Hunton Andrews Kurth LLP
  March 5, 2013 - Germany

Germany: Guidance on Bring Your Own Device to Work - The Implementation of BYOD Strategies
  by Dr. Jörg Hladjk

On 4 February 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, 'BSI') published a guidance paper providing an overview of the information technology risks inherent to consumerisation and bring-your-own-device (BYOD) strategies. According to the guidance paper, BYOD strategies allow employees to bring their own IT equipment to a company in order to use it there. Unlike with consumerisation, BYOD allows the use of end-consumer devices that are not issued by the company on the information network.

Implementation of security measures 
The implementation of security measures for BYOD is sensitive, as many users are not ready to accept restrictions on their own devices or to allow the employer access to the device. In particular, security measures that require interventions which cause the device's warranty to expire will usually be difficult to implement.

Therefore, the BSI guidance paper suggests clarifying the following points before developing a BYOD strategy:
● Whether such a strategy will be compatible with the security requirements of the company; and
● Which conditions have to be met, and whether under these conditions BYOD will be acceptable for the employees.

Usually, if a BYOD strategy is incompatible with the security requirements of a company or if the necessary conditions are unacceptable to the employees, BYOD cannot be implemented. From a security perspective, BYOD also implies that there must be restrictions on the type of device used.

According to the BSI guidance paper, typical and practical solutions are the following:
● Restriction of selected types of devices: Few companies will be in a position to administer and manage an unlimited number of different devices, operating systems and applications from a security perspective. Thus, for a BYOD strategy, the types of approved devices should be limited.
● Identification of user types: Likewise, the various types of users should be identified. Not every employee will necessarily use their own devices, and the motivation to do so could be very different. Therefore, it may make sense to create different rules for the various user groups. Many employees may just want to be able to check their calendars when travelling. For such uses, security-compliant solutions can be found quite easily. Cases, however, where employees would like to be able to perform administrative access requests remotely from a smartphone may be much more difficult to solve from a security perspective.



Read full article at: http://www.worldservicesgroup.com/files/emails/Hunton_Bring_Your_Own_Device_to_work.pdf