Being able to use your own device (laptop, smartphone or tablet) at work and being able to connect seamlessly to other devices and the organisation’s network sounds great.
However, Julian Thrussell, Security Specialist at Ultima Risk Management (URM), raises two notes of caution.
Support
A major concern with BYOD is the time and cost of the IT Department supporting a wide range of devices, each of which has its own idiosyncrasies and vulnerabilities. Each new device brings the problem of bugs and incompatibilities, whereas old legacy devices may not support the latest applications your business wants to use. One cannot overstate the ‘economies of scale’ benefits attached to purchasing and supporting a limited number of hardware and software applications.
Security
With BYOD, a major security concern for organisations is the difficulty in controlling the usage of these devices. Corporate policies and processes relating to usage of computers are inevitably a lot harder to apply with BYOD. With the proliferation of devices come unsupported applications, file sharing, 24/7 social media and huge storage capacity. The more attractive the device and its applications, the greater the likelihood of it being accessed and used at home by family members and friends, and the greater the risk of sensitive corporate data being compromised. A specific and very real threat to all businesses is that the greater the number of devices, the greater the difficulty in applying anti-virus controls.
Compliance with standards such as ISO 27001 (International Standard for Information Security Management), the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) is going to be more difficult with BYOD. A key requirement of all of these is the need to demonstrate control over the usage of devices. This is going to be more difficult when you don’t own the device. Most devices can be made secure, but there is a high degree of trust placed in the users/device owners.
If your company decides to introduce BYOD, Julian Thrussell advises that you think carefully through the implications, revisit your policies and processes and provide staff with training and clear guidelines on what is and isn’t acceptable.