THE ALLURE OF THE POTENTIAL COST SAVINGS OF BRING YOUR OWN DEVICE PROGRAMS IS TOO GREAT FOR MANY AUSTRALIAN ORGANISATIONS TO RESIST.
Not only do the financials of Bring Your Own Device (BYOD) programs look good (the immediate cost savings from the organisation not purchasing the handsets or paying the service plan fees), the organisation is seen as progressive and understanding by allowing employees to pick their own device and avoid the growing phenomenon of carrying two devices, one for work and one for personal use.
In the rush to realise these cost savings with a BYOD program for smartphones and tablets (for example) often overlooked are the numerous and complex risks issues that arise, ranging from information security, general regulatory and privacy compliance through to unhappy employees when the “wipe” command is given and the relevant employees lose years of not backed up irreplaceable family photos and videos!
Based on our experience assisting clients in this space and the results of numerous surveys, BYOD smart phones and tablets are the “Achilles heel” of the IT security of most organisations and the technology most often (by a long way) involved in cyber-attacks, data breaches and general privacy issues.
Of course the risks inherent in a BYOD program are not insurmountable or particularly new, often having been dealt with in respect of other parts of the organisation’s IT infrastructure and security (eg for laptops and work smart phones).
In practice, however, we see many Australian organisations simply not address, often not even consider, the potential risks and issues arising from their BYOD program, let alone implement the appropriate policies or risk management framework. In some of the most extreme cases we have seen BYOD programs run without any involvement of the IT or compliance teams, with no understanding that such devices are part of the organisation’s IT infrastructure and therefore no consideration or application of the IT risk management plan or processes or addressing the need for these devices to be treated and managed as part of the organisation’s wider IT systems/infrastructure.
Your general security obligations
It is now over six months since the Australian Privacy Principles (APPs) took effect on 12 March 2014 and yet many organisations still do not appreciate their legal obligation under the APPs (in particular APP 11) to “take such steps as are reasonable in the circumstances to protect the [personal] information from misuse, interference and loss and from unauthorised access, modification or disclosure”.
The Privacy Commissioner has outlined what these “reasonable steps” are to fulfil this security obligation in a 32 page Guidance (which is currently being updated and we expect will be finalised and reissued soon, with no material changes from the existing Guidance). In our experience at least 40% of the measures suggested by the Commissioner as “reasonable steps” necessary to meet an organisation’s security obligations under APP 11 will take most organisations by surprise. Our analysis of the information security obligations of Australian businesses under the Privacy Act can be found in our earlier Update on security obligations.
In addition to the security obligations imposed by the APPs, as explained in our recent Update on cyber risks and the impact on company directors, it is also clear that the security of personal information held by an organisation and management of cyber risks are now part of the duty of care and diligence of a director owed to the organisation. Failure to consider and plan for such at Board level may result in, among other things, liability of the directors for breach of their duty of care and diligence.
So how does your organisation mitigate the risks? What are the key elements of a BYOD program?
First and foremost it is fundamental to know and understand the unique risks posed by a BYOD program (or, for that matter, any technology) to the organisation and determine and prioritise which risks are to be dealt with, in what manner and with what resources.
