BYOD and cybersecurity issues
Updated: 19 hours ago
More and more employees are using their personal IT tools in a professional context. For example, an employee may use his or her personal computer, tablet or smartphone to access internal resources to carry out his or her duties in the company. This phenomenon is called BYOD, for Bring Your Own Device.
What are the risks?
It must be borne in mind that the information system is a whole: a single weak link can weaken all of it. The computer network allows information to be shared, but it also allows malicious code to spread. The lack of control over how employees use their devices quickly becomes a problem.
In most cases, personal terminals do not have the same level of security as company terminals. On a personal terminal, the user installs the software of their choice, with the configuration of their choice. Antivirus software is not necessarily up to date, and may not be installed at all.
Thus, even if BYOD can be practical, it can still entail significant risks for the company and be a source of leakage of sensitive data for the company (whether voluntary or involuntary).
How to secure / protect yourself?
It is important to remember that the employer is responsible for the security of his company's personal data, including when it is stored on terminals over which he does not have physical or legal control, but whose use he has authorised to access the company's IT resources. If no rules are established and/or respected, the company risks a breach of availability, confidentiality and/or integrity.
It is therefore necessary to identify the risks that may be involved in authorising BYOD so that measures can be put in place to reduce them. For example, by drafting a charter to be respected, which will aim to:
Inform and raise awareness among users;
Formalise everyone's responsibilities and create a culture of cyber security within the company;
Specify and explain the precautions to be taken. For example:
Require compliance with basic security measures, such as locking the terminal with a password in line with good practice and using an up-to-date antivirus.
Make the use of personal equipment subject to prior authorisation by the network administrator and/or the employer.
Provide a procedure in case of failure/loss of the personal terminal.
The other possibilities
Less well known than BYOD, two other trends exist: COPE and CYOD.
COPE (Corporate Owned, Personally Enabled) allows companies to choose and finance the equipment that their employees will use. The latter can use it for professional or personal purposes. In this case, it is the company's IT department that manages the equipment and creates two different, partitioned dedicated spaces, thus avoiding the risks encountered with BYOD mentioned above.
CYOD (Choose Your Own Device), on the other hand, allows employees to choose their mobile equipment from a list predefined by the IT department. With the help of tools such as MDM (Mobile Device Management), the IT team can manage updates, software installations and, in the event of theft or loss, remotely erase data. Note that personal use of equipment is not automatically granted by the company.
Whether it is BYOD, COPE or CYOD, it is important to remember that labour law requires the employer to provide its employees with the means necessary to carry out their professional tasks. The use of personal IT tools for professional purposes does not allow for exemption from this obligation.
Related topics:
MDM = Mobile Device Management
MIM = Mobile Information Management (also called MCM = Mobile Content Management)
MAM = Mobile Application Management
These topics will be covered in a future blog post.