BYOD is a growing trend across mobile enterprise and a workforce on the go. But IT managers are still getting to grips with how to manage the risks associated with such dynamic working practices.
E RADAR discusses the issues...
BYOD - Bring Your Own Devices concerns the practice of organisations allowing their employees to use their own personal devices such as smart phones and iPads whilst at work. This enables employees to stay in touch with all aspects of their business and personal lives at all times.
The benefits to the organisation are obvious and include less expenditure on the IT estate and better networked communications between teams and customers. But this new business consumer trend also raises some important questions for the board, compliance and risk managers. For example:
- What rights and controls does the organisation have over another person's device?
- How does the organisation guard against information leaks as well as other legal and regulatory risks?
- What security policies should the organisation have in place?
Now, more than at any other time must organisations consider ring-fencing all important data and information and ensuring that adequate security measures are put in place. Organisations should not panic about this new way of using technology - it is rapidly becoming expected practice. Instead, they should focus on how devices are being used in the workplace, how many are being used in this way, and what is being done to protect the organisation's information and proprietary applications (if any) running over the devices. This new phenomenon is not as much of a new threat if the organisation already has policies and procedures in place to deal with the use of communications at work.
What does BYOD mean?
This article aims to inform IT decision-makers about the challenges facing organisations which allow workers to bring in their own personal devices for business use. The article also serves to restate the legal and regulatory framework within which electronic communications are used in the workplace, including:
- Current business trends;
- Corporate liability (employer and employee relationship);
- Personal liability of directors;
- Misuse of personal devices;
- Monitoring networked communications;
- Workers and personal data;
- Stored network communications;
- Networked communications and evidence;
- Operational implementation of the policy;
- Data and information assurance and security.
Current business trends
According to a survey of senior executives and managers in 700 small and medium-sized businesses (SMBs) across France, Germany and the UK, the majority of French SMBs are seeing the increasing adoption of personal communications tools for business use across the company. Yet three-quarters have no controls in place to manage the application of such devices on behalf of the business.
The survey, undertaken by YouGov for the software company CitrixOnline, found that:
- More than four in five small businesses say they already allow staff to use personal technology for work purposes;
- 57% of firms admit they have no policies regarding the use of personal technology;
- More than half of companies are not aware of all the devices being used by their staff for business;
- 32% of firms said they were most concerned over the security implications of allowing staff to download documents and applications to personal devices;
- 29% admitted they were worried about letting employees remotely access corporate networks.
Employees being distracted by personal devices is fast becoming a top concern for businesses. The survey found that more than two in five (21 percent) of UK businesses admitted they feel under more pressure to introduce or increase mobile/flexible working practices compared to five years ago, with 30 percent saying internal staff are driving this pressure. Nearly two thirds of staff (64 percent) say they want to improve their work/life balance by reducing their commuting times, and 61 percent want to make their lives easier by using the same device for business and personal use.
It is no surprise that there is so much resistance to work-shifting, as managers have to move to evaluating performance on results over time rather than on the basis of physically seeing staff working at their desks. The good news is that these devices enable employees to take charge of their time, by self-prioritising in an effective and controlled way.
UK Telecoms Regulator
The opportunity to use personally-owned devices is also increasing according to UK telecoms regulator Ofcom. Surveying 1523 organisations across all sectors using digital communications, the Business Consumer Market Report 2010 revealed:
- 46% of companies have staff undertaking duties away from commercial premises;
- 36% of that 46% work from home;
- Communications services often overlap between personal and business use.
Ofcom found that the use of communications services varies significantly by company size, with 82% using land line and 72% Internet services. 65% use mobile services and only 10% use data services (which include internal networks for the storage and transmission of data, and services to connected sites). Take-up of all communications services, especially mobile services, increases significantly in organisations with more than 50 employees.
Most organisations now rely on a mix of communications services. 56% of companies use smart phones and mobiles to access email and/or the Internet. 89% order goods and services online and 77% have a company website, whilst 38% use remote log-in and 36% use FTP sites. The key drivers are: to enhance customer response; profile raising and driving up sales; and to enable greater work flexibility and efficiency. 70% of business consumers feel well informed, 60% confident, and 56% engaged with respect to communications services. 41% are risk averse when considering new communications technology.
When an employer engages an employee, the authority vested in the employer is delegated to the employee in various degrees, depending upon their position in the organisation. The employer becomes liable for the employee's activities whilst acting within their employment. This is known as vicarious liability.
It is possible for the employer to be liable whether employees use the organisation's communications network from the office or from any other location, such as a home computer. Ownership of the actual device used is irrelevant.
The employer must therefore take reasonable care to prevent improper or illegal activities taking place, for example by having in place policies (e.g. anti-discrimination, privacy and communications) that manage their employees' behaviour.
Employers should also be proactive in protecting employees and others from threats when communications networks are used, such as:
- negligence in sending viruses to other businesses;
- sexual or racial harassment.
Personal liability of directors
A director has a legal duty to a company and some can be found personally liable for failing to undertake duties implied by law. A director's service contract may also require them to provide additional obligations that go beyond the duties set out in law.
Directors cannot avoid dealing with the misuse of the communications network within the organisation.
Role of Governance
Leadership from the boardroom down and across the organisation is fundamental. Until directors and senior managers are educated about the concerns relating to the use of networked communications within the organisation, they will fail – and the organisation will fail to address the challenge of managing consumer technologies at work.
Types of Misuse
Failing to control the use of networked communications can be an expensive option.
Email and Instant Messaging
Most organisations now permit employees to send and receive email. If the organisation owns the device and network infrastructure it is easier to manage and control an employee's email traffic than, say, traffic passed over web-based email applications such as Hotmail, Google and Yahoo! Instant messaging (IM) has also become popular in recent years and carries all the liability concerns of email – but in real time!
The challenge is to ensure an appropriate use policy is in place governing staff use of email and IM, tied through the contract of employment to a disciplinary procedure for misuse.
Where employees are permitted to use the Internet, organisations must have in place a browsing policy to avoid issues such as developing a hostile working environment, downloading illegal and illicit images, and damage to reputation. For example, in Ms M Morse v Future Reality Limited, the plaintiff was uncomfortable working in an atmosphere where male colleagues spent time viewing and downloading pornographic images in the office. Whilst it is more difficult to view such images over a personal device, the risk is nonetheless present and could lead to organisations facing an employment tribunal if inappropriate behaviour is left unchecked.
Monitoring networked communications
Staff monitoring of email and other communications should only be done as a last resort, and must be carried out according to the Regulation of Investigatory Powers Act 2000 and The Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000.
In the UK, interception of communications is illegal unless done for specific purposes, including the detection of crime and terrorism. Under the Lawful Business Practice Regulations, organisations are allowed to monitor their communications systems and networks for lawful business purposes which they must specify and which can include training, quality control or security. You must inform users that monitoring is taking place. The recent high-profile case of illegal monitoring at News International has demonstrated the dangers of illegal interception. Monitoring your workers is usually intrusive.
Organisations must do an impact assessment before undertaking any form of monitoring:
- Identify clearly the purposes behind monitoring arrangements and the likely benefits;
- Identify any likely adverse impact;
- Consider alternatives to monitoring or different ways it can be carried out;
- Take into account legal obligations;
- Judge whether monitoring is justified.
Workers have a legitimate expectation that they can keep their private lives private, and are entitled to a degree of privacy whilst at work. Remember that if your communications network captures information about a worker which is private, for example an email exchange with his doctor, you must have appropriate safeguards in place under the Data Protection Act 1998 to stop the information becoming widely known.
Workers and personal data
Breach of data protection laws can now attract fines of up to £0.5 million as well as damage corporate reputation and customer confidence. Who wants an accountant looking after their personal financial records who is in breach of data protection law?
Employees, customers and suppliers all have a right to have their personal information kept in accordance with the 8 Data Protection Principles set out in the Data Protection Act 1998.
- Security standards should be applied that take into account the risks of unauthorised access, and of accidental loss or destruction, of personal (and other business-critical) information;
- Secure controls should allow workers to access records when they have a legitimate business need to do so;
- The audit trail capabilities of automated systems to track who obtains access to and amends personal data should be used;
- Encryption should be used where appropriate.
The rights of workers are set out in the Information Commissioner's Employment Practices Code and they provide reasonable expectations about how the employer should act in dealing with the employee's personal information. Where a device is owned by the individual worker, it is likely that the employer will capture personal information, probably more so than where the device is company-owned. This capture of personal data must be managed carefully.
— Will Roebuck (@ERADARtweet) June 4, 2013
Stored network communications
The risks attendant upon the failure to provide for the proper retention and disposal of communications can cause added expense to the organisation, perhaps even outweighing any savings from using them. The data retention and disposal policy should be justified, should take into account operational needs, and should be reasonable, measured and appropriate. It is neither practical nor necessary to keep every document created in the course of running the business.
The document retention and disposal policy should reflect the way in which employees create, alter and manipulate electronic documents. Any communication in electronic format is a document and must be retained in accordance with relevant laws and regulations. Most organisations do not have a retention and disposal policy, and do not have a person identified to deal with the issue. IT managers are not responsible for data retention and disposal policies; it is a director's role!
Data retention and disposal policy
The policy must reflect:
- The type of product or service the organisation sells or provides;
- Statutory and regulatory retention periods;
- The fifth Data Protection Principle (Data Protection Act 1998) of not keeping personal information longer than is necessary;
- The Information Commissioner's benchmarks relating to the security of emails;
- How the organisation complies with laws and regulations (and subsequent guides) in relation to good corporate governance;
- The likelihood of legal action being taken;
- Suitable control and archiving of electronic documents, including emails.
Network communications use policy
Policies governing how staff (and contractors/consultants) use electronic communications must be well written in order to be enforced, usually through disciplinary proceedings. The policy should:
- Differentiate between private and company correspondence;
- Control the communication of confidential information;
- Prohibit sending or receiving of unusually large emails and attachments;
- Highlight dangers of propagating computer viruses;
- Prevent use of emails that hinders others using the network.
Networked communications and evidence
Documents in electronic format can be produced as evidence in court, and inadvertent destruction could adversely affect an organisation's legal position. There are two issues with electronic evidence:
- Is the evidence admissible?
- Is it convincing, giving an accurate account of the activity, transaction or decision? This also requires the evidence to be accurate and complete.
Guaranteeing the integrity of electronic evidence requires organisations to consider:
- Audit trails;
- Robustness of software;
- Chain of custody (especially for forensic evidence);
- Which computer and which people were involved (especially under the Computer Misuse Act 1990);
- Authentication of evidence.
Litigation can be expensive, so making sure that these evidential requirements are met is important. Digital evidence requirements re-emphasise the need to ring-fence important corporate data and information away from a device owned by a worker.
Operational implementation of the policy
Any policy governing the use of communications (email, Internet and instant messaging) should be tied into the employment contract (or contract of engagement for consultants). This will mean that the employee and employer are contractually bound by the terms of the policy.
Where a policy is not incorporated into a contract, it is considered a management guideline and is not contractually enforceable. Unlike contractual policies, the management guideline can be changed without the consent of employees.
The policy should address the following:
- Distribution of material that is sexual or racial harassment;
- Abuse of a person's right to privacy;
- Time wasting;
- Distribution of obscene material;
- Possibility of employees entering contracts unwittingly;
- Leakage of confidential information, trade secrets and intellectual property;
- Introducing viruses and other damaging software.
To enforce a policy, all workers must have received a copy, been made aware of it, understood its effects, been made aware of the sanctions, and received proper training as to why the policy has been introduced.
The use of personal devices at work is set to increase and is rapidly becoming a normal business trend. This is a sign of our increasing maturity in understanding how technology can enable the business. Let us remember that the simpler technology is to use, the greater the benefits to the business.
As always, legal and security risks are present when employees use personal devices. The challenge is to ensure that corporate data and information is ring-fenced so that it cannot be held locally on a personal device and cannot be downloaded. Cloud computing is a solution to ensuring that control of data and information remains with the organisation and not the employee. Adequate security measures should be put in place to stop unauthorised access and behaviour through the personal device.
When dealing with worker behaviour, rely upon the policies and procedures concerning the use of communications networks that have been discussed and promoted since organisations started to use email and the Internet. The employer and employee both owe each other specific duties set out in the contract, and this should be enabled by policies and procedures to deal with any fall-out from abuse or misuse of the communications network.