added complexity of ownership, privacy and encryption that is common on these platforms makes detection and investigation much harder.

Even though a business may have technology in place to manage BYO devices, we are still seeing information being taken using new mobile applications or via the standard backup processes available to every mobile device.

It is important that businesses remember that, unless they have complete control of their data and technology, there will always be risks of IP being lost that cannot be mitigated.