
Bring Your Own Device: Dangers


The universal use of technology gadgets is a common practice that doubles as a convenient way to access and store information. However, a conflict surfaces when personal technology gadgets are used as media to access data that is privileged, that is, data that should not be shared. This occurs when we use our home computers, personal smartphones, tablets, or even personal access accounts to obtain information straight from our workplaces. Both the personal information of the user and the data protected by an organization should remain private. Hence, organizations everywhere must have a protocol in place to impede the use of personal technology to access information that is not open to the public. This analysis will show the dangers of the Bring Your Own Device (BYOD) trend (Information Commissioner’s Office, ‘ICO’, 2017).

BYOD

BYOD is the tendency to bring personal devices from home to access information from work computers. Although this practice is convenient for employees, and some employers, the fact remains that the data administrators are ultimately the key people responsible for maintaining the safety and security of the information (Reuters, 2017).

According to the Data Protection Act (DPA) of 1998, all data administrators must have a system in place and a protocol that takes steps to safeguard data. It also requires consequences for unlawful data access, destruction of information, or the accidental loss of it. This means that data administrators are tasked with protecting information from being accessed or shared, but it also means protecting the safety of the user's information. As such, controlling the devices that can gain access to data is the priority in an effective technology action plan (Davies, Schiller, Wheeler, 2011, p. 307).

Key problems with accessing data

At the center of the problem with BYOD is that the data that is usually protected by the information technology (IT) department is now in the hands of whoever owns the device that is being used to access it. This data becomes stored on the user’s personal device, which is protected only by its owner. As a personal device, this gadget may or may not use methods by which information is protected, such as:

  • Encryption, or the hiding of characters when information is transferred from one device to another
  • Password protection, or the requirement of a specific code to access documents
  • Blocking users, or a system to prevent others from accessing information
  • General safety issues, such as losing or misplacing the device containing sensitive data (Davies, Schiller, Wheeler, 2011, p. 70).

According to Davies, Schiller and Wheeler, these steps are part of an effective IT auditing team that is based on early involvement, conducts informal audits, engages in knowledge sharing, and continuously self-assesses how effective its protocols and regulations are in safeguarding information. Early involvement includes training people to prevent issues. Informal audits entail consistent monitoring and checking. Knowledge sharing is the sending of reminders, bulletins, and constant safety notes so that people keep abreast of changes. Self-assessment involves the IT department’s monitoring of the effectiveness of its own practices for the safety and security of data (Davies, Schiller, Wheeler, 2011, p. 9).

Potential conflicts

The potential conflicts that arise from acquiring data on personal technology devices include the possibility of the gadget being stolen and information being leaked. Another conflict is that the information that was once safeguarded with proper protection software can now be accessed by anyone, with nothing to mask or hide it. In specific job settings, such as the medical fields, this entails accessing patient information, which is protected by the Health Insurance Portability and Accountability Act (HIPAA). A leak of information of this nature exposes personal data and medical information, and will make the organization liable (Davies, Schiller, Wheeler, 2011, p. 40).

Issues with technology used to access data

Another issue, aside from the access and protection of information, is the nature of the items used to access data. The best practice is to conduct auditing of mobile devices and other items used for accessing company data. These include universal serial bus (USB) cables and drives, compact discs (CDs), microchip readers, cellphones, tablets, and laptops. Should any of those items be infected with malware or a spamming or phishing virus, chances are the hardware will collaterally infect surrounding devices that are wirelessly connected together (Davies, Schiller, Wheeler, 2011, p. 304).

Issues with users: malware, phishing, and spamming

Many of the issues concerning data access are created strictly by users. Some gadget owners may not be familiar with safe internet search practices, or may not care to follow proper internet practices even after being trained to do so. They conduct unsafe internet inquiries, or access untrustworthy websites that may infect their devices with malware. Malware is software that is designed to purposely deactivate, disable and/or damage computer systems. When a computer system is disabled, data could be exposed. Therefore, it is prone to being stolen, replicated, spread illegally, or used for other sinister purposes. The power that technology holds over our society is of such magnitude that disabling any component of technology will, undoubtedly, pose inconvenient and serious safety and security repercussions (ICO, 2017).

Some websites contain “phishing” algorithms, or programs designed to sift out personal information from users, such as bank account and credit card information. For instance, an employee who uses his or her personal device may use the same password for everything, including the keeping of work data. A phishing algorithm can catch on to this practice and steal information from the user. Spamming, another problem that comes up when using the Web, is when a “bot”, or program designed to enter people’s computers, starts to bombard computer systems with requests ranging from commercials to lures for customers to spend money on specific products. Receiving a large number of emails, internet ads, requests for “chats,” or mentions of the same thing or product is usually a sign of spamming (Reuters, 2017).

Possible solutions

Since all IT administrators must have a plan in place, the ideal scenario is for all employees to be held accountable for following it. They must sign agreements, commit to following the company guidelines, and face consequences if the protocols are broken. Ongoing training should be provided to ensure that everyone is informed ahead of using technology to access data. Moreover, monitoring and data access points must be controlled. Only specific personnel with trusted credentials should be the ones trying to extract, add, or take away data in the first place.

A second solution is to limit the type of gadgets allowed for usage. Controlling devices will help limit the chances to expose data to potential malware. It also limits the number of places that store important information. For example, IT may prohibit the use of personal USB flash drives and microchip readers because they are more likely to get lost or misplaced at home. Instead, IT may encourage the use of company flash drives that get stored in-house, which is safer and less risky. (Davies, Schiller, Wheeler, 2017 p. 306)

A third solution is deciding what kind of data will be accessible to others, where it will be stored (secret vs. open drive), and how it will be transferred (encrypted, password-protected). For example, personal data should be off-limits at all times, so there is no way to provide access to any of it for others. Then, a special drive should be opened where accessible information will be available. This is a drive designated by the IT department where copies of specific data are posted for others to use. It is a central place for everyone to go to. Then, a system to mask the characters of usernames, passwords, and transferred information should activate when people request the data that is accessible and save it on their devices (Davies, Schiller, Wheeler, 2011, p. 308).

Finally, IT must have a good action plan that lays out what to do in the event that someone accidentally deletes data, saves it the wrong way, or alters it. It is up to the department to keep a copy of all files, and to have a specific way to explain to users how the data will be used, and to what extent it can be manipulated or changed.

Conclusion

The most important lesson to be learned is that data access is, ultimately, controlled and monitored by human beings. As such, mistakes in the handling, access, storage, and spread of data are very likely to happen. Issues such as malware, phishing, spamming, or even the wrong manipulation of data are entirely possible. These problems are preventable, but everyone who uses technology is equally prone to suffer from them.

For this reason, it is the key responsibility of the IT department to have a strong system of rules and protocols in place in the event that data is used for erroneous reasons and in wrong ways. Consequences must happen to those who tamper with the safety of data. Moreover, there must be control of access as well as control in the way that data is accessed. Limiting devices is one of the key alternatives to avoid further problems.

References

Davies, M., Schiller, C. Wheeler, K. (2011). IT Auditing: Using Controls to Protect Information Assets. New York: McGraw Hill. Retrieved on December 6, 2017.

Information Commissioner’s Office (ICO). Bring Your Own Device (BYOD). Data Act of 1998. Retrieved from the ICO website on December 6, 2017.

Reuters, Thomson. Bring Your Own Device (BYOD). Practical Law. Retrieved from the Reuters’ website on December 6, 2017.