Bring Your Own Device

Size: px

Start display at page:

Download "Bring Your Own Device"

Juniper Mitchell Lane
8 years ago
Views:

1 Bring Your Own Device Save costs, deliver flexible working and manage the risks Gary Shipsey Managing Director 25 September 2014

2 Agenda Bring Your Own Device (BYOD) and your charity and how to avoid the pitfalls. Understand the benefits and risks and who is responsible for what. 1 Cash those savings but budget for the costs. 2 3 Different approaches to BYOD 2

3 1. Who are you? 2. Why are you here? 3. What is your understanding of BYOD (if any) at your charity? 4. Devices on the table! 3

4 1 Understand the benefits and risks Why? 4

5 Benefits Hardware costs Maintenance costs Productivity Efficiency It is happening anyway?? 5

6 Risks Theft Loss Unauthorised access 6

7 Risks If the device Stores Your data. Theft Loss Unauthorised access They have the data You don t 7

8 Risks If the device Connects to your Your network enables remote access to your Your software or systems Theft Loss Unauthorised access Theyy can try and access or copy your information 8 They can introduce a virus A family member many unwittingly access info.

9 Risks If the device AND another company Stores Your Your @Btinternet.com 9 The data is outside your Your managed (secure) environment

10 Risks The employee / volunteer owns, maintains and supports the device You will have significantly less control over the device 10

11 Risks You remain responsible for the data on their device regardless of the ownership of the device used for the activity 11

12 Aberdeen City Council Authorised Work from home + access highly personal, sensitive and confidential information about children, their family and involvement with Social Services. Own (2 nd hand) PC + File transfer programme installed + Autosaved files to My Documents 12 = = uploaded the entirety of [the] My Documents file onto the internet. accessible to all internet users by inputting specific search terms such as the names of attendees at the meeting. Minutes of a core group meeting held about the child, A Looked After & Adopted Children Review minute The child s plan.

13 Aberdeen City Council Policy impractical and ambiguous did not supply the necessary technical measures required to safeguard personal data accessed by the employee working at home. Reputational damage A national newspaper was tipped off about the incident. They located the data online and published a story (albeit without identifying any of the individuals affected). Fine 100,000 13

14 k Requirements Expectations and Awareness Regulator(s) Public Media 14

15 5,641,000 Total fines since Undertakings issues CEO s named and shamed 112,820 Average fine 15

16 270,000 Highly sensitive info. four children left outside a home by a social worker Sought advice on abortion, pregnancy & contraception approx. 9,900 people exposed after a hack Folder left in a café. 6 Loss of three service users files during an office move. Thefts of an unencrypted laptops. Two unencrypted memory sticks and papers (personal details of up to 101 individuals) stolen from an employee s home. 16

17 17

18 2 Cash those savings, yes but budget for some costs? 18

19 Benefits Hardware costs costs Maintenance costs costs Productivity Productivity Efficiency Efficiency Software cost Policy Oversight 19

20 Risks You must ensure appropriate technical + appropriate organisational unauthorised or unlawful processing accidental loss accidental destruction damage to 20

21 Risks You must consider the state of technological development the cost of implementing any measures must implement measures that ensure a level of security appropriate to 1 the harm that might result from a breach, and 2 the nature of the data to be protected 21

22 Risks You can have a risk-based approach deploy greater protection to the more sensitive personal information. 22

23 Risks You remain responsible for the data on their device regardless of the ownership of the device used for the activity 23

24 So how will You 1. Ensure they install the latest patches and security updates? 2. Control which software and applications they install? 3. Ensure they use encryption? 4. Ensure they use passwords / pins? 24

25 and how will You ensure: a) Backup of data? b) Appropriate retention? c) Accuracy of information? d) Subject Access Requests? e) Use of the device for non-business purposes? 25

26 3 Different approaches to BYOD Cash those savings, yes but budget for some costs. 26

27 Policy Decisions 1. Will you permit remote access (or not)? Which staff need to work remotely. Which staff are allowed work remotely. Which personal information can be accessed remotely. Deploy greater protection for the more sensitive personal data. 27

28 Policy Decisions 2. Will you permit staff to use their own devices (or not)? Which staff are allowed to use their own devices. Which staff must use your devices. What measures will you require staff to follow. Deploy greater protection for the more sensitive personal data. 28

29 Say NO to BYOD A Provide Your devices for remote working Provide sufficient protection, e.g.: 1. Appropriate ICT to the staff that need it 2. Ensure sufficient encryption and access control 3. Ensure sufficient training so staff know how to use the equipment and 29 recognise why there are controls & procedures in place

30 Say NO to BYOD A Provide Your devices for remote working Expect them to work remotely but haven t given them sufficient tools? Is what you have provided fit for purpose? 30

31 B BYOD Say YES to BYOD to access personal information Measures to be taken: 1. Support / permit only certain devices, programs and apps that meet your requirements If possible, exploit existing systems and tools, e.g. Citrix; VPN. 2. Anti-virus software 3. Remote wipe function 4. Encryption of device 31

32 B BYOD Say YES to BYOD to access personal information Measures to be taken: 5. Access Control 6. Password Policy 7. Backup Cloud-based (automatic) or via policy. 32

33 C BYOD Say YES to BYOD to access sensitive personal information Additional measures to be taken: 8. Deploy a sandbox i.e. technical measure to separate running programs into a tightly controlled environment. 9. Monitor (and audit) data movement. 33

34 1. Will you permit remote access (or not)? 2. Will you permit staff to use their own devices (or not)? A Provide Your devices for remote working B C BYOD BYOD to access personal information to access sensitive personal information 34

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION