January’s awareness topic: IoT and BYOD security
Outline and scope
From the average employee’s perspective, Bring Your Own Device is simply a matter of working on their choice of IT devices rather than being stuck with those provided by the
What difference would that make? Good question!
There are numerous differences in fact, some of which have substantial implications for information risk and security. For example:
Ownership and control of the BYOD device is distinct from ownership and control of the corporate data;
The lines between business use and personal life, and data, are blurred;
The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy;
Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often remote, markedly changes the organization’s cyber-risk profile;
Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc.
In similar fashion, in the business context, the Internet of Things is more than just allowing assorted things to be connected to and accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are technically and physically diverse, often inaccessible, with limited storage, processing and other capabilities (cybersecurity in particular). If they are delivering business- or safety-critical functions, the associated risks may be serious or grave.
January’s security awareness module is intended to:
Introduce IoT and BYOD, establishing the technology, home and business contexts, and drawing out the information and other risks;
Explain a plethora of information security controls relevant to IoT and BYOD;
Motivate IoT and BYOD users to recognize and deal with the information risks, appropriately;
Help managers and specialists appreciate both the risks and the opportunities presented by IoT and BYOD, developing and implementing corporate approaches, strategies, policies and procedures accordingly.
Think about your learning objectives in relation to IoT and BYOD security.
Are there any specific concerns, perhaps recent incidents or recurrent issues that need to be understood and addressed more effectively? Are things used in your buildings, perhaps on the shop floor and warehouses? Are workers using wearables for work purposes … or simply because they love their shiny toys? Despite the obvious technical nature of the topic, these are all good reasons to spread awareness far beyond the IT Department and even traditional IT users this month, and they are potential sources of relevant anecdotes, case study materials, perhaps even guest speakers for your awareness sessions.
By the way, if management essentially has no idea which devices and things are in use, by whom, where and for what purposes within the organization, that alone begs governance questions about their control, ownership and security. Compiling and maintaining an inventory is not an unreasonable place to start … but who should take on that responsibility? Perhaps the generic job description provided in the module is worth hawking around the exec suite.
Get this module
Subscribe to the NoticeBored service to receive January’s awareness module. There are briefings, seminar presentations, quizzes and competitions, checklists, posters, policies and more, a wealth of creative awareness materials, all fully editable and customizable to suit your specific situation and purposes.
NoticeBored subscribers also receive InfoSec 101, a set of information risk and security policy templates, and further modules on a market-leading range of security awareness topics - something topical, fresh and exciting every month.
Email us to set the ball rolling. We’re keen to sign you up and get you going, quickly.
Nurturing the corporate security culture through awareness
Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context. NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too. Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes, for ‘cybersecurity’ or because we say so! Properly done, information risk management is a business enabler, with security awareness a vital part of the approach - particularly, of course, in topics such as social engineering and fraud.
Track our progress on next month’s awareness module, through the NoticeBored blog.