Comment: Managing security and the implications of BYOD
by Mark Pearce*
There is a revolution taking place in the world of wireless networking solutions. Take Christmas Day in 2012 for example, when 17.4 million Apple and Android mobile devices were activated. To put that into perspective, that’s two-and-a-half-times the previous record set on Christmas Day 2011.
Those wireless devices are not just staying at home. They are coming from the shopfloor, into work and into the boardroom. Quite simply, anywhere that people go, their wireless devices are going along for the ride. While corporate wireless networks may be experiencing more demand now than ever before, the truth is that this is just the beginning and law firms will have no choice but to adapt their strategies and working practices in response.
With competition amongst law firms being fierce, they have had to look for ways to provide their clients with value-added services at competitive rates. Both lawyers and their clients need efficient ways to communicate and collaborate using secure and reliable technologies. The workforce has become increasingly mobile, and more members of staff prefer to use their own devices at work.
Consumer electronic devices such as smart phones and tablet computers have seen a huge rise in popularity, available features and capability. Many law firms are faced with demands from employees, board members or even customers wishing to use these devices in the workplace to carry out their jobs. This might mean that the individuals’ own devices are used to access and store corporate information, as well as their own. This trend is commonly known as bring your own device or BYOD.
The underlying feature of BYOD is that the user owns, maintains and supports the device. This means that the IT department will have significantly less control over the device than it would have had over a traditional corporately owned and provided device. The security of the data held on the BYOD device is therefore a primary concern given that the IT department may have a large number and a wide range of devices to consider.
What to consider
One of the issues with BYOD devices is that today’s mobile devices have a huge storage capacity and provide instant access to the Internet, to social networks and to email, with the result that the information stored on them falls outside the control of the organisation. The organisation also needs to take into account compliance with the Data Protection Act 1998 (the DPA). The DPA requires that businesses must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
As organisations in the legal sector handle highly sensitive information that can be used during litigation proceedings, security and monitoring capabilities are critical. Thanks to mobile device management (MDM) and mobile application management (MAM) solutions, legal businesses can ensure that all compliance requirements are met and data is secure.
An effective BYOD policy can contribute towards a number of benefits for a legal firm, including improved employee job satisfaction, overall morale boost, increased productivity and increased flexibility. A study by analyst firm, Forrester found that 33% of respondents had spent their own money on devices to help them do their job. The upshot is that more people have a higher level of comfort in using technology than ever before. The mobility boom can be traced to two converging trends: the desire for employees to be responsive to customers and colleagues in a global, always-connected world and a desire to save money by not replicating a device that employees may already own. In a way, you could say that mobility has solved one of the hardest aspects of deploying applications – getting users excited.
How to approach BYOD
Before allowing BYOD working practices, law firms need to ask themselves:
· Is our wired and wireless network prepared?
· Is it up to the job of supporting the surge in devices wishing to connect to our corporate network?
The truth is, this is just the beginning of the mobility trend. Projections indicate we can expect the number of BYOD devices to continue to skyrocket, with more devices, applications and traffic demands on the way. It is essential to know:
· How many devices will be entering the network?
· What they are (Apple, Android, Windows etc)?
· What they are being used for?
Finally, the capability to have a level of visibility of the network layer is critical. Amazingly, many law firms haven’t considered this. Therefore, the first important step is to review the capabilities of the existing IT infrastructure and ensure it is fit for purpose.
The BYOD policy
Once the network infrastructure is in place and ready to support BYOD, it is important that users connecting their own devices to the legal network clearly understand their responsibilities. This is where a BYOD policy comes into play. Don’t forget that an important component of any policy is audit and on-going monitoring for compliance. Regular checks will ensure that the policy is being adhered to.
12 Top tips for law firms to consider when drafting a BYOD policy:
1. Implement and maintain an Acceptable Use Policy to provide guidance and accountability of behaviour to staff
2. Consider your need for a Social Media Policy as BYOD leads to an increased use of social media
3. Be clear about which types of personal data may be processed on personal devices and which may not
4. Research the legal implications of BYOD in order to assess and manage the risks
5. Include all relevant departments (including IT & HR) and the end users in the development of an Acceptable Use Policy
6. Use a strong password to secure the device
7. Use encryption to store data on the device securely
8. Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
9. Ensure that the device automatically locks if inactive for a period of time
10. Make sure users know exactly which data might be automatically or remotely deleted and under which circumstances
11. Maintain a clear separation between the personal data processed on behalf of the law firm and that processed for the device owner’s own purposes, for example, by using different apps for business and personal use
12. Outline which mobile devices will be allowed, e.g. Apple, Android, Windows etc
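Several of the tips above (allowed platforms, strong passcodes, encryption, wipe after too many failed attempts, automatic locking and separating work data from personal data) are controls an MDM reports per device, and the earlier section asks how many devices are on the network and what they are. The following added example, which is not from the article or from any MDM product, checks a small constructed device inventory against those controls and summarises the platform mix. The record field names, the `ByodPolicy` thresholds and the sample devices are all assumptions chosen for illustration.

```python
"""Evaluate a constructed BYOD device inventory against a written policy.

The checks mirror the controls listed in the policy tips: allowed platforms,
passcode strength, storage encryption, wipe after repeated failed unlocks,
automatic lock on inactivity, and a separate work container for firm data.
Field names, thresholds and device records are constructed for this example.
"""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ByodPolicy:
    # Threshold values are assumed for illustration, not taken from the article.
    allowed_platforms: frozenset = frozenset({"ios", "android", "windows"})
    min_passcode_length: int = 8
    max_failed_attempts_before_wipe: int = 10   # wipe must trigger at or below this
    max_autolock_minutes: int = 5               # device must lock within this many minutes
    require_encryption: bool = True
    require_work_container: bool = True         # separate app/container for firm data


def evaluate_device(device: dict, policy: ByodPolicy) -> list[str]:
    """Return the policy violations for one device record (empty list = compliant)."""
    violations = []

    platform = str(device.get("platform", "")).lower()
    if platform not in policy.allowed_platforms:
        violations.append(f"platform '{platform or 'unknown'}' is not on the allowed list")

    if device.get("passcode_length", 0) < policy.min_passcode_length:
        violations.append(
            f"passcode shorter than {policy.min_passcode_length} characters")

    if policy.require_encryption and not device.get("storage_encrypted", False):
        violations.append("device storage is not encrypted")

    # 0 or missing means the failed-attempt wipe is switched off entirely.
    wipe_after = device.get("wipe_after_failed_attempts") or 0
    if wipe_after == 0 or wipe_after > policy.max_failed_attempts_before_wipe:
        violations.append(
            f"no wipe within {policy.max_failed_attempts_before_wipe} failed unlock attempts")

    # 0 or missing means the device never locks on inactivity.
    autolock = device.get("autolock_minutes") or 0
    if autolock == 0 or autolock > policy.max_autolock_minutes:
        violations.append(
            f"does not auto-lock within {policy.max_autolock_minutes} minutes of inactivity")

    if policy.require_work_container and not device.get("work_container_installed", False):
        violations.append("firm data not separated into a managed work container")

    return violations


def evaluate_inventory(devices: list[dict], policy: ByodPolicy) -> dict[str, list[str]]:
    """Map each device id to its list of violations."""
    return {d["device_id"]: evaluate_device(d, policy) for d in devices}


def platform_summary(devices: list[dict]) -> dict[str, int]:
    """Count devices per platform: the 'how many and what are they' question."""
    return dict(Counter(str(d.get("platform", "unknown")).lower() for d in devices))


# Constructed sample inventory, as an MDM export might present it.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "platform": "iOS", "passcode_length": 8,
     "storage_encrypted": True, "wipe_after_failed_attempts": 10,
     "autolock_minutes": 2, "work_container_installed": True},
    {"device_id": "dev-002", "platform": "Android", "passcode_length": 4,
     "storage_encrypted": False, "wipe_after_failed_attempts": 0,
     "autolock_minutes": 15, "work_container_installed": True},
    {"device_id": "dev-003", "platform": "BlackBerry", "passcode_length": 10,
     "storage_encrypted": True, "wipe_after_failed_attempts": 5,
     "autolock_minutes": 5, "work_container_installed": False},
]


if __name__ == "__main__":
    policy = ByodPolicy()
    print("Platforms on the network:", platform_summary(SAMPLE_INVENTORY))
    for device_id, problems in evaluate_inventory(SAMPLE_INVENTORY, policy).items():
        status = "COMPLIANT" if not problems else "NON-COMPLIANT"
        print(f"{device_id}: {status}")
        for problem in problems:
            print(f"  - {problem}")
```

Running the block reports dev-001 as compliant, dev-002 as failing the passcode, encryption, wipe and auto-lock checks, and dev-003 as failing only on platform and work/personal separation. The same evaluation can be re-run against each new inventory export, which is the regular compliance check the policy section calls for.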
Through the communication of a strong mobile device acceptable use and security policy, law firms can define user conduct, support policies, IT support responsibilities, and security controls and features with very little room for confusion. These documents provide general use guidelines for users accessing the law firm network and deliver a framework for conduct for staff and guests alike.
It is also important to appoint a leader. A BYOD solution should not be a responsibility that goes hand in hand with the many other day-to-day IT management tasks. Appoint a member of staff to be a cross-functional leader who will oversee the BYOD strategy as a whole. Ensure adequate time is taken to plan appropriately, and make sure you know which devices you will and won’t support.
Lastly, review policy compliance regularly – there’s no point in setting policies if they’re being violated and content isn’t secure.
* Mark Pearce is the strategic alliance director at Enterasys Networks. www.enterasys.com