GDPR and Cyber Security: Bring Your Own Device

Cartoon strip that discusses the challenges of GDPR in BYOD environments.

Separating roles in bring your own device (BYOD) environments

(This article was written in collaboration with Piers Clayden of ClaydenLaw.)

What if voluntary organisations can’t segregate their IT use... because the volunteers own all the equipment?

Segregation is a cyber security ideal – if only one organisation is using a network, piece of equipment or piece of software then that organisation finds it easier to manage their cyber security risk.

It’s a model that’s being undermined by Bring Your Own Device (BYOD) policies, but the small organisations and charities we’re talking about here are the ultimate in BYOD. They have no office at their core, each trustee works within their own level of IT literacy on whatever equipment they have to hand, policies and procedures change with the volunteers, and there are no formal onboarding or offboarding processes. It's this type of organisation that's been at the core of my research since 2013.

Like so many other types of small organisation, it simply doesn’t make sense for them to buy IT equipment. Where large businesses evaluate the efficiency of cloud services to avoid maintaining redundant servers, these small organisations do the same – there’s no need to buy more hardware when their volunteers or employees are willing to donate their surplus gigabytes and have the luxury of working on a familiar device.

What do they need to know about cyber security?

When all we’re talking about is laptops, PCs and phones, the cyber security measures are the same whether the devices belong to the individual or to the organisation. The Cyber Essentials guidelines explain what types of technical measures can be added to that equipment for free. The biggest difference is the size of the risk, and reducing that requires a human security measure – a better understanding of cyber security threats and of how to avoid common mistakes (for example this advice from CPNI). Then it’s possible to carry on volunteering IT equipment as well as time.

The one exception is when business-owned devices are being used as BYOD for other organisations. If a volunteer has stored another organisation’s personal data on their employer’s system, it’s that business’ right to choose whether accepting this risk and becoming a data processor is a donation it is willing to make to the charity, non-profit or private club in question... and the volunteer should be thinking up a contingency plan, because most will say 'no'.

What does Piers have to say about data protection in BYOD situations?

“GDPR requires organisations to take appropriate technical and organisational measures to ensure that personal data is kept secure. The problem for charities etc. whose staff and volunteers use their own devices is that being able to show that you have taken such appropriate measures is always going to be difficult, especially in the absence of an approved, monitored and enforced BYOD policy (which the staff have received training on).

“Further, how would the charity remediate a security breach when the breach involves a volunteer’s laptop stolen out of a car? What security measures were in place on the laptop, what personal data is now at risk? These are difficult questions to answer at the best of times (especially when the clock is ticking to inform the ICO of the breach) but even more so when there is a relatively relaxed BYOD usage.”

Choosing what to do can be challenging, and organisations of this size are unlikely to have IT budgets that match the risk of losing the data.

For the more tech-savvy micro organisations, solutions such as mobile device management (MDM) might be an option, but realistically the sheer variety of devices and software employed by BYOD users, not to mention the level of configuration and documentation required to implement MDM, makes it unappealing to many micro businesses.

In all instances the place to start is by understanding what each volunteer or employee is actually doing on their device. Once you've got a better picture, you could get someone to talk them through adding free security measures, work out what really ought to be encrypted, or train them so that they're better able to avoid mistakes. Supporting volunteers so that they generally become more secure is likely to be more effective than introducing more invasive policies.