If you are considering a Bring Your Own Device – or BYOD – policy for your business then there are several considerations you need to keep in mind.
Don’t just announce the policy and let employees start using their personal devices for all work-related tasks. Sure, there are benefits, but you will only realise them with a well-thought-out policy, which is openly shared with all.
1. Understand and measure the business benefit. Don’t just do it because the devices look nice.
2. Don’t store any data on the devices if possible. If you have to then ensure it’s encrypted.
3. Think about Internet controls within the business. You need to ensure that people remain productive.
4. Understand what you will do if the device has a fault or fails. How will that employee work for a day or two?
5. Keep installs on the device to a minimum. The more you install the more you have to manage, secure and support.
6. Make sure your wireless will support the additional devices. Many existing wireless solutions won’t cope with the load.
7. Isolate the devices from your network, even when in the office. You can’t control their security so zone them off.
8. Know which devices you will support. Don’t just allow anyone to use any device to connect.
9. Update your acceptable use policies. Employees need to know what their responsibilities are.
10. Plan your infrastructure first. Don’t just allow devices access, and then identify risks and controls as you go along.
If you are not sure whether BYOD will work for you, then you could consider CYOD instead. Choose Your Own Device gives employees a level of freedom whilst still allowing the business to retain central control.
The ISO 27001 standard is a signal that an accredited business is not only taking information security seriously but is committed to continuing to uphold that standard. ISO 27001 requires a great deal of commitment to achieve, so if you have the choice between a supplier who is accredited and one who isn’t, go for the one who’s dedicated to keeping a high standard of security.
But the ISO standard isn’t just for checking whether an IT support provider is any good; it’s an essential step for any business to take. So it often comes as a surprise how many business leaders and IT managers seem to be unaware of the standard and the value that it brings.
ISO 27001 is for information security what ISO 9001 is for quality – but it’s much bigger. ISO 27001 has been established by the world’s top experts in the field of information security to provide a methodology for the implementation and management of information security in an organisation. It also enables an organisation to achieve accreditation, where an independent certification body confirms that information security has been implemented in the best possible way.
ISO 27001 specifically prescribes how an organisation will manage information security through a system of information security management tools and procedures. In essence, it aims to ensure that appropriate controls and management systems are in place to protect a business and its assets, particularly around key IT security areas that include:
1. Confidentiality
By limiting information access and disclosure to authorised users/entities only, and by preventing access by or disclosure to unauthorised users/entities.
2. Integrity
By ensuring that data has not been changed inappropriately, whether by accident or deliberately, i.e. maliciously. This concept also includes “origin” or “source” integrity. For example, ensuring a company can confirm that any data they receive has actually come from the person identified as the sender.
3. Availability
By ensuring that all key information resources are available. The loss of key data or downtime on one IT system could put the entire business at risk.
The controls
Businesses, and IT systems in particular, are continually exposed to old, new, known, unknown, internal and external threats. ISO 27001 focuses on identifying all risks to a business, evaluating them, and then putting in controls to mitigate them.
An ISO 27001 system is generally controlled through:
- Policies and processes
- Procedures and organisational structures
- Hardware and software
A business must implement, manage and evaluate all these different factors regularly to ensure they continually improve their IT security. An external audit is an essential tool for verifying that all of these systems are in place and working effectively.
Additional benefits of an ISO 27001 accreditation
ISO 27001 is also a business organisational tool which can assist with the following areas:
- Governance
- Risk Management
- Human Resources
- Physical Security
- Business Continuity
- Regulatory Compliance
Summary
It makes sense to choose an IT support provider who is ISO 27001 accredited. Of course, this standard alone cannot guarantee that a supplier is hyper-secure. However, businesses are still better off choosing to work with an accredited IT support provider because this standard represents a fundamental commitment to IT security.
It is also a good idea to choose an IT support provider who has been ISO 27001 accredited for several years. It can take some time for a provider to ensure the standard applies throughout the entire business.
How can employees’ internet usage put your business at risk?
1. Security risks
An employee browsing potentially dangerous websites without control can open your business to an array of security risks, such as viruses, trojans, spyware – the list goes on. This is because non-work-related websites are a major feed of dangerous exploits into the network. These are obviously a risk to the individual PC, but we’ve also all seen the news articles about private companies and the public sector being down for days when a nasty virus gets into the network. I’ve seen this myself a few years ago, where the whole IT team and the CIO of a company were flying around the world trying to eradicate a virus that was flooding the network and killing communications.
Your risk also grows because uncontrolled internet access allows employees to send information in and out of your organisation without control. This can be intentional, via webmail or web messenger applications such as MSN Messenger, Yahoo Messenger or Skype, or unintentional, through spyware, phishing or other vulnerabilities.
I see data leakage prevention as one of the biggest reasons to control internet access. I’ve lost count of the number of times I’ve been alerted to a customer’s employee taking a sales database or confidential documents before leaving a company. You cannot eliminate the risk entirely, but you can make it harder. This area really falls outside the topic of this blog – if data leakage is a real concern due to the sensitive nature of your data, or your customers’ data, then look into data leakage prevention (DLP) products.
2. Legal liability
If you have copyrighted material, such as software, music, videos or even photos, on your business network, your business could be legally liable for it. Even if an employee downloaded it onto the network without your knowledge or permission, the business, and essentially its directors, could be legally liable.
Uncontrolled internet access does, unfortunately, leave the door open to a whole host of legal issues. Creating an ‘Acceptable Use’ policy for your IT will help. An effective Employee Internet Management (EIM) system will take that further and go a long way to controlling the issue.
3. Waste of bandwidth
Your internet connections are typically the main artery for your business, the main communication line between your business, its customers, and its suppliers. If your employees are downloading non-work related files, listening to music or watching the news then you’ll be paying for that. What do you do when people say that internet browsing is slow? You typically put your hand in your pocket to ‘upgrade the line’.
I can tell you that in at least 70% of the cases I come across, when people tell me they need to upgrade connectivity (internet or WAN connections), they actually don’t. They just need to route, control and shape the traffic on their networks more efficiently.
4. Reduced productivity
Your employees browsing the internet during work time costs your business money. The average employee spends 15 minutes of working time (excluding breaks) browsing the internet for non-business-related purposes. This may not seem much, but that’s 10 hours a day for a company with 40 computer-based employees.
You may say that 15 minutes a day, on top of breaks and lunchtimes, is acceptable, and that’s fine. However, that’s an average, and I’ve pulled reports showing some users wasting an hour or more a day on non-work-related internet activity.
Even if you assume that your employees are all on the minimum wage, it’s costing well over £1,000 per week on browsing time alone for a 40-user organisation, without taking into account the loss of productivity and thus the loss of potential earnings. The potential for a return on your investment in an employee internet management system should be clear from the start.
It’s not about being Big Brother and locking everything down. Why not quota your employees’ internet access for some non-work-related sites, or maybe just allow them access during lunch? This can be managed with virtually all Employee Internet Management systems. If you don’t want people using work machines for non-work-related tasks, then I suggest that you allow access to dedicated ‘internet workstations’ that staff can use, perhaps to book a holiday or to check their bank balance. These workstations can be given their own internet connection, or they can be segregated from the main company network – most firewalls/networks can do this.
What about social media?
Facebook, Instagram and Twitter? Are these really of any use to an organisation? There will always be exceptions to the rule, but generally, I don’t see why anyone needs access during work hours. You probably wouldn’t be too happy about the whole company sitting on their desk phones chatting to their mates in the day, so why should they do the same through your IT systems?
I was asked if LinkedIn was a security risk the other day, and I guess the question more or less applies to all social media. It does tend to fall under the control of the IT security department, in terms of EIM, as it ‘can be’ classed as a productivity killer. It is often bundled into the social media categories with Facebook, Twitter, etc. Is it a risk itself to security? Not directly. You could, however, argue the social engineering card, but that could be done in other ways and you are straying into paranoia territory. There are always exceptions, but generally it’s safe in my opinion.
It all sounds pretty negative, but it’s not something to panic about. I do, however, believe it’s worth thinking about the issues and looking at some sort of control. There is a vast array of Employee Internet Management systems on the market, some more effective, some cheaper and some more expensive than others. The ROI is usually pretty easy to measure, and all vendors should offer a free trial to help you gauge the issues within your environment. I should note that I’ve seen Employee Internet Management systems pay for themselves within month 1.
Here’s a list of some EIM vendors
Many vendors now also offer cloud-based services, so you don’t have to purchase hardware and software to install on your own network. Again, your business and its operations will determine whether cloud is the right solution. Typically, you’ll probably lose some level of functionality/control with vendor-run cloud-based services compared with internal hardware/software solutions.
If you want to look at implementing some controls then speak to your IT provider or seek expert advice. All the solutions vary and although most solutions will control Internet access some solutions will be better than others. Fitting the right solution depends on your business and its operations.
And remember, it’s not all about the technology. Changing employees’ internet access is a contentious issue and could lead to some unhappy people if not managed correctly. I’d suggest that you explain that the main driver for control is IT security – because it is.