Half of all firms which allow staff to bring their own device, but don’t have any firm information security policies or practices around BYOD, have suffered a security breach – according to Dell, and as reported by Out-law.com.
A Dell executive director is reported to have said: “We would not advise customers to simply let users bring in any device at all. In fact, what we’ve found is that customers that have allowed a BYOD policy, that have allowed end users to bring in anything that they want, 50% of those companies experienced a security breach.”
I’m surprised it’s only 50%; I suspect that the other 50%, the ones who haven’t reported a security breach, only haven’t reported one because they don’t know that it has occurred. Adequate staff awareness and effective information security incident reporting is, still, a minority activity – organisations that would allow staff to use insecure personal devices for corporate tasks are, by definition, unlikely to be among the minority of organisations who take these things seriously.
BYOD should only be rolled out after a properly informed risk assessment, and deployment should be built around a clear policy and a comprehensive Acceptable Use Agreement – in fact, whether you’re thinking of implementing BYOD or of overhauling an existing BYOD scheme, your best starting point is this BYOD Policy Template Toolkit.