End in sight for BYOD?
A cursory reading of today's Telegraph newspaper would suggest that the days of BYOD are over, as the paper reports: “Britain's spies have told businesses to consider stripping employees of company smart phones and memory sticks to protect themselves from cyber-attacks.”
In fact, the Telegraph appears to have taken the advice in the updated ‘10 Steps to Cyber Security’ guidance issued by CESG – reported on by SC last November – and then extrapolated that advice beyond its logical conclusion: if staff should only use trusted Wi-Fi networks, then using public networks can be ruled out, hence no mobiles. However, the document also warns firms that staff are the “weakest link in the security chain”, which, if also taken beyond its logical conclusion, would suggest complete automation.
What the advice actually says on mobile is more measured, simply pointing out that it is necessary to protect data at rest by minimising the amount of information stored on a mobile device to only that which is needed and, if the device supports it, encrypting the data at rest. When working remotely, the connection back to the corporate network will probably use an untrusted public network such as the Internet. Therefore the device and the information exchange should be protected by an appropriately configured Virtual Private Network (VPN). It notes that mobile working attracts significant risks, so corporate incident management plans should cover the range of security incidents that could occur, including the loss or compromise of a device in international locations, and removable media are an obvious risk, enabling data to be taken off premises.