Bring out the best

The term ‘BYOD’ (bring your own device) has been around since at least 2009. Initially credited to Intel, it describes the policy of letting employees access their company’s network using their own personal devices. Since then, the dilemma for many law firms has been whether to adopt this policy or not.

Before you read on, you may have already decided BYOD is not for you. However, ask yourself the following.

• How are you managing your risks related to personal devices in the workplace?
• Do you know who is already using a personal device to process company data?
• Regardless of ownership, how are your mobile devices managed?

Employees often use their own devices at work, whether it’s part of a business strategy or not. This means that BYOD ‘by stealth’ is probably already happening in your firm, so you need to manage the risks whether you decide to implement a formal BYOD policy or not.

In this article, I look at the pros and cons of BYOD, how to manage it effectively, and some alternative approaches if you decide BYOD isn’t for you.

How does BYOD work?

BYOD doesn’t have to be all or nothing. There are different ways to implement it, including:

• as a replacement – allowing personal devices to be used instead of those provided by the firm
• to complement – allowing employees to use personal devices alongside those provided by the firm
• in addition to – allowing employees who don’t normally have firm-provided devices to use their own devices.

You can use BYOD to give employees access to specific systems and in specific ways, for instance:

• to access email only
• to view, or both view and update your customer relationship management or matter management system
• to access legal documents in court.

Each approach brings its own benefits and carries its own risks.

The advantages of BYOD

The benefits include:

• increased productivity – through more efficient working hours, possibly longer working hours, or providing access to systems that employees wouldn’t normally be able to access remotely
• cost savings – employees buy their own devices and often support them, reducing IT purchase and running costs
• increased employee satisfaction – employees can use equipment they are familiar with and that suits them, and use their favourite apps, because the device isn’t constrained by corporate policies
• improved customer service – your employees will have their personal device with them 24/7, so customers may get quicker responses (although work-life balance should be considered carefully)
• flexibility – onboarding of new starters and temporary workers will be quicker, and resistance to change during mergers and acquisitions will reduce, because new employees will not have to adopt a new company standard for equipment
• business continuity – BYOD allows users to access mobile applications remotely from a range of devices, so they can continue to work remotely if there are problems with the company’s infrastructure or premises.

The risks of BYOD

Potential disadvantages may include:

• loss of data – if your employees are transferring data to their own device, or to cloud storage which is accessible from their device, data could be lost if you don’t control it
• malware infection – devices without antivirus software may become infected, leading to loss of data or of confidentiality, or an infected device could pass this infection to the company network, creating a bigger problem
• confidentiality – personal devices may be accessed by children and partners more often than corporate ones, increasing the chances of confidential information being accessed and shared
• reputational damage – the above risks could lead to leaking of customer or business partner data, which could mean you fall foul of the General Data Protection Regulation (GDPR), and/or incur costly damage to your company’s reputation
• liability – it may not be clear who replaces a broken, lost or stolen device while it is being used for company business
• increased costs – while your hardware costs may decrease, your support costs may increase.

How to mitigate the risks

The risks outlined above may seem insurmountable, but the benefits can certainly be realised through thoughtful management and planning.

Below, I look at two of the key areas of risk management around BYOD.

Plan for security incidents

It’s not uncommon for mobile devices to be lost or stolen. The important thing is that you have a plan for these events. Rehearse your procedures to ensure they work in practice.

1. Be clear about who employees should contact when an incident occurs.
2. Respond quickly to minimise data loss: revoke access to business systems to reduce the chances of a wider network compromise, and consider whether you need to remotely wipe business data on the device.
3. Identify who will replace the lost or stolen device. Consider the timing of this: is it urgent, as any delay could have an impact on the employee’s productivity?
4. Document lessons learned after the incident has been dealt with.

Invest in software solutions

Mobile device management (MDM) and mobile application management (MAM) have been specifically developed to protect devices that don’t physically connect to the network.

MDM protects the device. Typically, it’s a combination of software installed on devices and configurations policies installed from the servers they connect to. MDM policies might, for instance:

• require devices to have a PIN or password to access them
• enable tracking, for remote data wipe and remote location
• ensure that core software is installed, such as antivirus and encryption
• install new, or remove old, software remotely
• centrally audit which devices have access to the network, so you can enable or prevent access centrally.

MAM controls access to mobile applications, usually at a more granular level than MDM. For instance, it might:

• restrict screen shots
• restrict copying and pasting of information from one application to another
• control sharing between applications
• prevent use of cloud storage
• require individual PINs for applications
• wipe application data, while leaving personal data intact.

Most MDM and MAM solutions also provide “container applications”, where specific applications, such as email, operate independently of the device or of other applications. Containers thereby separate personal and organisational data. Using containers may seem like a worse user experience – for example, they may need to use two email applications, rather than having a single inbox. However, containers make it much easier for a business to remotely wipe its data from a personal device while retaining personal data.

A combination of MDM and MAM software, coupled with robust policies, processes and procedures will reduce or mitigate most of the risks I have mentioned – or any you identify.

Good practices for BYOD

1. Document your objectives for BYOD, using plain English so those involved in implementing, supporting and using BYOD understand the aims of the programme.
2. Develop a BYOD policy, outlining organisational and employee responsibilities. It should:
   • define employee eligibility (that is, which roles are eligible for BYOD)
   • set rules for password length and complexity, and PIN requirements for devices
   • require users to use two-factor authentication (2fa), where applicable
   • detail what types of device (for example, make and model) are allowed on the network
   • list allowed and banned applications
   • outline minimum device requirements, such as software versions or antivirus protection
   • include incident-reporting guidelines (what to do if the device is lost or stolen)
   • detail any funding or reimbursement expectations
   • include device policies you will enforce, such as prevention of copying and pasting between apps
   • outline acceptable usage guidelines (or point to them in your general network acceptable usage policy)
   • explain the employees’ responsibilities when it comes to the protection and privacy of customer and business data (or point to them in your general data protection policy).
3. Take an inventory of your data sources. Identify the data that is sensitive, and where and how it’s stored. (You may have done this already, in preparation for GDPR.)
4. Do a risk assessment. Your risks may be one, all or none of those mentioned above. The risks will depend on what you allow your employees to access.
5. Document the support model: who is responsible for the upkeep and maintenance of the device, and what happens if, for instance, a screen gets broken or software needs to be updated.
6. Document the procedure for leavers. What happens when an employee leaves, taking their own device with them? How is access revoked? What happens to that person’s telephone number when they move on?
7. Develop and implement a training plan to cover the following:
   •  security awareness and good practice
   • how to enrol for BYOD
   • your firm’s acceptable use policy
   • financial arrangements
   • security protocols
   • how support is provided
   • legal and privacy issues
   • how to report a security incident.

What are the alternatives to BYOD?

If BYOD isn’t for you, there are other options for providing choice, flexibility and a balance of control.

The zero-trust model

This means that you don’t trust any device that accesses the network. This can be achieved by using applications that only store their data in the cloud. For instance, the LEAP Legal App provides mobile access to data seamlessly, while still retaining central control of data and access security. If a device is lost or stolen, no data is stored on the device, and access can be revoked.

Choose your own device

This can provide flexibility and choice for employees, while limiting risk. Employees select from a list of approved devices, which are purchased and controlled centrally. This gives many of the benefits of BYOD without the same levels of risk.

Dual SIM devices

Some models of phone allow dual SIMs, so employees can have a work number and a personal number. This allows the firm to separate usage and control, and gives employees increased flexibility. However, as this means personal and work accounts are on a single device, this would still require remote management and secure configuration to maintain security.

Conclusion

There is no doubt that mobile devices will enhance the competitive advantage of any company. With BYOD here to stay – and BYOD ‘by stealth’ happening all the time – all organisations should have a plan to manage the potential risks and realise the benefits. Failure to deal with the risks could result in data breaches and potentially huge fines. Missing out on the benefits puts you behind your competitors. Have a plan.