BYOD: Doing Security Together

Friday, December 13, 2013 - 11:22

Presenting at Jisc’s Safer Internet Day event got me thinking a bit more about the shared interests between device owners and organisations in a BYOD scheme, and the opportunity that might present. For many years I’ve liked the idea of helping users be safe in their personal Internet lives (where motivation should be a matter of self-interest, rather than "having to comply with policy") and improving workplace safety as a side-effect. BYOD is an ideal place to do that, since company and personal information are on the same device and protected (or not) by the same behaviours of the device owner.

Thinking about mobile devices, there seem to be five main areas where safe behaviour makes a difference; at least the first three of these have benefits on non-mobile devices too:

  • Backups: saving the right information to the right place at the right times;
  • Security: knowing how to use passwords etc. to protect access; how to download software and documents safely; how to use patches, anti-virus, firewalls and choose the right configuration options; how to detect when things go wrong;
  • Separation: using different accounts and directories/folders to separate information; when to use encryption and what not to view or discuss in public places;
  • Wiping: knowing when and how to trigger remote wiping of a device (getting backups right makes this less of a nuclear option);
  • Location: knowing when and how to use remote device location to increase the chance of getting lost hardware back.

For BYOD I suspect that organisations probably need to set the rules for wiping and backups, though those rules may still say that the owner carries them out. Wiping is the ultimate protection for the organisation’s information on the device and, as one council recently discovered, getting backups wrong may be the easiest way for the owner to expose that information to unwanted risks. Security and separation offer opportunities to balance what the owner is prepared to do against the information and services they are allowed to access from the device. A benefit of making this trade-off explicit should be that if the user understands that certain information requires a level of intrusiveness they don’t want, there should be less temptation to work around the prohibition. Provided wiping is done, location tracking of a BYOD device seems to be entirely the owner’s choice: it’s their device, after all! That’s a good thing, as the ICO has expressed serious concern about potential misuse of location/tracking functions on a device that might be expected to be borrowed by the owner’s family or friends.