Guidance on Bring Your Own Device (BYOD) for Charities

Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own devices for work purposes. This could include desktops, laptops or mobile devices such as phones and tablets.

During and since the Coronavirus pandemic, many people, both volunteers and employees are not in their workplace, but instead working from home or a combination of work and home. Many people are also having to use their own personal laptop or phone for work purposes.

Although there may be significant financial savings to be had by allowing staff to use personal computers and phones for work, there are also some serious risks to an organisation’s security and privacy.

By allowing remote access to your company by devices that you do not control (non company owned computers and phones), you increase the risk of material being used by someone for purposes you may not authorise or agree. Company information could be copied, modified, transferred to your competitors or just made public.

While a member of staff is working from their own computer, it is possible that a social media app recently downloaded or already active could vacuum up the work contact database, sharing identifiable information of clients which by law would need their consent to pass onto a third party. This could inadvertently result in a *data protection violation.

Another risk is that the owner of the computer may install Apps from unsavory or insecure sources perhaps not even realizing the risks and this could make your company files vulnerable to attacks from *malware . Failing to update a device can also leave it open to security threats.

The owner of the computer may leave their device lying around unsecured (after all they are at home). They may allow friends and family to use it. What happens if the device gets lost or stolen?

How do you control the contents and access of a private device if your employee leaves your company? how will you ensure your information is erased? What if your employee sells their device with your company information still accessible?

How are you to know where this device even is?

There are some simple things you can do to take back control and protect your company’s information.

The easiest thing you can do is write and enforce a Bring Your Own Device (BYOD) policy.

This does not have to be a complicated document, it should address the use of personal devices that connect to organisational networks, whether that be physical or cloud services eg Microsoft 365. In relation to apps, the policy is only concerned with those apps that interact with organisational data and services.

Here are some suggestions that could be included in the policy:

The Operating System and apps must be fully supported by the manufacturer and receive security updates.
Software based firewalls are activated and configured correctly.
Auto Security update should be applied. Where this is not possible security updates must be installed within 14 days.
Cyber Essentials password controls are applied to users own devices (BYODs).
Users logging in, have a day-to-day account, and this is separate to the administrator account.
The device automatically locks when not in use.
The device must have an 8 digit or more pin/pass code (Use a *biometric if available as well).

Apps should only be installed from the manufactures respective store.
Anti-malware software is installed on all laptops and desktops.
Unused apps should be uninstalled
If lost or stolen, it must be reported to the business promptly.
*Rooting or *Jailbreak is not permitted.

Provide a list of allowed applications that staff can download on their devices with the purpose of interacting with organisational services and data.

For further risk reduction you could look at:

Mobile Device Management software (MDM) allows you to monitor, manage, and secure employees’ mobile devices. This gives you full control but comes at a price!
The use of a corporate Virtual Private Network (VPN) could be considered. This will allow users of BYOD to transfer their internet boundary wherever they are to a firewall that is under the control of the company. (A corporate VPN is a full tunnel, host-to-site or site-to-site VPN that is always-on when accessing organisational services or data. )
A remote erase and tracking app could be installed and activated so you can track a lost device, lock access and erase data.
Consider *encrypting devices.

So, before allowing private computers and phones to access your company information, be aware of the hidden costs (subscription, updates, limitations) and risks around your data and make a balanced judgement. If this is a subject you need support with, seek advice from an independent IT security service company.

*Definitions.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Strict laws determine how you store people’s contact details and personal information.

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of types of malware exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.

Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, already being used instead of passwords to make human identity authentication a bit more secure.

To encrypt your device means that every time you power your device on, you’ll need either a numeric pin or password to decrypt the device. An encrypted device is far more secure than an unencrypted one. When encrypted, the only way to get into the phone is with the encryption key.

Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. Jailbreaking is generally performed on Apple iOS devices, such as the iPhone or iPad. Jailbreaking removes the restrictions Apple puts in place, allowing you to install third-party software from outside the app store. Essentially, jailbreaking allows you to use software that Apple doesn’t approve.

Rooting is the process of gaining “root access” to a device. Similar to Jailbreaking, but this is generally performed on Android devices.

Cookie	Type	Duration	Description
cookielawinfo-checkbox-analytics		1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-analytics	persistent	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary		1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	persistent	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary		1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
cookielawinfo-checkbox-non-necessary	persistent	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
CookieLawInfoConsent		1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
geot_country		1 year 1 month 4 days	Used to define what country is attributed to you to aid showing the correct content.
PHPSESSID		session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy		1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.

Cookie	Type	Duration	Description
__cfduid		1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__cfduid	persistent	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
_ga		2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga	persistent	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag		1 minute	Used to throttle too many requests from being issued within a short time. This is part of the Google Analytics suite of services.
_gat_gtag	persistent	1 minute	Used to throttle too many requests from being issued within a short time. This is part of the Google Analytics suite of services.
_gid		1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_gid	persistent	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_hjAbsoluteSessionInProgress	persistent	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	Session	1 year	This is set to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	persistent	365 days	Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
ajs_anonymous_id	persistent	365 days	This cookie is set by Segment as a randomly generated ID for anonymous users.

Cookie	Duration	Description
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_hjSession_*	30 minutes	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.

Guidance on Bring Your Own Device (BYOD) for Charities

Search Blog

Categories

Archives

Cyber First

Living Wage

Cyber Scheme

National Cyber Awards 2022

Armed Forces Covenant

BSI