GCHQ has drafted new BYOD guidance for public and private sector organisations that wish to allow employees to use their personal devices for work purposes. The draft of the Bring Your Own Device (BYOD) Collection guidance, part of the National Cyber Security Programme, has been developed by the Communications-Electronics Security Group (CESG) and the Centre for the Protection of National Infrastructure (CPNI).
The aim of the guidelines is to detail “the key security aspects to consider in order to maximise the business benefits of BYOD while minimising the risks.” The document also stated: “With the rapid increase in the use of mobile devices – and the growth of remote and flexible working – staff now expect to use their own laptops, phones and tablets to conduct business.”
The guidance has been produced for private and public organisations, and is also intended for companies involved in the UK’s critical national infrastructure, including transport, energy and banking companies. The draft also encourages organisations in the public sector at the lowest security standard – ‘official’ – to look for further guidance from CESG prior to implementing a BYOD program. For organisations that have already adopted BYOD policies, such as Camden Council, it is not clear where the guidelines leave them.
The guidelines provide eight security aspects that organisations should consider before implementing a BYOD program:
1. Understand the legal issues.
2. Create a BYOD policy.
3. Limit the information shared by devices.
4. Encourage staff agreement.
5. Consider using technical controls.
6. Anticipate increased device support.
7. Plan for security incidents.
8. Consider alternative ownership models.
The guidelines also suggest organisations consider other options, including letting staff choose their own corporately owned device, or allowing staff to use corporate devices for personal tasks.
By Allie Philpin