Risks Associated with BYOD

A "bring your own device (BYOD)" policy is when an organization allows employees to use their own devices on the company network. While this can save the organization money and allow for more employee freedom, there are security risks associated with it. This article explains the principles of BYOD, some benefits of BYOD for an organization, and the many ways that BYOD can increase the risk to a company's data and information systems.

Research methodology

As mentioned earlier, the aim of this research is to identify key internal controls and safeguards which an organisation can deploy by using the COBIT 5 framework as a basis to reduce the IT strategic and operational risks identified relating to BYOD to an acceptable level. The study is non-empirical in nature and the results drawn are from an extensive literature review that was performed on BYOD and the COBIT 5 framework. The following factors were considered whilst conducting the literature review:

  • risks and concerns related to BYOD programmes;
  • compliance and legal considerations which arise as a result of BYOD;
  • the behaviour of employees whilst using their own devices;
  • implications of mobile devices being stolen or lost; and
  • the control frameworks (including COBIT 5 framework).

In order to add scientific rigour to the literature review, a four-stage approach as suggested by Sylvester, Tate, and Johnstone (2011) was followed. A wide range of articles and readings was selected in the beginning stages to enable a comprehensive understanding of the literature, and the selection was narrowed to more specific areas at a later stage in order to understand the concepts underlying BYOD and its underlying technologies, and to elaborate on the impact of BYOD on institutions locally and internationally. Researching IT governance frameworks was also necessary in order to select the most appropriate framework to be used as a benchmark. Following the literature review, the incremental IT strategic and operational risks were summarised in tabular format.

A control framework was used to identify controls because it provides structure to controls and ensures that all applicable controls are identified. A control framework is a data structure that organises and categorises an organisation's internal controls, which are the practices and procedures established to create business value and minimise risk. Some notable IT frameworks include PRINCE2, the Information Technology Infrastructure Library (ITIL), and COBIT 5. COBIT 5 was selected as the framework for identifying appropriate safeguards to mitigate the risks. COBIT 5 is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. It provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Stroud (2012) stated in a webinar conducted by ISACA that COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. The framework addresses both business and IT functional areas across an enterprise and considers the IT-related interests of internal and external stakeholders.

The processes underlying COBIT 5 were analysed (in the context of the BYOD literature review performed) to determine which processes would be applicable to managing BYOD risks, and the importance of each process was determined. Each applicable process was then used to formulate appropriate controls that address the specific risk. COBIT 5 focuses on two areas: governance and management. These two areas are divided into five domains. The evaluate, direct and monitor (EDM) domain addresses governance issues and provides organisations with guidance on how they should govern and manage their IT-enabled business investments. The management area contains the following four domains:

  • Align, plan and organise (APO): this provides guidance for planning and organising acquisitions which are made by the organisation.
  • Build, acquire and implement (BAI): this provides guidance on the processes required to acquire and implement IT solutions.
  • Deliver, service and support (DSS): this provides guidance for servicing and supporting IT solutions.
  • Monitor, evaluate and assess (MEA): this provides directors with guidance on how they can monitor and evaluate the acquisition process and the internal controls which have been implemented. This will help ensure that acquisitions are properly managed and executed.

In order for an organisation to reduce identified risks to an acceptable level, it needs to implement internal controls.