Firms looking to roll out bring your own device (BYOD) schemes should never be tempted to let staff store corporate information on their personal devices, according to security experts speaking at the V3 Security Summit on Tuesday.
The rush to use tablets and smartphones for work purposes has forced many organisations to take a stand on the issue, and decide whether to let employees use their own devices to access corporate applications, provide them with a device directly, or give them the funds to buy an authorised one.
However, this brings new security challenges for IT departments: managing the influx of mobile devices accessing the network, and deciding on the best approach to information access.
According to Richard Mardling, strategic business director at identity management specialist AurionPro SENA, whatever approach firms take, allowing business data to be stored on a personal device is never a sensible option.
“I’d be uncomfortable about people storing corporate information on personal devices because you don’t have control over the personal device,” he said, during the V3 Security Summit session on eliminating the security risk from BYOD.
“The only way you can do that is to start to put applications onto that device to control it or get the employee to sign up to quite stringent acceptable use policies, which they might not want to do as it’s their personal device, it’s not the property of the organisation.”
Mardling advised firms to instead look for ways to store, manage and control information accessible via the device within the network, rather than on the device itself.
Andy Bushby, technology director for Information Security at Oracle, said that allowing staff to store client or other sensitive data on their own devices would have implications around the Data Protection Act and new European privacy legislation coming up.
“That in reality means encryption, so you’re going to start encrypting at least a part of someone’s device,” he said.
“And then there’s questions around how do I make sure they’ve wiped that when they leave, and has the user given me the right to do that. If you store information on a personal device, it makes it a more complicated process if they leave or the device is lost or stolen, than storing the data in the infrastructure.
“It’s best to have a security platform that means if someone leaves, they’re turned off for every device and application, and so have no access to sensitive information.”