Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

BYOD Security: Risks and Mitigation

Verified

Added on 2020/04/01

AI Summary

The provided document delves into the topic of Bring Your Own Device (BYOD) and its implications for information security. It examines various risks associated with BYOD implementations, such as data breaches and unauthorized access. Furthermore, it discusses strategies and best practices for organizations to mitigate these risks and ensure a secure BYOD environment. The document draws upon academic research and industry insights to provide a comprehensive analysis of BYOD security challenges.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running Head: “BRING YOUR OWN DEVICE” PROJECT 1
Title: “Bring your Own Device” Project
Name:
Institution:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

“BRING YOUR OWN DEVICE” PROJECT 2
Contents
Executive summary....................................................................................................................3
Review of project.......................................................................................................................5
Project impact on Aztec security posture...................................................................................6
Risk assessment – threats, vulnerabilities and consequences....................................................9
Threats....................................................................................................................................9
Vulnerabilities......................................................................................................................10
Consequences.......................................................................................................................12
Existing recommendations...................................................................................................12
Risks for Data security.............................................................................................................12
References................................................................................................................................14

“BRING YOUR OWN DEVICE” PROJECT 3
Executive summary
Professionally run organizations consistently carry out risk assessments on their
business operations so that they can identify and deal with threats to their business. Beyond
undertaking risk assessment and management as a mere good corporate governance measure,
there is the more important need to identify the potential risks that a business faces, and its
capacity to respond to them in case they do occur. Businesses also need to properly map out
the risk areas in their businesses, so that they can adopt appropriate strategies to deal with
these risks while dedicating the required resources for this task.
Risk emanates from the unauthorized access or utilisation of information which is
transacted or stored using technological tools such as phones and computers. Organizations
constantly worry about being victims of hacking schemes perpetrated by cyber criminals. For
this, they come up with complex security systems that try their best to keep up with
developments in cybercrime. The risk does not always emanate from the outside, however.
Internally, employees may be guilty of acts of omission or commission which expose their
organizations to risk. This may include negligently or maliciously disclosing confidential
information, or failing to secure the information in their care appropriately, causing it to fall
into the wrong hands.
Risk assessments encompass several factors involved in the IT framework. The
factors include the people who use the system, including the users, administrators and
managers, as well as the hardware used. Networks used to pass information, and software
which runs the hardware is also important factors, as is the overall system governance that the
company has adopted.
A vast majority of Australians have cell phones, which they carry to work. A
significant number of these phones are Smartphones, which are able to perform several roles
akin to those of a computer. At the same time, a big number of Australians own laptops,
tablets and other gadgets which can be used for communication, in addition to performing

“BRING YOUR OWN DEVICE” PROJECT 4
many tasks at the workplace. A company may be tempted to allow employees to bring in
their devices and use them to work, for several reasons. First, this saves the company cost.
Instead of having to acquire the said gadgets, the company can easily utilize what the
employees already have, and only engage in routine maintenance and monitoring.
A second reason for allowing this is to enable connectivity between employees if it is
an important part of the work that they do, and where the same connectivity cannot easily be
provided by the company’s assets. The employees may in such circumstances be more
productive using their own devices, as opposed to having company – provided infrastructure.
This decision may, however, be laden with several risks, that at times force companies
just to opt to equip their employees with company assets, which can easily be maintained and
monitored, in addition to providing for uniformity.
Review of project
The project to allow employees use their devices to work has several merits and
challenges, as described before. The benefits mainly refer to the increased connectivity and
ease of work, which may improve morale and productivity in some instances. On the other
hand, unwanted access to information, irregular use of company resources and difficulty in
monitoring activity are some of the challenges. According to Derks and Bakker (2010), the
organization must be in well understanding of its priorities. Only then will it be able to make
the right decision about allowing the use.
Technology has dramatically changed the way businesses conduct their affairs, mostly
making communication faster and easier. It has also provided companies with powerful tools
to communicate with their customer's conduct market research and facilitate intra-
organizational transactions. The development of information technology has not been without
its own risks and challenges. For instance, the field is constantly changing, sometimes
dramatically. Organisations have to constantly check their assets to ensure they are up to the
task and change what is no longer well equipped for current and future business needs.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

“BRING YOUR OWN DEVICE” PROJECT 5
According to Yelby (2013), employee monitoring is a controversial practice, which is
undoubtedly on the rise. Companies find themselves monitoring their employees as a way of
managing risks emanating to employees’ use of communication tools such as laptops and
phones. Technological advances, for instance, mean that employees can more easily use work
resources for personal chores, such as communicating with friends and entertaining
themselves, at the expense of the company. By using company resources, it is easier to
monitor such instances, since they should exclusively be used for work-related duties. With
personal gadgets equipped with organizational software applications and connection, it
becomes much harder, sometimes bordering on invasion of privacy to monitor the same
employees. In the financial services sector, where dedicated secure applications are usual
used to effect transactions, the ability to control every device accessing the system becomes
even more important (Olalere, Abdullah & Mahmod, 2015).
Generally, organizations require their employees not to create or exchange messages
which may be found to be offensive, obscene or inappropriate in the workplace. They should
also not visit websites which carry inappropriate information for the workplace. Sending
confidential information is also regulated, such that employees may not send a confidential
client or other information without clearance first (Vorakulpipat et al., 2017). In creating,
storing and exchanging information, existing copyright law must be considered. The
employee must ensure such activities do not go on. It is also improper to create adverts, chain
letters or other communication that is unauthorized by the organization, especially if it is to
be used for personal ends (Arregui, Maynard & Ahmad, 2016).
The standards above do not form any regulatory framework in the country. But they
are part of industry best practice that must be adhered to in order to properly secure
organizational resources. The organization may refer o the stated standards and find that it is
possible to achieve them while still allowing for the use of personal computers for

“BRING YOUR OWN DEVICE” PROJECT 6
organizational tasks. However, this may prove to be a difficult undertaking, especially in light
of privacy laws, as well as the resources to be expended in ensuring compliance with
company requirements. Financial institutions operate within a strict framework of regulations
meant to ensure the privacy of client information and to ensure compliance with statutory
laws. These laws’ observance should not be limited in application by the use of personal
devices that could well act as a means of breaching the law (Gajar, Ghosh & Rai, 2013).
Project impact on Aztec security posture
In assessing the security risks and other impacts that the project will have on the
security posture at Aztek, it is important to note that the gadgets will be bought by the
employees, and will be used for personal as well as organizational tasks. However, the
organization will be responsible for the rest of the infrastructural and network issues. It will
need to ensure that the devices are well serviced so that they do not impact on organizational
efficiency. At the same time, the organization will be tasked with monitoring their use, to
ensure that they are not used to transfer information contrary to company policy (Coenescu,
2016).
Organizations are right to want more form technology, in the form presented by
Smartphones and other gadgets. They may also not be in a position to provide these devices
to their employees for official use. In rushing to reap the benefits of smart technology, as well
as the cost savings of having employees shoulder the initial acquisition of the device, the firm
should not be blind to the huge security problems that this portends. For instance, the
infrastructural costs to monitor and maintain the devices will be much higher than if they
were company owned. This is because the devices bought will have individual preferences
(Vorakulpipat et al., 2017). They may be of different operating systems, model, capabilities
and other differences.
The main reason behind the project to allow employees use their devices for
organizational duties is to make them pore productive, by giving them the ability to better

“BRING YOUR OWN DEVICE” PROJECT 7
streamline their working routines. However, the streamlining steps were taken, such as the
use of passwords to access sensitive information, and secondary use of the devices, such as
accessing unsecured websites, may have an adverse effect on the organization’s security. This
will further jeopardize the organization's security systems (Yeboah-Boateng & Boaten,
2016).
In the hypothetical scenario whereby the organization does allow the project to
continue, it needs to understand that the security posture then adopted will have to also
conform to employee preferences. After all, it will be selected so that they feel more at ease
working while saving initial acquisition costs of the gadgets. The safeguards which have been
instituted by the company to manage security better will have to be revised so that they can
be better adapted to the employee’s needs, while simultaneously addressing any security
concerns (Keyes, 2013).
The importance of connectivity cannot be downplayed. Employees need to be
connected with fellow employees, their managers, and with clients. Organization – provided
gadgets may not be able to provide this in the seamless way that the personal devices can.
Due to this, the trend has been gaining speed in the market, with more and more
organizations allowing their employees to use personal gadgets for work. This presents an
advantage for Aztek, were it to adopt the project. It will have several other organizations to
look up to in devising its own mechanisms to deal with the security challenges presented.
The performance of the network must be another consideration in determining
whether the project goes ahead or not. An assessment of the potential effect on the network’s
performance regarding efficiency and security must be done before the project goes ahead. If
the prognosis is poor, the organization must then decide on whether to shelve the plan, or
additionally invest in the network in line with recommendations, and therefore make it better
placed to handle the new development. In other instances, it may make the network perform

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

“BRING YOUR OWN DEVICE” PROJECT 8
better, especially when specific safeguards are put in place to limit their access to the network
(Brodin, Rose & Ahlfedt, 2015).
The management of employees in terms of their security clearance and access, as well
as the management of the ICT platform in the organization, will be drastically altered. The
organization must be alive to new challenges that were previously not part of its risk
management portfolio. It must increasingly worry about what employees do privately since
this has a real effect on the security of the organization. In relation to this, the question on the
security of the devices used to access the system must be posed and be satisfactorily
answered. The particular and nature of applications accessed by the devices will be
thoroughly scrutinised. Changes may need to be adapted to make them better equipped to
handle the increased risk level from cyberspace (Assing & Cale, 2013).
Recreational apps must be cleared after their interaction and effect on the
organization’s security have been assessed. For instance, some games that employees enjoy
privately may have security loopholes that can be used to access company data, putting it at
risk. Besides the clearance, the use of these devices both at the workplace and elsewhere will
be a source of concern for the organization. A new framework of management must be
formulated balancing between organizational security, business needs and individual privacy
(Brodin, Rose & Ahlfedt, 2015).
Risk assessment – threats, vulnerabilities, and consequences
Threats
Risk assessment is never about creating so much paperwork but rather identifying
reasonable measures that that will control the risks at the workplace.It should above all help
to decide if a company has covered all its needs not only its employees.It involves the
determination of quantitative or qualitative estimation of a risk related to the defined situation
and a recognized hazard and or threat.Application of the risk assessment is common in

“BRING YOUR OWN DEVICE” PROJECT 9
several fields and these sometimes may have specific legal obligations, codes of practice and
standardized procedures.
One of the major threats facing the project is the presence of bugs which are able to
bypass standard security features adopted by operating systems developers such as Android
or Apple. These bugs may not be easily discovered in the case of personal devices, putting
the company at a bigger risk than if a more easily manageable system was in place. At the
same time, the organization’s employees will bring a broad range of gadgets to the workplace
(Assing & Cale, 2013).
Without specifying the recommended or approved devices, the organization may be
stretched in trying to come up with a system that addresses all the likely bugs and other
threats presented to them. This also involves bug-prone apps that may be installed in phones.
These apps may have security issues, making information insecure. At the same time,
information the apps are extremely hard to track, unless such tracking is voluntary by the
owners of the gadgets (Yeboah-Boateng & Boaten, 2016).
Another eventuality that organizations have to face is the possibility of devices being
lost. Since they are not organizational property, they may not be open to the type of security
measures that would normally secure organization property, such as requiring that their
movement is cleared, or that their usage is in a specific area of the office. At the same time,
lost gadgets mean that a trove of information may easily fall into the wrong hands,
jeopardizing the organization (Brodin, Rose & Ahlfedt, 2015).
Some procedures, known as jail breaking, may undo the security features that a
gadget manufacturer has placed in the machine. In some instances, this may mean that the
gadget becomes a powerful tool to get information for malicious people outside, who may be
using a weakness in the gadget that the organization's security apparatus is still not able to

“BRING YOUR OWN DEVICE” PROJECT 10
address. Compromised devices in this away are different than bugged ones, which can be
resolved through antivirus or normal scanning mechanisms (Gajar, Ghosh & Rai, 2013).
As with any organization, there may be the risk of dishonest employees at the
company. These employees are likely to try everything to gain, at the expense of the
company. With a gadget whose monitoring is as compromised as personal devices, this
becomes a simple affair for the employee. The device is primarily under the control of the
employee, who may not voluntarily give details of their activities on the phone, and, with the
right skills, disable any attempts by the organization to rein in on unauthorised activity on the
system. It may be difficult not only to pinpoint the culprit of breaches perpetrated by these
people, but also difficult to come up with remedies which better address the issue without
limiting the use of personal devices (Garba, Armarego & Murray, 2015).
Vulnerabilities
The vulnerability is the inability of a system or even a unit to withstand the results or
impacts of a hostile environment.A window of vulnerability is a period of time where a
defensive measure is low or even lacking in some situations.Vulnerability expresses the
several dimensionalities of disaster by mainly focusing on the fullness of relationships in a
given environment and situation which gives forth a disaster.
There is an increased vulnerability in terms of losing data. The variety of gadgets used
as well as the inability of the organization to provide a thorough security system may mean
that leakages will become more prevalent. At the same time, the organization may be
required to regularly provide updates for software and operating systems to ensure they are
not vulnerable to attack. This will mean an aggressive and costly posture by the firm in terms
of how it manages security (Keyes, 2013).
As discussed before, it is difficult to determine conclusively whether employees will
voluntarily place the required security protocols before the engage in a unmonitored online

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

“BRING YOUR OWN DEVICE” PROJECT 11
activity, such as accessing unsecured WIFI away from the office and visiting websites which
are not well secured. A huge number of devices have issues related to privacy and security
settings. People may think it is not important to secure them, but the story changes when the
employee has been entrusted with highly valuable and sensitive information. Gadgets may
sometimes be used by more than one person away from work. This again raises the
vulnerability of this project, since such persons cannot be reasonably cleared before viewing
privileged information (Yeboah-Boateng & Boaten, 2016).
The nature of a persona device, when it is employed for work purposes, means that it
is impossible to divide personal issues form business affairs. The vulnerability, in this case,
relates to the danger of the employee inadvertently sharing privileged information, as well as
malicious bugs. These bugs can then easily be introduced into the system by the device, a
factor which will jeopardize the security of the whole system (Garba, Armarego & Murray,
2015).
Some employees do not properly take care of their devices, the way an organization
with a dedicated team of IT experts would. This means that the devices are sometimes not
even locked, nor are there any updates to ensure the security system is up to date. Employees
may also leave their devices unattended, raising the risk of the device being used maliciously
be others to transact business and frame an innocent but negligent person (Priyadarshi, 2013).
The nature of the project is such that the organization will have to make modifications
to its IT infrastructure. These modifications are meant to ensure that the system is able to
handle the new model of operation while maintaining the safety and integrity of the
system.thi may involve securing data, while also ensuring it conforms to current IT policy. In
the process of doing this, some security measures may be removed or otherwise ignored,
despite their importance under the previous regime, to enable the utilization of personal
devices. This likewise opens up the system to more vulnerability (Priyadarshi, 2013).

“BRING YOUR OWN DEVICE” PROJECT 12
Consequences
The vulnerabilities and consequences presented above bring about far-reaching
consequences for the organization and its posture to security risks. The organization will save
on the acquisition of devices brought by its own employees. However, it will need to spend
more to manage better them, and the threats they pose. This involves regular and rigorous
training to employees, as well as monitoring to the permissible standards, to identify the
unauthorised or malicious use of devices within the network (Dhingra, 2016).
Another consequence is the need for a modified network and IT infrastructure sop that
the nature of the devices can be accommodated, as well as the range of threats and
vulnerabilities they present to the organization (Dhingra, 2016).
Existing recommendations
There are several recommendations on how organizations can better address the
issues which face them. A policy change is necessary, to enable a better response to the
stated threats. A VPN is necessary to ensure that prior to enabling access; data transferred to
and from the device is encrypted and otherwise secured. The procurement of an Enterprise
mobility management is also recommended so that the organization can easily monitor and
manage risks in devices before they can compromise the system. Training is recommended to
help employees manage their devices better, and whistle blows on any unbecoming behavior
by others. Investment should also be made to ensure the system is able to handle the new
project (Garba, Armarego & Murray, 2015).
Garba, Armarego, and Murray (2015) appreciate the fact that the “bring your own
device” trend is picking steam, even with all the threats pointed out. Organizations, therefore,
need to proactively look for the environment and come up with a well-defined policy
regarding the devices, rather than hurriedly formulating one after a project such as the one
discussed in this paper is eventually approved. This will give all the relevant parties’
sufficient time to consider any loopholes and fix them.

“BRING YOUR OWN DEVICE” PROJECT 13
Risks for Data security
Protecting your business means protecting your data.Organisations of all sizes
whether small or big worry about the constant barrage of data security threats.To prioritize
these data, a company must identify the information assets by considering the types of
information the company handles on a daily basis.Locate these information assets and listing
where each resides and classifying it.Conducting a threat modeling exercise by rating the
threats that each type of information each faces. Finally, start planning to depend with the set
security thresholds.
To mitigate the risks which may emanate from using personal devices, the type of
information processed should be strictly limited to what is needed. Email use can be allowed,
but access to systems which are used to pass transactions should only be limited to a specific
number of people. The information on email should also not be open to all employees. This
would create a management nightmare, due to the inability of the company to guarantee the
adherence of every employee granted access to the use of personal devices at work (Garba,
Armarego & Murray, 2015).
It is imperative that employees who are given access be cleared first. This clearance
will be done on the basis of their grasp of the security risks that the organization faces as a
result of granting this access, as well as the steps they need to undertake to mitigate better or
avoid these risks. They should be of a minimum level of the hierarchy of the system, so that
they actually need the function, and can be personally held liable for any misuse or other
misconduct (Olalere, Abdullah & Mahmod, 2015).
The type of data should be in such a way that it is not possible to complete a
transaction while using devices over another network. For instance, making or verifying
transactions can only be done at the organization’s premises, at particular times of the day.
There should be no exceptions to the policy. Attempts to use other networks should be
reported by the system, for future investigation either of violation of policy or of suspicious

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

“BRING YOUR OWN DEVICE” PROJECT 14
activity by malicious parties. For those employees who normally have the rights to make and
verify transactions or other entries in the banking system, the rights should be withdrawn in
instances where the employee is using mobile devices such as phones, tablets or others using
easily compromised systems.
In connection with the risks identified above, it is important to identify some of the
risks associated with the proposed structure, and how they can mitigate. The management of
employees to ensure responsible use of information and interaction with the network was
covered before as being a huge managerial challenge, due to the nature of devices being used,
as well as existing laws on infringement of privacy. For instance, it would be impossible to
obtain a log of all the websites that an individual has visited, which would be easy in the case
of a company – owned device (Yelby, 2013).
The inability by the organisation to conclusively guarantee the security of information
emanates from the actions of omission or omission by the employees, normal threats that
would have still need to be dealt with, as well as the fluidity of threats facing the organisation
– from the viewpoint of a hacker, there will be more numerous channels to attack the
organization to gain information that would have been the case before. With this in mind, it is
critical that the organization first builds capacity by upgrading its network capacity, as well
as its security infrastructure. Only then will it be able to set the project rolling (Keyes, 2013)
finally.
Even then, the organization and its employees must always be ever vigilant to address
any vulnerability and mitigate any risks. This includes having the professional conduct
expected of the employees, as well as an understanding of what the risk is, and what is at
stake (Keyes, 2013).
While these are essentially personal devices, of which the organization has no legal
right over, it can still require that employees take some steps to secure their devices. Besides

“BRING YOUR OWN DEVICE” PROJECT 15
the tracking tools and lock mechanisms, it is important for the organization to facilitate
insurance cover for the machines, so that their possible loss does not injure the organization’s
interests. Additionally, there should be a clear and policy on the conduct required from
employees when they are in poseccon of devices linked to the organization, such as personal
recreation.
Finally, the risks associated with employees using their devices at work are explored,
with a view of establishing a practical way of treating the issue, while ensuring that
organizations system security is maintained. Where the organisation is reasonably unable to
guarantee the security of these devices, it should not allow their use for work activities,
regardless of the accompanying efficiency and cost savings considerations.

“BRING YOUR OWN DEVICE” PROJECT 16
References
Arregui, D., Maynard, S., Ahmad, A. (2016). Mitigating BYOD Information Security Risks.
Australasian Conference on Information Systems, 1-11.
Assing, D., Cale, S. (2013). Mobile Access Safety: Beyond BYOD. London: John Wiley &
Sons.
Brodin, M., Rose, J., Åhlfeldt, R. (2015). Management issues for Bring Your Own Device.
In: Proceedings of 12th European, Mediterranean & Middle Eastern Conference on
Information Systems 2015 (EMCIS2015)
Carvalho, M., Rabechini, R. (2015). Impact of risk management on project performance: the
importance of soft skills. International Journal of Production Research, 53(2), 321-
340.
Cotenescu, V. (2016). People, process, and technology; a blend to increase an organization
security posture. Naval Academy Scientific Bulletin, 19(2), 394-396.
Derks, D., Bakker, A. (2010). The impact of email communication on organizational life.
Journal of Psychosocial Research on Cyber Space, 4(1), 4.
Dhingra, M. (2016). Legal Issues in Secure Implementation of Bring Your Own Device
(BYOD). Procedia Computer Science, 78, 1790184.
Gajar, P., Ghosh, A., Rai, S. (2013). bring your own device (byod): security risks and
mitigating strategies. Journal of Global Research in Computer Science, 4(4), 62-70.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

“BRING YOUR OWN DEVICE” PROJECT 17
Garba, A., Armarego, J., Murray, D. (2015). Bring your own device organisational
information security and privacy. ARPN Journal of Engineering and Applied
Sciences, 10(3), 1279-1287.
Kaplan, R., Mikes, A. (2016). Risk Management—the Revealing Hand. Journal of applied
Corporate Finance, 28(1), 8-18.
Keyes, J. (2013). Bring Your Own Devices (BYOD) Survival Guide. Boca Raton: Taylor &
Francis Group.
Olalere, M., Abdullah, M., Mahmod, R. (2015). A Review of Bring Your Own Device on
Security Issues. Sage Open, 5(2), DOI: 10.1177/2158244015580372
Pimchangthong, D., Boonjing, V. (2017). Effects of Risk Management Practice on the
Success of IT Project. Procedia Engineering, 182, 579-586.
Priyadarshi, G. (2013). Leveraging and Securing the Bring Your Own Device and
Technology Approach. ISACA Journal, 4, 1-5.
Teymouri, M., Ashoori, M. (2011). The impact of information technology on risk
management. Procedia Computer Science, 3, 1602-1608.
Vorakulpipat, C et al. (2017). A Policy-Based Framework for Preserving Confidentiality in
BYOD Environments: A Review of Information Security Perspectives. Security and
Communication Networks, DOI: 10.1155/2017/2057260
Yeboah-Boateng, E., Boaten, F. (2016). Bring-Your-Own-Device (BYOD): An Evaluation of
Associated Risks to Corporate Information Security. International Journal in IT and
Engineering, Impact Factor, 4(8), 12-30.
Yelby, J. (2013). Legal and ethical issues of employee monitoring. Online Journal of Applied
Knowledge Management, 1(2), 44-55.

1 out of 17

+13062052269

info@desklib.com

BYOD Security: Risks and Mitigation

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Networked Business Process Management

Risk Assessment: BYOD Policy

Mobile Device Usage in Education

BYOD in Education: A Literature Review

IT Risk Assessment Case Study

Designing BYOD Electronic Examinations