Bring Your Own Device is, at face value, simply a matter of workers using their laptops, tablet PCs and smartphones for business purposes. Scratch beneath the surface, however, to reveal a number of information security and privacy issues. The distinction between ownership and control of the data versus the device has ramifications since workers are likely to consider some of the information on their devices private, while the organization needs to protect and secure business data which implies control of the device.
Internet of Things presents a heady mix of risks and opportunities with substantial commercial, safety, privacy and information security challenges, and sociological implications. IoT revolves around smart IT devices (“things”) that communicate via networks. The nature, purpose and capabilities of those smart devices, and the way they are networked and controlled, vary widely in practice.
IoT and BYOD – the perfect storm?
From an ordinary worker's perspective, BYOD is simply about working on his/her choice of ICT devices, rather than having to use those provided by the organization. What difference would that make?
- Ownership and control of the device is distinct from ownership and control of the data;
- The lines between business use and personal life are blurred;
- The organization and workers may have differing expectations concerning security and privacy;
- Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often remote, changes the cyber risk profile;
- Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc.
In the corporate context, IoT is more than just installing and accessing assorted things through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are technically and physically diverse, often inaccessible with limited storage, processing and other capabilities (particularly security). If they are delivering, enabling or supporting business- or safety-critical functions, the associated risks may be serious or grave.
- Introduce IoT and BYOD, setting the technology and business contexts particularly, and drawing out the information risks;
- Explain typical information security controls relevant to IoT and BYOD;
- Motivate IoT and BYOD users to recognize and deal with the information risks, security and privacy aspects;
- Help managers and specialists appreciate both the risks and the opportunities presented by IoT and BYOD, developing corporate approaches, strategies, policies and procedures accordingly.
What about your learning objectives in relation to IoT and BYOD security. Are there any specific concerns, perhaps recent incidents or recurrent issues that need to be understood and addressed more effectively? Are things used in your buildings, perhaps on the shop floor and warehouses? Are workers using wearables for legitimate work purposes … or simply because they love their shiny new toys? These are all good reasons to spread awareness far beyond the IT Department and even traditional IT users, and they are potential sources of relevant anecdotes, case study materials, perhaps even guest speakers for your awareness sessions.
By the way, if management essentially has no idea which devices and things are in use, by whom, where and for what purposes within the organization, that alone begs governance questions about their control, ownership and security. Compiling and maintaining an inventory is not an unreasonable place to start … but who should take on that responsibility? [Hint: look at the job description in the module!]
BYOD and IoT security awareness
This awareness and training module concerns the information risk and security aspects of BYOD (Bring Your Own Device) and IoT (Internet of Things).