Discuss the Bring Your Own Device Organizational.
BYOD is a new technological policy or strategy that companies use to allow employees to bring their own devices to the workplace and use them to access privileged information or applications. BYOD is also known by other names, such as Bring Your Own Technology, Bring Your Own Phone (BYOP) and even Bring Your Own Personal Computer (BYOPC). In essence, the name signifies the kind of device an organisation incorporates, and with current trends and advancements in technology putting billions of devices in use, this technology is surely set to rise. One item in the definition is key: policy. Policy signifies the mandate, authority and even authentication accorded to these individually owned devices (Millman, 2013). As an information technology concept, BYOD is a form of consumerization, in which resources are used to access certain services. Other organisations use similar strategies to lower operating costs, for instance schools where students are allowed to use their own devices to access class material.
Aztec management has seen a substantial increase in customer demand, which has increased the number of employees. Acquiring new resources such as computers, tablets and mobile devices could prove costly. However, allowing each employee to bring their own device to the workplace and use it to perform their role is financially sound. Consider that, according to current estimates, the number of mobile devices in the world over the next five years will be more than 10 billion. These numbers translate to 1.5 devices for every man, woman and child across the planet (ER, 2013). So why not take advantage of these readily available devices to supplement a company’s resources? It is financially sound and meets the objectives set.
In addition, people increasingly use their devices to perform basic tasks, which has embedded mobile devices into all aspects of life. Similarly, employees prefer to use their own devices for workplace-related tasks, because they want to synchronise their routines into one ‘big’ device. This phenomenon is becoming so common that most employees in big corporations are asking their IT departments to incorporate their devices (ER, 2013). Consider the advantages: employees are continuously motivated when they feel included in the company’s policies. In return, they perform well and maintain high standards of professionalism. However, employers such as Aztec must realise that it is hard to separate personal roles and workplace agendas, so measures must be put in place to cater for these requirements (CIO Council, 2012).
According to Wainwright (2016), BYOD increases worker satisfaction because employees are no longer stuck with old or boring IT-issued devices. They are free to use their own devices, which are up to date (another merit), and can modify them at will. Secondly, it saves money while increasing productivity. Thirdly, all the devices used are up to date and meet the company’s objectives at no extra cost. Finally, BYOD encourages after-hours work engagement. An employee is more likely to answer a query from a customer on a personal device, because he or she feels free and in charge of the entire process (Willis, 2013).
Employees using their own devices to access workplace networks is an inevitable phenomenon in any industry; however, this technology brings with it a lot of compliance concerns (Computer weekly, 2016). The financial sector is a critical industry in which the data stored by its institutions is highly delicate and requires the highest form of security. One BYOD industry regulation concern is the loss of data if a device is lost. BYOD policies call for stringent scrutiny of mobile devices for companies in the financial and health sectors. However, according to Littler Mendelson (employment lawyer), the shift of IT policies from corporate-owned to personal, employee-owned devices clashes with most important government policies. Proper and adequate scrutiny requires access to a person’s private data, which goes against all privacy laws and personal security concerns. Nevertheless, a company like Aztec must employ careful assessment measures within Australian law to meet the basic BYOD data policies (Hanover, 2012).
Aztec can also develop its own private security measures to meet the demands of its operation. Since traditional security compliance measures fail to meet the demands of BYOD, the conventional way to fulfil this mandate is to use Mobile Device Management (MDM) software or policies. Even this can fail if the devices are ‘jailbroken’, but MDM can detect jailbreaking and so prompt a solution. Furthermore, as a financial institution Aztec must comply with the Payment Card Industry Data Security Standard (PCI-DSS). This includes protecting customers’ data and that of the company. To meet this requirement, the following items, otherwise referred to as BYOD best practices, must be met.
First, protect customers’ data, especially their cardholder information; this objective can only be met through encryption of transmitted data. Moreover, transferring cardholder information to BYOD devices violates PCI-DSS rules, so it should be prohibited and treated as a violation. BYOD devices should never download cardholder information; this is the single most important BYOD best practice.
Secondly, Aztec should implement strong access procedures for all of its databases and systems. All mobile devices used should have strong passwords known only to their users. Furthermore, restrict access to the company’s information on a business need-to-know basis; this acts as an additional security measure on top of card access restriction.
Thirdly, monitor all employees’ activities by tracking their network access routines. Moreover, accurate and auditable logs should be maintained; these records can then be used to search for cardholder information or violations.
In addition, the company should maintain an active and strong information security policy. For these policies to work, employees must be educated on security measures such as reporting lost devices.
Finally, when all is said and done, respect the employees’ privacy. Regardless of the security measures, if employees feel compromised they will communicate through different channels, which will compromise the entire system.
BYOD regulation compliance is important and must be considered at all costs. This includes basic items not mentioned above, such as maintaining active antivirus software on the devices used, automatic device locks and individual user authentication. These simple yet strong security measures can be the crucial safeguard against malicious individuals who intend to harm a company’s reputation or data (Winn, 2015).
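The log-review practice described above can be made concrete with a scan of access logs for card numbers reaching employee-owned devices. This is an added example, not part of the original essay: the key=value log format, the `owner=byod` field and the device names are assumptions, the log lines are constructed, and the card numbers are widely published test numbers.

```python
"""Scan access logs for payment card numbers (PANs) sent to BYOD devices."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally split by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed log format: space-separated key=value pairs, values optionally quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (hypothetical devices and users, test card numbers).
SAMPLE_LOG = [
    'ts=2017-01-10T09:12:03Z device=byod-0417 owner=byod user=jdoe msg="GET /mail/inbox 200"',
    'ts=2017-01-10T09:14:40Z device=byod-0417 owner=byod user=jdoe msg="export rows=1 pan=4111 1111 1111 1111"',
    'ts=2017-01-10T09:15:02Z device=corp-0031 owner=corp user=asmith msg="settle card 5555555555554444"',
    'ts=2017-01-10T09:20:11Z device=byod-0932 owner=byod user=mlee msg="ticket ref 1234567890123456 closed"',
    'ts=2017-01-10T09:21:57Z device=byod-0932 owner=byod user=mlee msg="attachment card-5555-5555-5555-4444.csv"',
]


@dataclass
class Finding:
    line_no: int
    device: str
    masked_pan: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding does not store the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def parse_fields(line: str) -> dict:
    """Split one log line into its key=value fields, dropping quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def scan(lines):
    """Return a Finding for every Luhn-valid PAN logged against a BYOD device."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        fields = parse_fields(line)
        if fields.get("owner") != "byod":
            continue            # corporate devices are governed by other controls
        for match in PAN_CANDIDATE.finditer(fields.get("msg", "")):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                findings.append(
                    Finding(line_no, fields.get("device", "?"), mask(digits))
                )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.device} handled {finding.masked_pan}")
```

The Luhn check is what keeps ticket references and other long digit strings, such as the one on line 4 of the sample, from being reported as violations.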
A financial institution like Aztec must have the strongest and most recent IT security measures. For one, any data transmitted by its systems concerns customers and their finances, or is the actual finances themselves. Unauthorised access to this information could therefore prove detrimental to the company’s reputation, especially its service delivery charter. BYOD proposes several changes to access policies that largely affect the current Aztec security policies. When it is implemented, Aztec will have to reconsider its IT policies, modifying them to meet the new demands brought by BYOD. For one, the full control Aztec exercises over the devices used by employees will be lost. Employees will expect to have their own devices and increased freedom to do their work wherever and whenever they choose (Pearson, 2014).
Furthermore, current trends in technology have led to rapid diversification and change in different business sectors. Today, employees are required to be more flexible to complete their mandated tasks. Their productivity is also determined by how they associate with their employers, which has led many employers to implement strategies that improve this mutual association. BYOD supports most of these strategies by offering leeway between personal life and work agendas. It also bridges the gap between employers and employees, who now have a better professional association. However, as seen above, BYOD completely changes a company’s operating structure.
First, consider the impact on applications, and more so on the usage of both personal and professional (work-related) applications. It is difficult to manage the applications an individual accesses on his or her own device unless he or she is accessing them through the organisation’s network. In such a scenario, the user is likely to access malicious websites and applications that later affect the organisation’s systems or applications (Subhani, 2016). This unregulated access is a strong security threat to a company’s data, more so for an institution in the financial sector. Data is the single most important commodity in modern society; its access, use and interpretation are used to run all modern organisations. An Aztec employee could download a malicious application that is later able to download customers’ information, a major security violation.
Secondly, there are lost or stolen mobile devices. It is common for a person to lose a device and show little concern over it. The lack of concern may be due to the information stored on it or, more precisely, the lack of information. However, for an Aztec employee who regularly accesses the company’s systems from a personal device, losing that device carries the risk of unauthorised access if it is not well protected. Consider, too, a lost device used by an unauthorised individual to access the company’s information. Aztec’s security measures would have to change to account for the possibility that a person loses a device. Automatic countermeasures such as automatic locks, access locks and data encryption, among others, would have to be considered (Garba, Armarego & Murray, 2015).
These vulnerabilities are just a few of the many concerns presented by BYOD, which means a company implementing the concept must adapt to fulfil all the necessary security and company policies. To reduce legal liabilities, among other risks, a company must analyse its existing security policies to determine how they affect employees who will use their own devices. The policies to be considered include data classification policies, mobile device access policies, encryption policies and privacy policies, among many others. This process may cost time and money but is critical for the success of the new strategy. Moreover, there is a big difference between company-owned devices and personal, employee-owned devices. It is possible to implement security measures to protect the data accessed by each of these kinds of device, but the procedures employed must differ for them to work effectively. For instance, Aztec may have to introduce special software that employees’ devices use to access the company’s information. Such software provides additional security for the mobile devices (InfoLawGroup LLP, 2012).
Another impact of BYOD on Aztec’s security measures or procedures is the alteration of employees’ privacy requirements to fit the new technology. Once BYOD is commissioned, the devices used to access personal information will also be used to access the company’s information. A number of violations may occur while conducting company or personal business; for instance, consider police officers in the U.S. who were accused of using work devices to text their loved ones (ILG post, 2012). Similarly, Aztec will have to consider scenarios where an employee intentionally or unintentionally violates either professional or personal codes of conduct. Privacy under BYOD depends on how an organisation monitors its employees; it is common for an organisation to track employees’ activities while they use the company’s network. These procedures are made possible by the devices issued (company devices) and the access control measures in place. However, how does a company accomplish the same without owning the devices and without infringing on the personal privacy rights of its employees? Possible solutions may lie in authentication, authorization and the use of special software to access the company’s information. This software can then be monitored to track employees’ activities.
Finally, consider the statistics provided by Trend Micro in 2012, in which more than 93 percent of all BYOD devices (tablets, mobile phones, computers etc.) used to access corporate information lack the necessary security systems. This data shows how little control BYOD offers: it not only reduces organisational control but also makes it difficult to enforce policies and regulations. Moreover, according to Goode (2012), attackers continuously exploit the vulnerabilities seen in BYOD devices to access organisational information. These exploitations are possible because current security systems lack the necessary tools to deal with current trends in technology. Traditional security methods such as host-based firewalls and even the well-known content-based firewalls cannot meet the demands or threats of mobile devices. However, organisations cannot prohibit BYOD technologies or concepts because of the threats; instead, they must implement top-notch security measures while maintaining a high priority on privacy and access control.
BYOD presents many advantages over existing ICT technologies, but as with any other technology these merits are accompanied by several limitations or risks that may reduce its efficiency. The previous section highlighted the impact of BYOD on an organisation, and on Aztec in particular. In doing so, it mentioned some threats of BYOD, e.g. malware attacks, loss of data and unauthorised access. This section analyses these threats, among others, and also outlines the vulnerabilities and consequences of using BYOD.
Social engineering and phishing attempts are a common risk associated with BYOD. Attackers use clever deceptions to acquire private information from unsuspecting individuals, e.g. through emails in which people are prompted to enter their details. BYOD increases exposure to this form of attack because employees using their own devices will access different websites and applications that are not monitored (Dodge, 2007). Aztec may have the necessary precautions to prevent access to a malicious website but may lack the same control when the user’s device is connected to other networks. In effect, the company’s data may be at risk when the affected device is reconnected to the company’s network. As with phishing, malware is becoming predominantly familiar because of mobile devices. Malware targets the user’s information or damages the user’s device. Mobile devices such as those used in BYOD are routinely infected with malware such as viruses, worms, botnets and Trojans because they have only basic security measures. In addition, users are continuously prompted to install applications that later infect their devices. This malware can take commands from and communicate with an unauthorised user while avoiding the company’s IT security measures.
Interception of data is another threat posed by BYOD, more so spoofing, where data is intercepted and modified. In its daily activities Aztec transmits a lot of information via its encrypted channels, be they VPNs or otherwise. A mobile device, with its limited access control protocols, is likely to be spoofed and to have information sent to the wrong recipient. Furthermore, the same devices can be used to create rogue access points that have limited access control protocols. A company’s network, even with its encryption, can be compromised if someone gains access to its systems or to a device physically connected to its VPN. However, interception of data is more pronounced in wireless access networks. Fraudulent access points encourage users to connect their devices, which are later exploited. Moreover, secure access point protocols are now affected, as fraudsters have found ways to compromise them, e.g. Hole 196, a vulnerability identified in WPA2, the most common Wi-Fi security protocol (AirTight Networks, 2010).
Company policies that target employees’ activities are another serious vulnerability issue that can have grave consequences. A BYOD device can easily be accessed through its vulnerabilities when a user violates any of the set policies and rules. In fact, an employee may lack malicious intentions but, through ignorance or carelessness, expose the company’s data, which an attacker then capitalises on to access the information. An attacker may prompt the user of an Aztec BYOD device to disable its firewall or settings in order to get improved speeds and performance. An unsuspecting user, tired of the speeds (due to access controls, e.g. proxy use), will disable said firewall to get improved speeds; as a result, the attacker will have a way into the company’s systems. A good example of this is the Citigroup financial company attack, where data from thousands of customers was leaked because an employee used simple peer-to-peer software found on BYOD devices (Masin, 2013).
Many factors may increase the occurrence of BYOD risk, as seen in the risk assessment above. Allowing corporate information to coexist with personal information is one of these factors. It becomes difficult to maintain a strong corporate structure with strong security controls while meeting user privacy requirements. Furthermore, when the devices used are personal devices, the control procedures become contentious, to say the least. A company may struggle to balance corporate and personal life, and that struggle is then exploited (a vulnerability) and used to access vital customer information. Grave consequences may follow, for instance leakage of information as seen in the example given above (Gajar, Ghosh & Rai, 2013).
IT departments find it difficult to support users who use different devices running different systems. One user may use a Windows device while another uses an iOS device; the problem is made more difficult by the constant updates and the different operating system versions produced each day. In such a case, an administrator may apply access control procedures that work differently on different systems. The consequence is an inefficient control procedure filled with bugs and constant failures. These failures can slow a company’s systems, slowing its service delivery mechanisms (Rose, 2013).
BYOD risk comes with many serious consequences; in fact, according to the Industrial report (French, Guo & Shim, 2014), more than 60 percent of modern companies risk the consequences of BYOD risks. To start, confidential data stored in e-mails, spreadsheets, applications and users’ accounts can easily be lost if a device is lost or stolen. Furthermore, according to the same report, almost half of the companies allowing BYOD have experienced a breach in their systems. On top of losing data, these breaches violate many compliance policies and laws, making the companies liable to lawsuits. Finally, like the two sides of a coin, BYOD may offer a good balance between work and life activities, yet some people develop serious work-related issues where they work all the time. Such people have difficulty maintaining serious relationships because they bring their work to all personal activities, even on leisure holidays. As a result, they develop severe work-life conflicts that develop into stress, eventually slowing their work productivity (Singh, 2012).
Data security is the chief concern of BYOD technology, as data can prove detrimental if wrongly accessed. In Aztec’s case, one type of data should never be used on BYOD devices: confidential cardholder information. This exception must be made before addressing the types of data that BYOD devices may use. Customers rely on confidentiality to protect their assets, and with BYOD devices this confidentiality is at risk. However, the company’s employees could use messaging services where e-mails and other relevant data are involved. Control information would also have to be used to regulate the flow of information. In essence, users would have to comply with the company’s data protection policies and obligations.
Access to information, on the other hand, would be restricted based on the authorization provided. Certain staff members would have more access than others, just as with any other control feature. Furthermore, access would be limited by department or faculty. These segmentation mechanisms would help monitor the BYOD system and ascertain its security. It is also advisable to have special software or applications for accessing the company’s information. For instance, consider an accounting department where a special application, Aztec_accounts, is used to access its databases. This system would be closely monitored irrespective of the device used to access it. In terms of data flow, all relevant company information would have to flow via encrypted channels, for instance VPNs. Virtual Private Networks (VPNs) are a secure way of accessing an organisation’s information via the internet (Ogie, 2016).
For Aztec to meet the minimal data security requirements, it must encrypt all the data it uses, irrespective of the source, destination and channel used. In addition, a good BYOD policy must be set, and it must include MDM concepts. These concepts give IT professionals the capability to access any device that is able to access the company’s information. This access can help a company revoke access to sensitive information and even wipe an entire device in case it is lost by the owner. In addition to the VPNs stated above, data flow should be restricted to specific identifiers, for instance certain MAC addresses. Furthermore, the company should establish multiple authentication procedures for devices accessing company information. This strict authentication can be accomplished using an Identity Access Management (IAM) solution. IAM is a solution that allows an organisation to have a two-factor authentication procedure, so that a person must pass multiple authentication procedures to access data. This procedure is vital because it ascertains the authenticity of the user, i.e. that the device has not fallen into the wrong hands along with the correct password or access (Smith, 2016).
Finally, all relevant company information should be stored in a centralised location with access limited to the appropriate members. A central server is easy to monitor, including the data flow associated with it. Furthermore, a centralised server can monitor daily activities and keep logs detailing who accesses it and at what time. Nevertheless, a centralised server should be supplemented with secure transport encryption that is not easily intercepted. Strong transport encryption mechanisms do exist, as they are commonly used by many collaboration platforms, e.g. Skype and iMessenger. These transport encryption mechanisms should be used by the company as a way of regulating data flow (Ogie, 2016).
References
Abubakar Bello Garba, Jocelyn Armarego & David Murray. (2015). Bring your own device organizational information security privacy. ARPN Journal of Engineering and Applied Sciences. 10 (3). Retrieved 10 January, 2017, from: https://www.arpnjournals.com/jeas/research_papers/rp_2015/jeas_0215_1591.pdf
AirTight Networks. (2010). WPA2 Hole 196 Vulnerability. Retrieved 10 January, 2017, from: www.airtightnetworks.com/WPA2-Hole196
Bitglass. (2013). PCI Data Security Compliance & BYOD. Retrieved 10 January, 2017, from: https://cdn2.hubspot.net/hub/313952/file-704205437-pdf/Collateral/PCI-DSS-BYOD.pdf?t=1398711559627
CIO council. (2012). Bring your own device. A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs. Retrieved 10 January, 2017, from: https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf
(2013). Insights on governance, risk and compliance. Bring your own device. Retrieved 10 January, 2017, from: https://www.ey.com/Publication/vwLUAssets/EY_-_Bring_your_own_device:_mobile_security_and_risk/$FILE/Bring_your_own_device.pdf
Goode, A. (2010). Managing mobile security: How are we doing? Network Security, 2010(2), 12-15. doi: https://dx.doi.org/10.1016/S1353-4858(10)70025-8.
Hanover Research. (2012). Regulatory Considerations for BYOD Policies. Retrieved 10 January, 2017, from: https://www.attachmate.com/solutions/in-response-to-your-mobility-demands/MobileDeviceManagement/RegulatoryConsiderationsforBYODPolicies.pdf
InfoLawGroup LLP. (2012). The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device). Information Law group. Retrieved 10 January, 2017, from: https://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-and-legal-implications-of-byod-bring-your-own-device/
Masin, J. (2013). Peer-To-Peer (P2P) File Sharing Risks. Retrieved 10 January, 2017, from: https://www.securedocs.com/blog/2013/02/peer-to-peer-p2p-file-sharing-risks/
Singh. (2012). B.Y.O.D. genie is out of the bottle Devil Or Angel. J. Business Manage. Social Sci. Res. 1(3), pp. 1–12.
Ogie Robert. (2016). Bring your own device: an overview of risk assessment. Faculty of engineering and information science. University of Wollongong. Retrieved 10 January, 2017, from: https://ro.uow.edu.au/cgi/viewcontent.cgi?article=6446&context=eispapers
K. Gajar, A. Ghosh, & S. Rai. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Res. Comput. Sci. 4(4), pp. 62–70.
Pearson A. (2014). The Impact of BYOD on Organisation Security. Security innovation Europe. Retrieved 10 January, 2017, from: https://www.securityinnovationeurope.com/blog/the-impact-of-byod-on-organisation-security
Rene Millman. (2013). Surge in BYOD sees 7/10 employees using their own devices. ITPro.
Smith Tom. (2016). BYOD Security: Expert Tips on Policy, Mitigating Risks, & Preventing a Breach. Digital guardian. Retrieved 10 January, 2017, from: https://digitalguardian.com/blog/byod-security-expert-tips-policy-mitigating-risks-preventing-breach
Wainwright A. (2016). 7 benefits of BYOD on enterprise wireless networks. Securedge networks. Retrieved 10 January, 2017, from: https://www.securedgenetworks.com/blog/7-Benefits-of-BYOD-on-Enterprise-Wireless-Networks
Willis D. A. (2013). Bring Your Own Device: The Facts and the Future. Gartner. Retrieved 10 January, 2017, from: https://l1.osdimg.com/remote-support/dam/pdf/en/bring-your-own-device-the-facts-and-the-future.pdf
Winn A. (2015). How Regulated Industries Can Successfully Use BYOD. OPSWAT. Retrieved 10 January, 2017, from: https://www.opswat.com/blog/regulated-industries-can-use-byod