Confident Response Series: Bring Your Own Device (BYOD)

BYOD – A PRACTICAL SOLUTION OR A RISK TOO FAR?

For our fourth Confident Response Series session with Kroll last year, our speakers were Gerallt Owen (Managing Director, Kroll Cyber Singapore), Bryan Tan (Partner, Pinsent Masons Singapore) and Jenny Zhuang (Of Counsel, Dentons Hong Kong), with Steve Tunstall (General Secretary, PARIMA) as moderator, for a 45-minute session on the use of BYOD and how to navigate the risks associated with it.

Gerallt Owen introduced Bring Your Own Device (BYOD) as an "organisational policy that allows employees to use their own electronic devices to access the organisation's information, including personal data collected by the organisation."

Due to COVID-19, many firms were able to implement business continuity plans to facilitate remote working as countries worldwide increasingly embraced a work-from-home culture. However, other businesses were unprepared for the fast-evolving situation and the shift in the workforce. They were forced to find quick technology solutions to adapt and resorted to BYOD without realising the additional risks to the business and their employees.

Although the practice of BYOD is not new, the pandemic has catapulted BYOD into a significant force across the business landscape. The adoption of BYOD increases the organisation's exposure to malware, legal and regulatory risks, data theft, and data loss. This drives firms to establish administrative, physical, and technical measures to ensure robust protection.

The importance of a BYOD policy on third party liability risks and employment relationships.

According to Jenny Zhuang, "When employers show that it has implemented a BYOD policy, has good governance and internal controls in place when a security breach occurs, it has a greater chance of satisfying the regulators that it has done everything in its power to mitigate against the risks of cyber-attacks and security breaches."

Employees, for their part, need to understand that BYOD may allow an employer a limited but reasonable right to access their personal devices, alongside proper communication and training.

In terms of obligations, Bryan Tan shared, "When a data breach affects personal data in possession of an organisation or under its control, BYOD devices of an employee is still under their control. This obligation is enforced albeit, with the increased financial penalty caps that have not been put in, it is still mandatory to notify of the breach."

Further into the discussion, he emphasised the necessity of reinforcing compliance with BYOD protocols through a combination of policy, legal and contractual measures. In allowing BYOD, organisations are responsible for protecting private information about employees, and any protective measures implemented by the organisations should also respect such personal information.

Wrapping up the session, the speakers shared their key takeaways for risk managers to mitigate the risks that come with BYOD.

  • The solution is to realise the importance of taking proper measures before any situation occurs. The key is to implement security systems to cover any potential risks.
  • Risk managers should consider turning their attention to revamping policy issues and mitigating liability risks with good corporate governance. 
  • Besides BYOD, Remote Desktop Protocol (RDP) is another security risk most often overlooked by organisations. It is critical for risk managers to ensure security in accessing remote desktops with virtual desktop and software solutions.


Access more of the sessions at www.parima.org/confident-response-series.

__________________________________________________________________________

The PARIMA Confident Response Series aims to bring one session every quarter to help risk managers fine-tune their incident response preparedness and understand the latest tactics, techniques, and procedures from the most successful cybercriminals, leading to deeper collaboration with business partners and mitigation of technical, legal, and reputational risks.

Steve Tunstall

Board Chair & Director, Risk, Technology, Sustainability and Insurance, open to Board, AC, and Risk Committee positions

2y

This was a great session, thoroughly enjoyed moderating
