The whole Bring Your Own Device (BYOD) trend seems to be “the perfect storm”, but perfectly addressable through the security issues ISO 27001 addresses.
However, a quick Google reveals some interesting and disturbing statistics.
75% of IT directors see BYOD as their major threat.
60% (or more) of all employees are using their own devices at work.
33% see absolutely no problem with doing this in respect of security risks.
Occasionally I wake up in the morning and thank God that I’m not a head of IT. The implications of a breach of security in terms of damage to corporate image, customer relations, and ultimately revenue don’t bear consideration. Or do they?
Now, I’m in the quality standards business, so you may be slightly ahead of me here in thinking that I’m matching this threat with something I offer as a service, and this piece is simply a long advertisement. Well, actually, you’d be quite right. Implementation of the ISO 27001 security standard can be a significant weapon against the very real threat.
Some Suggestions:-
1/ Face The Problem. It’s going to happen anyway, driven by the device market. I’m regularly amazed that many corporates believe that BYOD is a social media-driven fad. The whole business of implementing standards, including ISO 27001 is based around application of agreed standards of honesty and (occasionally painful) reality.
2/ Face The Opportunity. A lot less PCs to buy, software upgrades to tackle, and productivity benefits of mobile working across the enterprise. And the chance to spring-clean your IT security policies at the same time.
3/ Have a Strategy. It’s not hard, but it is necessary. BYOD needs fair policing across the business, otherwise inequalities develop and cyber-anrchy may follow. Remarkably, many do not have a plan. See below.
4/Have a Overall IT Strategy. If you’re sorting this particular challenge out, you might as well set policies, standards and procedures across the whole of your IT activity.
5/ Have a Holistic Vision of The IT Function. ISO 27001 security isn’t actually about IT, but systematic management, which embraces many functions and areas of responsibility. Specifically for BYOD, there are (or need to be) HR, security and legal implications, which will have organisation-wide implications.
6/ Make Policies and Procedures Simple. Less fuss and hassle means buy-in from employees is more likely. A well-written and researched overall ISO 27001 security policy should serve the business, not the other way around. Willing cooperation and adoption comes easily when the rules are easy and everyone knows them. Nothing breeds non-compliance faster than complexity.
7/ Review and Amend. The ISO 27001 security standard should include a process to monitor, evaluate and alter, otherwise it becomes static and irrelevant. It’s a start, not an end. The IT function is likely to be the most dynamic in the company, and hence a regular audit should be made part of the overall procedure. Reviews should seek to simplify rather than supplement and complicate.
8/ It’s Not Just a Security Issue. As the BYOD ”challenge” becomes more of a major issue, potential customers are likely to expect it before they release their commercially-sensitive data to you. There are key commercial benefits of holding ISO 27001.
So, it’s not difficult to be ready for the issues that are rapidly emerging, neither is it expensive. And it may just benefit many other areas of your business….
Written by Colin Brown of ISO Consultants