Risks Associated with BYOD

Literature review and findings

Identification of applicable COBIT 5 processes which affect Bring Your Own Device programmes


Organisations can customise COBIT 5 to suit their own context. Table 2 lists the processes that are directly applicable to an organisation that has deployed a BYOD programme. It highlights the 37 COBIT 5 processes that are applicable to BYOD. The description column gives a detailed listing of what each process means; the process definitions were obtained from the COBIT 5 Enabler processing guide. A brief explanation of why a process was considered applicable, or why in certain instances a process was not applicable for the purpose of this research, is included in the table under the column 'Explanation'.

 
TABLE 2: COBIT process selection.

Columns: Process; Relevant to BYOD; Applicable to research; Explanation.

Evaluate, direct and monitor

EDM01 Ensure governance framework setting and maintenance. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: It is important that the organisation adopts a BYOD programme if it assists the organisation in achieving its business imperatives. Once it has been determined that BYOD will add value to the organisation, it is important that proper structures, processes and practices are put in place in order to ensure that the business imperatives are met and that any risks associated with deploying a BYOD programme are reduced to an acceptable level.

EDM02 Ensure benefits delivery. Relevant to BYOD: No. Applicable to research: No.
Explanation: The employee is primarily responsible for investment in the mobile device which is used to access personal and corporate information.

EDM03 Ensure risk optimisation. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: Prior to deciding to launch a BYOD programme, it is important that those charged with governance at the organisation first identify the entity-specific risks that they will be exposed to as a result of adopting the BYOD programme. They should also determine to what extent they would like to be protected from these risks, as this will assist them in determining which controls they should implement.

EDM04 Ensure resource optimisation. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: In order to successfully run a BYOD programme, the organisation needs to ensure the IT department has the necessary knowledge, skills and time available to properly manage and support the BYOD programme.

EDM05 Ensure stakeholder transparency. Relevant to BYOD: No. Applicable to research: No.
Explanation: It is not necessary to report to the outside stakeholders on the successful adoption or running of the BYOD programme.

Align, plan and organise

APO01 Manage the IT management framework. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: The adoption of a BYOD programme and the running thereof should support the overall governance objectives of the organisation.

APO02 Manage strategy. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The BYOD programme would be a current initiative which the organisation has adopted. Whilst it may be a current business strategy of the organisation, it was not included as part of the focus of this research.

APO03 Manage enterprise architecture. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: Whilst having proper architectures in place to govern the BYOD programme adopted by an organisation is important, it was not included as part of the focus of this research.

APO04 Manage innovation. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: BYOD is an innovative business trend. There are many benefits which the organisation can obtain through the successful implementation of a BYOD programme.

APO05 Manage portfolio. Relevant to BYOD: No. Applicable to research: No.
Explanation: Whilst BYOD may form part of the overall investment or related portfolios of the organisation, it was assumed that the BYOD programme was a priority for the purpose of this research and hence no adjustments needed to be made.

APO06 Manage budget and costs. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: The organisation needs to identify that there is a financial benefit which it can derive before adopting a BYOD programme. Whilst this is important, it was not included as part of the focus of this research.

APO07 Manage human resources. Relevant to BYOD: No. Applicable to research: No.
Explanation: BYOD should not directly impact the management of human resources at the organisation. Whilst the skill and ability of the IT department need to be considered when adopting a BYOD programme, this was not included as part of the focus of this research.

APO08 Manage relationships. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: Whilst the relationship between those employed in the operational side of the organisation and the IT side of the organisation is important, the quality of their relationship was not included as part of the focus of this research.

APO09 Manage service agreements. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: It is important that the organisation first identifies its business imperatives. If it is concluded that the adoption of the BYOD programme would assist in achieving the organisation's business imperatives, then the BYOD programme should be adopted. The consideration of whether or not a BYOD programme would assist the organisation in achieving its business imperatives was not included as part of the focus of this research.

APO10 Manage suppliers. Relevant to BYOD: No. Applicable to research: No.
Explanation: The adoption of a BYOD programme does not involve the supply of any goods or services by outside suppliers directly to the organisation. The employee deals with the supplier of the mobile device.

APO11 Manage quality. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: Defining and communicating quality requirements in all processes and procedures is of key importance for every organisation. The defining and communication of BYOD processes was however not included as part of the focus of this research.

APO12 Manage risk. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: It should be a priority for the organisation to continually identify, assess and reduce the risks that arise as a result of the adoption of a BYOD programme. Failure to do so could have adverse consequences for the organisation.

APO13 Manage security. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: Security of the corporate information should be a priority at all times. The safety of information is definitely a concern in a BYOD programme as a result of cyber theft.

Build, acquire and implement

BAI01 Manage programmes and projects. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The BYOD programme needs to be managed as one of the organisation's programmes. The management aspect of a BYOD programme was however not included as part of the focus of this research.

BAI02 Manage requirements definition. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: It is essential that the organisation first conducts a detailed analysis as to whether or not a BYOD programme will assist it in the achievement of its business imperatives. The pre-adoption analysis of a BYOD programme and the feasibility thereof was however not considered as part of this research.

BAI03 Manage solutions identification and build. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The deployment of a BYOD programme may be one of the solutions which an organisation could employ in order to achieve its business imperatives. This was however not considered as part of this research.

BAI04 Manage availability and capacity. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The availability of enough skilled IT staff to support a BYOD programme may be something that an organisation should be interested in. It was however not considered as part of this research.

BAI05 Manage organisational change enablement. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The adoption of a BYOD programme for the very first time by an organisation will definitely affect all the stakeholders in the organisation. The first-time adoption of a BYOD programme at an organisation was however not considered as part of this research.

BAI06 Manage changes. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The initial adoption of a BYOD programme by an organisation will definitely require significant attention. It would be a change from the normal way of accessing and processing sensitive corporate information. The initial adoption of a BYOD programme at an organisation was however not considered as part of this research.

BAI07 Manage change acceptance and transitioning. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: The period from pre-adoption to initial adoption of the BYOD programme needs to be planned successfully to ensure that all significant risks have been identified and that sensitive corporate data are safeguarded at all times. The initial adoption of a BYOD programme in an organisation was however not considered as part of this research.

BAI08 Manage knowledge. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: It is important that the IT department has the relevant skills in order to manage and support a BYOD programme. The maintenance of knowledge to be able to do so successfully was however not considered as part of this research.

BAI09 Manage assets. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: The organisation does not own the mobile devices being used to access the organisation's sensitive information. The IT department should however be in a position to assist the users of the mobile devices with certain technical issues that arise with the devices. It is also extremely important that the software licences on these devices are understood, as the organisation may be in breach if the employee uses software on the mobile device for business purposes when in fact the employee possesses a personal-use software licence.

BAI10 Manage configuration. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: It is extremely important that the configurations of all devices connecting to the organisation's network are defined and maintained. This is applicable in a BYOD environment as devices will be connecting to the organisation's network. Defining and maintaining descriptions and relationships of resources and capabilities required by IT-enabled services was however not considered as part of this research.

Deliver, service and support

DSS01 Manage operations. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: The effective execution of IT procedures in managing and securing mobile devices is essential to ensure the safeguarding of sensitive corporate information.

DSS02 Manage service requests and incidents. Relevant to BYOD: Yes. Applicable to research: Yes.
DSS03 Manage problems. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation (DSS02 and DSS03): The IT department should be in a position to assist the mobile device user with support for the troubleshooting requests and incidents raised by the user, which will enable them to access and process work-related activities on their mobile devices.

DSS04 Manage continuity. Relevant to BYOD: Yes. Applicable to research: No.
Explanation: It is important that the organisation has a plan in place for incidents such as mobile device or Wi-Fi downtime, as this will disrupt the organisation's ability to function properly. The establishment and maintenance of a plan of this nature was however not considered as part of the research conducted.

DSS05 Manage security services. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: It is essential that the organisation conducts a proper risk analysis (which will include security-related risks) in relation to the adoption of a BYOD programme.

DSS06 Manage business process controls. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: Once the risk analysis has been conducted, it is important that the organisation identifies suitable controls which will reduce the risks to an acceptable level.

Monitor, evaluate and assess

MEA01 Monitor, evaluate and assess performance and conformance. Relevant to BYOD: Yes. Applicable to research: No.
MEA02 Monitor, evaluate and assess the system of internal control. Relevant to BYOD: Yes. Applicable to research: No.
Explanation (MEA01 and MEA02): It is essential that the success of the BYOD programme, the control environment and the controls affecting the BYOD programme are monitored on a regular basis. Failure to do so could result in the organisation suffering major losses (e.g. data theft). The monitoring of the success of the BYOD programme and of the controls affecting the BYOD programme was however not considered as part of this research.

MEA03 Monitor, evaluate and assess compliance with external requirements. Relevant to BYOD: Yes. Applicable to research: Yes.
Explanation: It is essential that the organisation evaluates whether or not it is complying with the rules and regulations affecting the organisation. This is especially true in a BYOD environment, where different industries and different geographical regions have different rules and regulations which govern them. The organisation should map the risks and controls identified to reduce the risks to an acceptable level.

BYOD, Bring Your Own Device; IT, information technology; MEA, Monitor, evaluate and assess; DSS, Deliver, service and support; BAI, Build, acquire and implement; APO, Align, plan and organise; EDM, Evaluate, direct and monitor.


Figure 1 maps the COBIT 5 processes identified as relevant for the purposes of this research to the risks identified in Table 1. Using these processes to identify possible safeguards, the organisation can reduce the risks to an acceptable level. Many organisations that employ BYOD programmes do not know how many devices are connected to their networks, nor which devices they are, and many do not have controls in place to mitigate the risks. At governance level, management should identify and take ownership of the risks associated with BYOD. This begins by developing a BYOD strategy as part of the business model, which addresses the challenges related to BYOD: mobile device management, mobile security and access control. A policy should be developed detailing accepted usage of mobile devices and acceptable user behaviour, and governing the use of corporate and other third-party applications. Information technology departments should have a clear project plan and should work with end users to implement BYOD. A compliance officer should monitor compliance with the plan and policy as well as regulatory requirements affecting data security, which will improve logging, monitoring and follow-up of access to the enterprise's information systems and data.

FIGURE 1: Mapping risks to possible safeguards.

Columns: Number; Summarised risk identified; process columns EDM01, EDM03, EDM04, APO01, APO12, APO13, BAI09, DSS01, DSS02, DSS03, DSS05, DSS06 and MEA03; Possible safeguard.

1.1 Deployment of malware into the organisation's system.
1.1.1 The organisation should have a policy stating that mobile device users are only able to connect to the network if they have installed anti-malware software.
1.1.2 The anti-malware software should be updated on a regular basis.

1.2 Malicious software targets smartphones and tablets.
1.2.1 Employees should be educated about the impact malware could have on the organisation's sensitive data as well as the manner in which malware infiltrates the device.
[Refer to 1.1.1 and 1.1.2].

1.3 Hackers' ability to control computer systems.
1.3.1 The organisation should encrypt its data.
1.3.2 The organisation should have strong authentication methods in place to access the network. An example of this would be the use of tokens.
1.3.3 Unauthorised devices detected by the network access control software should be blocked immediately.

1.4 Data stolen or damaged.
[Refer to 1.3.1 and 1.3.2].

1.5 Device disabled.
[Refer to 1.1.1 and 1.1.2].

1.6 Use of unapproved applications.
1.6.1 The organisation needs to have a policy stating which applications employees are permitted to download onto their devices. The policy should be updated on a regular basis to take into account the new malicious applications that have been brought to the attention of the
1.6.2 The organisation could have a policy where it does spot-checks on the mobile devices used by its employees. Where unapproved applications have been identified, the owner of the device should be requested to delete the application immediately.

2.1 Data leakage is a greater problem than malware.
2.1.1 Employees should be educated about the impact that data leakage could have on the organisation and how it occurs.

2.2 Employees sync mobile device with infected home computer.
2.2.1 Employees should be educated about the risks involved with syncing their mobile device with their home computer.
2.2.2 The employee should be advised to run their antivirus software on a regular basis.

2.3 Unpatched vulnerabilities on home computer grant cybercriminals access to sensitive data.
2.3.1 The organisation should invest in on-device containerisation technology.
2.3.2 The organisation should consider making use of a virtual desktop environment.
[Refer to 1.3.1].

2.4 Loss of control over data stored in the Cloud.
2.4.1 The organisation should provide employees with a convenient method of securely sharing documents and collaborating on mobile devices.

2.5 Unauthorised access to sensitive data.
2.5.1 Employees should be educated about the risks involved with storing confidential data in the Cloud.
[Refer to 1.3.1].

2.6 Potential outflow of finances as a result of data breach.
2.6.1 The organisation should have sufficient insurance to cover any financial outflows that arise as a result of a data breach.

3.1 Lost mobile devices create a security threat.
3.1.1 The organisation can use remote wiping facilities to delete all organisation-related information that is stored on the device.
[Refer to 1.3.1].

3.2 Criminals may gain access to confidential information.
[Refer to 1.3.1 and 3.1.1].

3.3 Information may not be password protected.
3.3.1 Employees should be educated about the advantages and disadvantages of not having a secure password on their mobile device.
[Refer to 1.6.2].

3.4 Data may not be encrypted.
3.4.1 The organisation should have a policy that all data transmitted to employees' mobile devices should be encrypted at all times.

3.5 Mobile devices are easily stolen as a result of size.
3.5.1 Employees should be encouraged to be mindful of the whereabouts of their mobile devices at all times.
3.5.2 Mobile device tracking facilities could be used to locate the mobile device.
[Refer to 3.1.1].

3.6 Data on a mobile device which has been lost or stolen may be compromised.
[Refer to 1.3.1].

3.7 Lost or stolen mobile devices may hold personally identifying and confidential client information.
3.7.1 The organisation should have sufficient insurance to cover possible lawsuits as a result of confidential information relating to its clients being revealed.
[Refer to 1.3.1 and 3.1.1].

3.8 Organisation cannot remotely wipe lost mobile device.
3.8.1 The organisation should invest in software that will enable it to remotely wipe sensitive data off an employee's mobile device which has been lost or stolen.
[Refer to 1.3.1].

3.9 Employees do not know what to do when their device is lost or stolen.
3.9.1 The organisation should have a policy informing employees what they need to do in the event that their mobile device is lost or stolen.

4.1 Bluetooth device may be discoverable.
4.1.1 Employees should be educated about the risks involved with leaving their mobile devices in discoverable mode.

4.2 Unauthorised data downloads.
4.2.1 The organisation should make use of network access control technology. Any unauthenticated device should be immediately blocked.
4.2.2 Employees should be educated about the risks involved with leaving their mobile devices in discoverable mode as well as the risks involved with tethering.
[Refer to 1.3.1].

4.3 Non-authenticated devices connecting to the network.
[Refer to 4.2.1].

4.4 Bluetooth and Wi-Fi technology are easily infected.
4.4.1 Anti-malware software should be loaded onto the mobile devices.
[Refer to 4.2.1].

4.5 Data transmitted may be compromised.
[Refer to 1.3.1].

5.1 Applications downloaded may steal or damage data.
5.1.1 Employees should be educated about the risks involved with downloading applications onto their mobile devices.
[Refer to 1.3.1].

5.2 Unapproved applications may be stored on mobile devices.
5.2.1 The organisation should have a policy indicating which applications employees are permitted to download onto their devices.

5.3 Unapproved applications may not be easily detectable.
[Refer to 1.6.2].

5.4 Employees unaware of risky apps.
5.4.1 The organisation should have a policy where the IT department sends out regular email communication to employees about which popular applications are risky as well as what the potential consequences are if they download one of these applications.

6.1 Organisations may not be complying with laws and regulations.
6.1.1 The organisation should have a compliance officer who identifies which laws and regulations affect the organisation.

6.2 Organisations may be unaware of specific geographical laws and regulations.
[Refer to 6.1.1].

6.3 Communication laws may be violated.
6.3.1 The organisation should inform its employees which laws and regulations affect the organisation (including communication laws).

6.4 Organisations may not be able to ensure compliance on employee-owned devices.
6.4.1 The organisation could have the employees sign a contract indicating that if they intentionally violate a law or regulation of which they should have been knowledgeable, then they take personal responsibility for the non-compliance.
[Refer to 6.1.1].

6.5 Personal-use software may be used for business purposes.
6.5.1 Employees should be informed that they should inspect the software licence on their device to identify whether or not it is personal-use software prior to using the software for business purposes.
6.5.2 The organisation could have a policy where an employee needs to get the mobile device pre-approved prior to being allowed to use it to access the organisation's sensitive data. Software licences could be checked by the IT department at this point in time.

6.6 Organisations may be liable for additional costs where software licences have been breached.
6.6.1 The organisation should have sufficient insurance to cover itself in the event that it is found to have breached a software licensing agreement.
[Refer to 6.5.2].

7.1 IT may not be able to manage all mobile devices.
7.1.1 The organisation may establish user self-support and third-party support options.
7.1.2 The organisation may re-train existing service desk staff and augment the mobile support team as needed.
7.1.3 The organisation may make use of internal wikis, user forums, email distribution lists, enterprise social networking and other collaboration tools for user self-support.

7.2 IT may not be able to secure all mobile devices.
7.2.1 The organisation should implement a mobile device management system to reduce the risks associated with not being able to secure all mobile devices.

7.3 IT may not be able to successfully implement mobile security.
7.3.1 The organisation may make use of a network access control system to reduce the risk of unauthorised devices connecting to the network.
[Refer to 7.2.1].

7.4 Employees may select a device without considering IT support.
7.4.1 The organisation could have a policy indicating which mobile devices it will support.

7.5 Employee mobile devices may not be configured or locked down.
7.5.1 The organisation should implement a mobile device management system to ensure that all mobile devices have been configured correctly.

7.6 IT may not pre-approve all mobile devices.
7.6.1 The organisation should have a policy whereby it only permits pre-approved mobile devices to connect to the organisation's network.

7.7 IT may not be able to provide the same level of support to all mobile devices.
[Refer to 7.1.1, 7.1.2 and 7.1.3].

7.8 The organisation may have open ports for employee-owned devices.
7.8.1 The organisation should not have open ports. Employees should use some form of login password to gain access to the network.

8.1 Mobile device life cycle may shorten.
8.1.1 Employees should be encouraged to keep their mobile phones for the duration of their mobile phone contracts.
[Refer to 7.1.2].

8.2 Mobile devices may have planned obsolescence built into them.
[Refer to 8.1.1].

Note: The shaded areas indicate that the process is mapped to the risk identified.
IT, information technology; MEA, Monitor, evaluate and assess; DSS, Deliver, service and support; BAI, Build, acquire and implement; APO, Align, plan and organise; EDM, Evaluate, direct and monitor.





Users should be educated on BYOD, its associated risks and accepted usage policies. Support services should also be made available. The IT departments should focus on access security and data protection by doing the following:

  • adopting a multi-layered approach to security and authentication where both users and devices are encrypted and authenticated
  • implementing mobile device management, preventing access to malware and encrypting important information and removing rogue mobile applications
  • protecting data at the data file level to prevent unauthorised access to data files, as well as unauthorised moving, copying and/or editing of data files. This must include a containment and remote delete function.
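Several of the safeguards in Figure 1 (1.1.1 and 1.1.2 on anti-malware, 1.3.1 on encryption, 1.3.3 and 4.2.1 on blocking unauthorised devices, 1.6.1 and 1.6.2 on unapproved applications, 3.3.1 on passcodes, 7.4.1 and 7.6.1 on supported and pre-approved devices) together with the bullet points above amount to a device admission policy that a mobile device management or network access control system would enforce. The following Python script is an added example and is not code from the paper: it expresses those safeguards as a policy check over device inventory records and returns an allow, remediate or block decision with the safeguard numbers that triggered it. The record fields, policy values, device identifiers and sample devices are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


# Constructed device record, shaped like what an MDM or NAC inventory reports.
@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                            # e.g. "ios", "android"
    pre_approved: bool                       # 7.6.1: pre-approved by IT
    anti_malware_installed: bool             # 1.1.1
    anti_malware_updated: Optional[date]     # 1.1.2: last signature update
    storage_encrypted: bool                  # 1.3.1 / 3.4.1
    passcode_set: bool                       # 3.3.1
    installed_apps: List[str] = field(default_factory=list)  # 1.6.1 / 1.6.2


# Constructed policy values; a real programme takes these from its BYOD policy.
@dataclass(frozen=True)
class Policy:
    supported_platforms: FrozenSet[str]      # 7.4.1
    approved_apps: FrozenSet[str]            # 1.6.1
    blocked_apps: FrozenSet[str]             # 1.6.1: known risky applications
    max_signature_age_days: int = 7          # 1.1.2


def evaluate(device: Device, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (decision, findings) for one device.

    decision is 'allow', 'remediate' or 'block'. Any finding other than an
    unapproved (but not blocked) application blocks the device, as in
    1.3.3 / 4.2.1; unapproved applications alone admit the device but the
    owner is asked to remove them immediately, as in 1.6.2.
    """
    findings: List[str] = []
    if device.platform not in policy.supported_platforms:
        findings.append(f"7.4.1 unsupported platform: {device.platform}")
    if not device.pre_approved:
        findings.append("7.6.1 device not pre-approved by IT")
    if not device.anti_malware_installed:
        findings.append("1.1.1 anti-malware not installed")
    elif (device.anti_malware_updated is None
          or (today - device.anti_malware_updated).days > policy.max_signature_age_days):
        findings.append("1.1.2 anti-malware signatures out of date")
    if not device.storage_encrypted:
        findings.append("1.3.1 device storage not encrypted")
    if not device.passcode_set:
        findings.append("3.3.1 no passcode or screen lock")
    apps = set(device.installed_apps)
    for app in sorted(apps & policy.blocked_apps):
        findings.append(f"1.6.1 blocked application installed: {app}")
    for app in sorted(apps - policy.approved_apps - policy.blocked_apps):
        findings.append(f"1.6.2 unapproved application installed: {app}")

    if any(not f.startswith("1.6.2") for f in findings):
        return "block", findings
    if findings:
        return "remediate", findings
    return "allow", findings


def admission_report(devices: List[Device], policy: Policy, today: date) -> Dict[str, str]:
    """Map each device id to its admission decision."""
    return {d.device_id: evaluate(d, policy, today)[0] for d in devices}


# Constructed sample data: one policy and four devices in different states.
TODAY = date(2024, 1, 15)
SAMPLE_POLICY = Policy(
    supported_platforms=frozenset({"ios", "android"}),
    approved_apps=frozenset({"mail", "vpn", "docs"}),
    blocked_apps=frozenset({"cracked-office"}),
)
SAMPLE_DEVICES = [
    Device("dev-001", "alice", "ios", True, True, date(2024, 1, 13), True, True, ["mail", "vpn"]),
    Device("dev-002", "bob", "android", True, True, date(2023, 12, 1), True, True, ["mail"]),
    Device("dev-003", "carol", "ios", True, True, date(2024, 1, 15), True, True, ["mail", "flashlight-free"]),
    Device("dev-004", "dave", "windows-phone", False, False, None, False, False, ["cracked-office"]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, findings = evaluate(dev, SAMPLE_POLICY, TODAY)
        print(f"{dev.device_id} ({dev.owner}): {decision}")
        for finding in findings:
            print(f"    {finding}")
```

Run as-is, the script admits dev-001, admits dev-003 subject to removal of the unapproved application, and blocks dev-002 (stale anti-malware signatures) and dev-004 (every check fails). Each finding carries the Figure 1 safeguard number so that the decision can be traced back to the policy clause that produced it, which is what the compliance officer described above needs when monitoring the programme.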