ITC596 IT Risk Management : Bring Your Own Device Technology

1. Improved  productivity – research has indicated that business that have embraced experience increased business productivity
2. Enhanced flexibility – mobile devices attract a business workforce in that they can work from wherever they could be. They can access company network remotely with a variety of hand-held computing devices

• Decreased hardware asset procurement – a modern business cannot survive without computer technology including software and hardware. By allowing BYOD implementation organizations don’t require to purchase hardware for use in the business since employees use their own devices hence lessening hardware acquisition costs for the business

1. Cost reductions – as stated above an organization is able to minimize hardware software and acquisition which helps the entire business cut on expenses by tasking employees with such responsibility
2. Cheaper device and infrastructure maintenance
3. Organizational staff are already experienced in using their own devices and won’t require training and help desk support. In addition, staff always ensure that their devices are updated to the latest patches and other software updates which is beneficial for the company.

4.0 Financial services sector review

Technology has brought in numerous advantages for financial businesses (Celik, 2013). Bring Your Own Device (BYOD) as an emerging technology is there on the rise in being adopted by many industries, however the financial industry has embraced BYOD much more that other sectors (Nerney, 2016). Because of a growing and ever expanding BYOD concept, it is important that financial services sector must also adopt the technology (Lund & Silva, 2015).

Like mentioned before, some organizations that allow BYOD are not bothered with the data security issue which is very risky.  Like other industries, many financial institutes are also taking necessary precautions with mobile device usage by employees which is also hazardous.  According to a current survey (Advisor, 2017), more than two-thirds of financial establishments are yet to optimize and install enterprise related mobile device management with regard to BYOD adoption (Winjnhoven & Wassenaar, 2010).

4.1 Industry compliance and government policies 

An Australian government agency for managing information management in the workplace,  (AGIMO) is on the edge of allowing  a strategy document  for increasing mobility technology that will include tablets, smartphones, notebooks, mobile applications for governmental departments and public servants (Trevor, 2013). For financial institutes, BYOD embracing starts with looking into governmental policies and compliance standards that could guide its adoption. Therefore, organizations should first and foremost assess the end-to-end effects of BYOD in the business, chiefly in terms of privacy, security, compliance, data access, content and workforce mobile device usage guidelines. In addition, financial organizations need to choose the right service providers for maximum scalability, flexibility BYOD deployment management and solutions (Framingham, Gens, Levitas, & Segal, 2011). It is important to have a wide range of partners, service workers and recognized professional experts knowledgeable in mobility services, networks and security to assist organizations in ensuring better BYOD management.

4.0 Impacts of adopting BYOD for Aztec 

Organizations are   increasingly opening their data and information systems to mobile devices including smart phones, notebooks, personal digital assistants (PDAs), iPads and others. This trend has created the BYOD technology that is also referred to as IT ‘consumerization’ in the workplace. Both organizational customers and the workforce are now favoring the performing and accomplishing tasks through the use of their own individual devices over devices provided by an organization (Framingham, Gens, Levitas, & Segal, 2011). Bring your own device (BYOD) paradigm is therefore is a rising development for business IT. There are several benefits for permitting users to carry and use their personal devices to work as well as some concerns including data security issues (Bradley, 2011).

Many financial organizations embrace bring your own device (BYOD) with the notion that the technology will help them in reducing operational costs (Miller, 2016). However the real value of bring your own device (BYOD) technology is to enhance employee experience and satisfaction as well as quickening technical adoption in an organization. With happy and satisfied employees, there results business productivity. Implementing BYOD for financial organizations is a bit more sensitive as it involves more than shifting company infrastructure to employees owned devices.  It involves hidden and   complicated impacts, in that policies and procedures need to be laid out in well-defined processes before BYOD adoption (Miller, 2016). Preliminary success for any BYOD deployment, a business has to do enough preparation with regards to complex requirements and risk management procedures.  The two major important factors to consider in trying to implement bring your own device technology at the early stages include security (BankTech, 2013). Lack of security procedures with BYOD implementation can have adverse effects for a business and can even lead to downtime.  The other critical factor has to do with legal compliance policies. It is crucial to establish trust models in terms of understanding what the BYOD technology means with regard to legal obligations (BankTech, 2013). 

Technology deployment in a business provides a lot of business changes. In this case, deploying BYOD at Aztek can have either advantages as well as provide some risks. However risks can be prevented before they occur by installing controls to detect and avoid them in the company.  

5.1 Benefits of BYOD implementation

• Increased employee satisfaction. If staff are allowed to use their own technology, it increases their work experience s which motivates to work more responsibly and efficiently which will in turn improve productivity  for Aztek company
• Reduce hardware and software acquisition costs since employees will be using their own devices. This means that Aztek company will not need to buy mobile devices for the company reducing business expenses
• Reduction in maintenance expenses. Aztek will only need to maintain the devices that belong to the organization since employees will take care of the maintenance of their own devices
• Mobility leading to increased business flexibility. since employees are allowed to use their own technology, they can  perform work remotely from anywhere including at home and on commute which improves business efficiency
• Aztek will gain a competitive advantage since by adopting BYOD they will be embracing the digital shift which is increasingly improving all business functions in terms of how businesses engage with existing and prospective customers as well as partners and stakeholders.

5.2 Threats and Vulnerabilities

Many technology advances come with a share of risks. This is because of the fact that modern technologies are accessed through the Internet that connects all categories of networks and users including fraudulent users.  As a result, data security breaches are on the increase.  The recent ransom ware attack, wanna cry saw organizations including financial agencies suffer data and financial loss for organizations in over 150 countries (Woollaston, 2017).  Major risks associated with adopting BYOD for Aztek could include the following;  

• Data insecurity from hackers
• Lack of proper security controls in employee devices
• Lack of proper mobile device usage could bring in data security  susceptibilities
• Mobile device theft since employees use them outside the organizations which can lead to data access by the wrong hands
• BYOD pressures the ICT department to be acquainted with a wide range of mobile gadgets in an effort to link them to the company network since every individual person in the organization will have a different version of a cell phone, notebook or tablet.
• Some  companies may be using applications that cannot be installed or are not compatible with particular mobile computing devices that employees bring into the business  which could make business procedures stop and affect business performance   

6.0 Data security risks 

Disputably, a huge concern for BYOD adoption in a financial institution is data and information security (Pillay, et al., 2013).  The use of personal devices therefore introduces a lot of risks for the organization. Data security could include the following

• Data loss – employees can easily lose company data as they carry the devices outside company premises
• Data leakage – since individuals are using their own data, it easy to leak company information easily to unauthorized sources which could harm the organization
• Lack of management and control over devices and data contained in them  – the organization is limited in controlling and managing employees personal devices
• Susceptibilities due to malicious software installations by users which could harm the organization by creating risks

Therefore, for financial establishments, data security risks and other data compromises, prompts organizational management to upgrade urgency in enabling the setting up of a robust secure environment for BYOD implementation

7. 0 Risk management  

Risk assessment   refers to an evaluation of IT methodologies that are used to manage risks. Risk management can also be defined as activities that combine risks identification, risk evaluation, strategies to cope with risk and mitigation possibilities (Berg, 2010).  As far as organizations are concerned, they can be faced with very many risks factors and therefore require risk management procedures. BYOD brings about many risks as discussed above. It is therefore crucial for organizations including Aztek to have ways to identify and manage those risks.

7.1 Major IT Control Frameworks

• Personally owned, company enabled - BYOD devices can fall in the the POCE group framework category where they purchased or acquired by an individual but controlled by an organization to ensure security (Hassell, 2012).
• Corporate owned, personally enabled – BYOD control and management can also be under COPE category where they owned by an organization but used privately by an individual employee (Hassell, 2012).

7.2 Other existing BYOD control considerations  

• Security procedures and policies - include setting security policies for organizational to control acceptable BYOD devices and   informing employees of standardized security practices to follow.
• Security culture – involves a set of collaboration, thinking and behaviors amongst employees with regard to how they understand their role towards decreasing data security risks (Thomson, 2010).
• Security Strategy – includes well defined approach to ensure that BYOD application will boost employee productivity and satisfaction without  creating risks (Siponen, 2006)
• Security controls – combined with security strategy, security controls reduce BYOD risks, threats and associated vulnerabilities.
• Security training and awareness - educate users on the importance of and security implementation in their devices (Crossler & Belanger, 2009).

Data security approaches

Technology will keep on advancing creating more complexities and concerns such as data security concerns. Improved technologies also mean that hackers and intruders also get access to upgraded intrusion tactics.  Organizations that embrace BYOD have to therefore a secure BYOD   environment (Paloma, 2013).  Organizations such as Aztek can use the following policies to ensure a safe BYOD environment

• Integrated policies and procedures control and management:  policy and procedures allow data, systems and applications security   by authenticating and authorizing the users. It will therefore be important for Aztek to deploy policies to manage mobile device usage to ensure a secure BYOD environment
• Another way to enable a secure BYOD environment is to ensure corporate network and access security services. BYOD success requires that ICT unit in the business provide the right levels of network and security access to the business network in this case based on each user device and profile. Company employees at Aztek should  also be able to securely  access the suitable  data, services and applications  by use of encryption protocols and authentication factors
• Implementing additional levels of security in employee devices with access procedures as well as employee devices owned by the company. This proves   essential in ensuring protection of delicate data in the company.
• Mobile device management(MDM) which  permits  ICT department to monitor devices connected to the organizational  and hence  deny access  from suspicious devices and applications as well as deleting access of employee device that have been reported stolen
• Ensure secure data communications by using secure  encryption  standards between mobile devices and company network substructures including wireless and wired networks

Conclusion: 

BYOD implementation is more and more on the rise (Cisco, 2012). There includes valid motives why some organizations would consider embracing bring your own device (BYOD) approach such as to save costs and maintenance of IT resources. Also, mobile computing devices are progressively on the increase in the world today. On one hand, consumers feel at ease when using their own devices to access organization networks which as stated above is very beneficial for the businesses especially the financial institutions.  However, on the other hand, organizations need to take into consideration the security measures of mobile device computing and as well as compliance obligations governing mobile device usage.  Several organizations have already concluded that BYOD adoption is worth the risks. Others are yet to embrace BYOD technology as they probably tend to conclude the risks involved could be too much for the business.  As such, it suffices that BYOD adoption is a matter of an organization weighing the pros and cons of implementation and then deciding on whether to allow the technology or not.  Those that allow BYOD adoption need to enforce procedures for data security such as mobile device management and requiring that mobile device access to the company network is monitored and controlled by IT personnel. With this, they will be able to reduce infrastructure costs and IT resources maintenance fees. Conversely, organizations that choose not to embrace BYOD may be able to control data security at a higher level and deal with IT resources procurement and maintenance costs. Whatever option an organization goes by, it is important to note that technology will continuously develop and that together with such advances are associated risks. The important thing is to develop procedures that will help the business manage the likelihood of such risks.

Recommendation: 

The risk assessment lead recommend that Atzek takes on the adoption of BYOD in the organization so as to save on expenses associated with procuring and maintain IT resources. Such a move will also enable Atzek create a satisfactory working environment for its workforce. As for risks, threats and susceptibilities that could be associated with such implementation, the business can install methodologies that will entirely prevent as well as lessen BYOD implementation risks such as mobile device management, encryption protocols, device authentication and authorization. This will enable conforming to the digital revolution as well as safeguarding organizational data and information

Reference:

Advisor. (2017, January 3). 23 BYOD Statistics You Should Be Familiar With. Retrieved from www.ingrammicroadvisor.com: https://www.ingrammicroadvisor.com/data-center/23-byod-statistics-you-should-be-familiar-with

BankTech. (2013, June 13 ). Preparing Your Bank for BYOD. Retrieved from www.banktech.com: https://www.banktech.com/channels/preparing-your-bank-for-byod/a/d-id/1295146?

Berg, P. (2010, June ). RISK MANAGEMENT: PROCEDURES, METHODS AND EXPERIENCES . Retrieved from https://www.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf

Bodley-Scott, J. (2014, June 11). BYOD for the financial services sector - are you ready? Retrieved from www.bobsguide.com: https://www.bobsguide.com/guide/news/2014/Jun/11/byod-for-the-financial-services-sector-are-you-ready/

Bradley, T. (2011, December 20). Pros and Cons of Bringing Your Own Device to Work. Retrieved from PC World: https://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html

Celik, H. (2013). The Impacts of Information Technologies on Financial Institutions. Globalization of Financial Institutions, 175-183.

Cisco. (2012). Introduction: BYOD Has Gone Global. Retrieved from www.cisco.com: https://www.cisco.com/c/dam/en_us/about/ac79/docs/re/BYOD_Horizons-Global.pdf

ComputerSolutions. (2017, October 2). THE PROS & CONS OF BYOD IN THE WORKPLACE. Retrieved from www.ezcomputersolutions.com: https://www.ezcomputersolutions.com/blog/the-pros-cons-of-byod/

Crossler, E., & Belanger, F. (2009). The Effects of Security Education Training and Awareness. Journal of Information System Security , 3-22.

Framingham, M., Gens, F., Levitas, D., & Segal, R. (2011). Consumerization of IT study:Closing the consumerization gap. Retrieved from International Data Corporation.

Garlati, C. (2011). Trend micro consumerization report 2011. Retrieved from www.bringyourownit.com: https://bringyourownit.com/2011/09/26/trend-micro-consumerization-report-2011/

Hassell, J. (2012, May 17). 7 Tips for Establishing a Successful BYOD Policy. Retrieved from www.cio.com: https://www.cio.com/article/2395944/consumer-technology/7-tips-for-establishing-a-successful-byod-policy.html

Hurst, B. (2012, August 6). Happiness Is … Bringing Your Own Computer Devices to Work. Retrieved from www.retailwire.com: https://www.retailwire.com/discussion/happiness-is-bringing-your-own-computer-devices-to-work/

IBM. (2017, October 3). IBM Mobile solutions . Retrieved from www.ibm.com: https://www.ibm.com/mobile/

Jeff, J. (2012, August 2). BYOD: Organizations Question Risk vs Benefit. Retrieved from Microsoft: https://cloudblogs.microsoft.com/microsoftsecure/2012/08/02/byod-organizations-question-risk-vs-benefit/

Lund, D., & Silva, J. (2015, October ). Financial Services Optimizing BYOD Strategies for Success. Retrieved from www.business.att.com: https://www.business.att.com/content/whitepaper/optimizing-byod-strategies-for-success-whitepaper.pdf

Mielach, D. (2012, April 26). Worker BYOD: A Double-Edged Sword for Employers. Retrieved from www.businessnewsdaily.com: https://www.businessnewsdaily.com/2423-byod-risk-benefits.html

Miller, D. (2016, December 29). Can BYOD Work for Banks? Retrieved from www.ericom.com: https://www.ericom.com/communities/blog/can-byod-work-for-banks-and-financial-institutions

Monnappa, A. (2016, December 1). What is BYOD (Bring Your Own Device) and Why Is It Important? Retrieved from www.simplilearn.com: https://www.simplilearn.com/what-is-byod-and-why-it-is-important-article

Nerney, C. (2016, November 25). BYOD policy for financial firms. Retrieved from www.mobilebusinessinsights.com: https://mobilebusinessinsights.com/2016/11/byod-policy-for-financial-firms/

Paloma, J. (2013, February 19). A Secure BYOD Environment. Retrieved from Microsoft : https://technet.microsoft.com/en-us/security/jj991910.aspx

Pillay, A., Nham, E., Tan, G., Diaki, H., Senanayake, S., & Saurabh, D. (2013). Does BYOD increase risks or drive benefits? Retrieved from minerva-access.unimelb.edu.au: https://minerva-access.unimelb.edu.au/bitstream/handle/11343/33345/300314_2013_tan_risk.pdf?sequence=1

Siponen, M. (2006). Information Security Standards Focus on the Existence of Process, Not Its. Communications of the ACM, 8-19 .

Thomson, K. (2010). “Information Security Conscience: a precondition to an Information Security Culture. Journal of Information System Security, 3-19.

TrendMicro. (2012). Enterprise readiness of consumer mobile platforms. Retrieved from www.trendmicro.com: https://www.trendmicro.de/cloud-content/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_p

Trevor, C. (2013, February 25). Public servants to soon know if they can BYO devices to work. Retrieved from The Sydney Morning Herald: https://www.smh.com.au/it-pro/government-it/public-servants-to-soon-know-if-they-can-byo-devices-to-work-20130225-2f1uk.html

Winjnhoven, A., & Wassenaar, D. (2010). Impact of Information Technology on Organizations: The State of the. lnfernational Journal of lnformafion Management , 35-53.

Woollaston, V. (2017, May 22). WannaCry ransomware: what is it and how to protect yourself. Retrieved from www.wired.co.uk: https://www.wired.co.uk/article/wannacry-ransomware-virus-patch