Bring your devices, not your problems

Editorial Type: Opinion Date: 09-2019 Tags: Security, BYOD, Tablets, GDPR, Encryption, Kingston Technology Europe
When staff bring their own devices into work, security can be greatly compromised. Rob Allen, director of marketing & technical services, Kingston Technology Europe, offers a number of approaches to allay such risks.

Flexibility is the ongoing trend of the 21st century working environment. The nine-to-five fixed-desk job is no longer a universal aspect of working lives, partly because modern communications and digital software tools allow teams to work just as closely when they're geographically separated as if they were in the same room. In many cases, a more relaxed arrangement improves productivity, and modern companies manage to thrive with a business model that omits requirements on fixed hours or fixed attire, or that even removes the significant expense of fixed office space.

With the move away from fixed-desk roles, the fixed-desk office PC no longer has a monopoly on our work output either. Most of us have dozens of devices at home that can tap into company resources with just a few clicks, so it's unsurprising that a common request is to bring your own device (BYOD) to a work environment and continue working when out of the office. This could be a preferred personal laptop, but it extends to carrying company data home on USB flash drives, tablets, wireless devices and cameras.

Although this approach to personal devices may seem harmless, there are problems when it comes to using personal devices for work purposes. Mixing personal devices and company data can have unforeseen consequences and creates multiple risks. If unencrypted devices are lost or stolen, any third party has potential access to confidential company data. Lost data can lead to dire effects on an organisation, affecting its reputation and stability, as well as finances, in large part due to the EU's GDPR legislation, which legally compels firms to safeguard their customers' information. An outright ban on employees working in their preferred manner could be a backwards step, though, discarding many of the productivity benefits of modern flexible working and efficiency.

Fortunately, there are solutions that allow employees to keep workplace data secure and confidential, even if that data is taken out of the security confines of the company network. The answer is encryption. How secure your data is depends on the kind of encryption you use, and knowing the differences between the kinds should affect your IT policy. With careful planning and adequate training, you can be sure employees are still able to bring their own devices to work, while sensitive company data remains protected.

For example, both Macs and PCs have built-in software encryption that can be used to protect all the data on a device's internal storage. If a thief physically opens the device when it is powered down, they will not be able to remove the storage and read the data from it. But software-based encrypted drives are only as safe as your computer. If the device can be unlocked with a trivial password, the encryption software can be disabled and the data can still be accessed.

At the very least, mandating that employees turn on software encryption if they use any personal device for work is a simple, straightforward step that closes a security hole. You can go further with hardware-based encryption. This also applies to USB flash drives. Their small size makes them easily pocketable and they can be plugged into almost any computing device in existence. With capacities up to 2TB, they're the most efficient way to transfer data between locations, and can be used both for data transport and backup. But that portability makes them very easy to lose, leading to the risk of critical and sensitive data landing in the wrong hands.

Hardware-based encryption built into external USB devices mitigates this risk. The top-of-the-line 256-bit Advanced Encryption Standard (AES) encryption used in high-end encrypted USB drives is secure enough to be FIPS certified. This means anyone who finds such a drive is very unlikely to access the information. These drives come in a variety of types, but generally require a complex password that uses 3 of 4 character sets and meets a minimum length, making the password that much harder to guess. The slight extra investment for these hardware-encrypted USB drives is considerably less than the potential fines of a GDPR breach or the incalculable reputational damage that comes from a data breach.

Similarly, hardware-encrypted SSDs provide end-to-end data protection. Used as an upgrade for a company computer or an employee's personal device, or as an external device with an adapter, such an SSD gives you certified hardware-based security, with far greater performance than a USB flash drive.

Agreeing to employee requests to use their own devices for work purposes may seem like an inexpensive and simple way to create a relaxed working environment but, without taking a few precautions, the potential risks to company data security could prove costly and complicated.