Half of firms with BYOD policies have suffered a security breach, Dell claims

Out-Law News | 20 Mar 2013 | 12:24 pm

Half of Dell's customers that allow their employees to use their own technology for work purposes have suffered a security breach, the IT company has told an online magazine.

Margaret Franco, executive director of End User Computing with the firm, told V3 that the figures showed that businesses should ensure that any bring your own device (BYOD) policy met the needs of the firm without overlooking essential data security needs.

"We would not advise customers to simply let users bring in any device at all," she told the publication. "In fact, what we've found is that customers that have allowed a BYOD policy, that have allowed end users to bring in anything that they want, 50% of those companies experienced a security breach."

"Our approach is to start with an assessment of what [the customer] wants, profiling the users and looking at the right applications for those users, and only then considering what the right kind of device is. [Companies] have two choices. They can put in place policies and [mobile data management] solutions in order to react to these trends, or they can really put together a strategy for end user computing that enables them to pro-actively address them," she said.

Franco's comments echo warnings given by data security and employment law experts at Pinsent Masons, the law firm behind Out-Law.com, in relation to the growing demand by employees to be allowed to use their own mobile devices for work purposes. Earlier this month, Pinsent Masons' experts warned that businesses should develop a comprehensive BYOD policy and avoid "drifting" into permitting staff to use their own devices.

At the beginning of March, UK data protection watchdog the Information Commissioner's Office (ICO) published new guidance for employers on BYOD (14-page / 325KB PDF). The ICO stressed that organisations should remember that they are duty-bound to look after the personal data they are responsible for under data protection laws "regardless of the ownership of the device used to carry out the processing". Companies must ensure that devices used for work purposes are password-protected, and that data is encrypted when being transferred as well as being stored, the ICO said.

IT contracts and technology law specialist David Isaac of Pinsent Masons warned previously about the additional 'hidden risks' of the growing popularity of BYOD.

"The headlines seem to focus on data security, intellectual property ownership and privacy whenever the issue of BYOD adoption is raised," he told Out-Law.com in January. "But for businesses, an equally important concern may be to identify any hidden risks which may result from placing the capital cost of the device and ongoing data plan charges on employees, including reputational ones."

"BYOD also creates added complexity for IT support service providers as they must factor into their service propositions both devices they are not familiar with and locations they have not agreed to," he said.

The Guardian reported yesterday that the UK Government had rejected new software designed by Canadian mobile firm BlackBerry as "not secure enough for essential work". The newspaper said that both new BlackBerry operating system BB10 and BlackBerry Balance, a new feature which is intended to allow users to separate work and personal accounts on the same device and prevent any copying of data between them, had failed security tests by the UK's Communications-Electronics Security Group (CESG).

BlackBerry's previous operating system, version 7.1, was cleared by the CESG in December 2012 for classifications up to 'Restricted', which is the fourth level of protection recommended for government communications. The CESG is the UK Government's national information security arm.

In a statement, the company acknowledged that there had been a delay in CESG's approval of BlackBerry 10, but added that it was "continuing to work closely" with the Government. It added that the US Government, the German Procurement Office and Federal Office for Information Security had already backed the software.

"We have a long-established relationship with CESG and we remain the only mobile solution approved for use at 'Restricted' when configured in accordance with CESG guidelines," BlackBerry said. "This level of approval only comes following a process which is rigorous and absolutely necessary given the highly confidential nature of the communications being transmitted."

"We are continuing to work closely with CESG on the approval of BlackBerry 10 and we're confident that BlackBerry 10 will only strengthen our position as the mobile solution of choice for the UK government," it said.