The EU General Data Protection Regulation comes into effect next year, and organisations that aren't prepared will risk a substantial fine if they suffer a data breach or otherwise fail to comply. While it's absolutely correct that organisations need to prepare for this regulation and that data security needs to get on to the boardroom agenda, there is an equal risk of organisations simply locking everything down and causing a reduction in productivity as a result. A recent report suggesting that UK councils don't have a BYOD strategy sparked this concern for me.
BYOD is now the expected norm for many employees, so organisations need to consider it in terms of attracting and keeping top talent. Meanwhile, not having a BYOD policy doesn't necessarily stop people bringing personal devices to work, but it certainly does stop organisations from having any visibility of what's happening to corporate data on those devices. Organisations shouldn't be scared of BYOD; there are many advantages once the right policy is in place.
BYOD is a necessity, not a luxury
Depending on the type of organisation and the specific roles of its employees, not all employees will be based at a desk every day. For those employees, being able to access corporate information on the move is simply a requirement of the job. Even those who are mostly desk-based might still need to travel to meetings and access information on the way or during the meeting itself. If access is restricted, the organisation is not as productive as it could be, and employees who just want to get on with their jobs become frustrated and may move on to another organisation where they can enjoy better job satisfaction. It's hard to think of a situation whereby an entire organisation would never need to access information on the go.
The EU GDPR makes it the right time for BYOD
Rather than open up an organisation to more risk, the right BYOD strategy can play an integral role in an organisation's preparation for the EU GDPR. The new regulation applies to any organisation that holds or processes the personal data of individuals in the European Union, wherever the organisation itself is based, so even once Brexit is triggered, most UK organisations will still need to comply with it. Some of the key tenets of the regulation include putting measures in place to protect personal data, ensuring that only those who need access to information have it, and ensuring that a breach is reported to the supervisory authority in good time (within 72 hours of becoming aware of it, where feasible). A strong BYOD strategy will help compliance with all of these things.
Developing the right BYOD strategy
This starts with creating the policy itself, and this is where an organisation can ensure its BYOD policy meets the requirements of the EU GDPR as well as any additional industry-related requirements, for example in healthcare, financial services or the public sector. As well as creating a policy that works for both the organisation and the employee, the organisation also needs to educate its employees about the BYOD policy and the EU GDPR so they understand the consequences of breaking the policy. Enterprise Mobility Management (EMM) is also paramount to securing the BYOD policy, as it enables the organisation to establish processes for handling issues such as lost or stolen devices and what to do when an employee leaves.
Ensuring efficiencies and avoiding the fines
One of the best ways to ensure efficiencies and continued productivity is to ensure that employees are on board with your BYOD policy. This means making sure that, as part of the BYOD strategy, employees can easily configure their devices and easily, but securely, access what information they need. Ease-of-use should be a priority; if it's difficult or time-consuming to access the information, employees may find workarounds and this is where your BYOD strategy fails.
Some employees can also be concerned about the privacy of the personal data on their own devices and the ability of the organisation to access and/or wipe everything. EMM solutions often include container security that separates apps and data into a personal container and a corporate container, so that only the corporate container is managed and can be wiped. This helps to address those concerns and makes it easy to remove corporate data when employees move on.
BYOD, EU GDPR and the network
It's not just employees themselves who expect to be allowed to access an organisation's network today; it's also guests, visitors and business partners who attend meetings or workshops with existing employees. This, and the increase in BYOD, means that never before have so many endpoints accessed the network. In addition to the number and variety of devices, there is also the volume of different applications with which these devices are accessing the network. To secure the network in this scenario, organisations need to consider solutions that offer granular control over access, whereby they can monitor and manage mobile device sessions both on-premises and over a secure SSL VPN.
Organisations that steer away from BYOD because they fear it will cause a data breach which could cost them four percent of their annual global turnover or €20 million, whichever is greater, are wrong to do so. There is no reason why a well-managed and well-understood BYOD policy should increase the risk of a data breach. In fact, this kind of BYOD policy can be a great place for organisations to start when preparing for the EU GDPR and ensuring their preparations don't restrict the productivity of their employees.
Contributed by Paul Donovan, EMEA sales director, Pulse Secure
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.