GovInnovate Brief

Managing security threats for BYOD policies in 2016

Posted by GovInnovate Team on 22-Dec-2015 11:01:02


The private sector isn’t looking to slow down its uptake of bring your own device (BYOD) policies anytime soon, with 48% of enterprises currently transitioning to a BYOD policy and a further 23% stating that they will have a BYOD policy implemented within two years.

But will the public sector be so fast to introduce BYOD in 2016?

Government departments require different software solutions to the private sector, and although security is one of the biggest issues for businesses when it comes to the use of personal mobile devices, security threats are one of the major hurdles preventing government departments across the globe from introducing BYOD policies.

Prime Minister Malcolm Turnbull made headlines a few months ago with his unprecedented use of private email servers, bringing to light many questions about classified material being compromised when sent through private devices.

The following is a breakdown of the main security considerations every government department needs to know before going all in on BYOD.


Mobile device security policies & system threat models

Malcolm Turnbull wasn’t the only politician to be caught out in a BYOD debacle this year. The former US Secretary, Hillary Clinton, was caught out earlier this year when she used her private email server to get work done. Clinton said she used her personal account out of convenience, stating that she was aware of classification requirements and didn’t send any sensitive information. You can read more about the story here.

In this case, Clinton was fortunate that restricted information wasn’t released, but in the cases of both Malcolm Turnbull and Hillary Clinton, it is clear that guidelines and security policies need to be put in place before employees start to use their own devices for conducting work.

One of the first steps to ensuring you don’t make yourself vulnerable to potential threats is to implement a mobile device security policy. This policy should define which resources can be accessed via mobile devices, which mobile devices can access those resources, and what degree of access those devices should have.

The security plan should stipulate the rules for organisation-issued devices when compared to personally owned devices, and this policy should be documented in any existing system security plans to ensure guidelines are adhered to.
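One way to express such a policy so it can be checked mechanically is shown below. This is an added example, not part of the original post; the resource names, ownership classes and access levels are hypothetical and chosen only to show the three dimensions described above (resource, device type, degree of access).

```python
# Added illustration: all resource names, ownership classes and access
# levels are hypothetical placeholders, not taken from any real policy.
ACCESS_LEVELS = ["none", "read", "read_write"]  # ordered, weakest first

# (resource, device ownership class) -> maximum degree of access.
# Any combination that is not listed is denied.
POLICY = {
    ("email", "organisation_issued"): "read_write",
    ("email", "personally_owned"): "read_write",
    ("intranet", "organisation_issued"): "read_write",
    ("intranet", "personally_owned"): "read",
    ("records_system", "organisation_issued"): "read",
}


def allowed_access(ownership, resource, policy=POLICY):
    """Return the highest access level the policy grants, default deny."""
    return policy.get((resource, ownership), "none")


def is_permitted(ownership, resource, requested, policy=POLICY):
    """True when the requested level does not exceed the granted level."""
    if requested not in ACCESS_LEVELS[1:]:
        return False  # unknown or empty requests are rejected, not guessed at
    granted = allowed_access(ownership, resource, policy)
    return ACCESS_LEVELS.index(requested) <= ACCESS_LEVELS.index(granted)


def personal_exceeds_issued(policy=POLICY):
    """List resources where personally owned devices are granted more
    access than organisation-issued ones, for review before rollout."""
    flagged = []
    for resource in sorted({res for res, _ in policy}):
        personal = policy.get((resource, "personally_owned"), "none")
        issued = policy.get((resource, "organisation_issued"), "none")
        if ACCESS_LEVELS.index(personal) > ACCESS_LEVELS.index(issued):
            flagged.append(resource)
    return flagged


if __name__ == "__main__":
    print(allowed_access("personally_owned", "intranet"))
    print(is_permitted("personally_owned", "records_system", "read"))
    print(personal_exceeds_issued())
```

Because unlisted combinations fall through to "none", a new resource or device class is inaccessible until someone adds an explicit rule for it.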

Once you’ve laid out your mobile device security policy, the next step is to undergo threat modelling to identify security requirements. This is an important step to take before implementing any BYOD policy as this will ensure your mobile device solutions are certain to meet security needs.

Threat modelling requires an organisation to identify resources of interest and the potential ways they may be breached. This may include:

  • Any feasible threat
  • Vulnerabilities
  • Security controls related to resources
  • Impact of a potential attack
  • Identifying where security controls need to be improved or added

Threat modelling will enable your department to identify major vulnerabilities and to ensure security measures compensate for this. Once you’ve developed your mobile security policy and developed threat models for vulnerabilities, you can now start to work on how to differentiate personal data and work data within personal devices.

Determining the crossover between personal and work data

Security is top of mind when it comes to BYOD, as the crossover between work data and personal data begins to blur. Devices that interact with secured networks need to be fitted with mobile device management (MDM) software systems that allow easy access to networks while also ensuring sufficient security measures. 

The more your agency begins to rely on mobile devices, the more you will have to consider potential vulnerabilities including malware, intrusions and viruses that can infect personal devices.

One of the biggest challenges is working around the potential data breaches that may occur, but this may have already been rectified by the implementation of a clear mobile device security policy. But what happens if a personal device with work data on it is lost or stolen? Will agency IT be given the authority to remotely delete all contents of the phone? And if this is to occur, how can we determine the crossover between personal and work data?

If it is the case, as stated by Malcolm Turnbull, that: “classified information can only be exchanged through government systems”, then this may be seen to mitigate some of the risks, as new technologies including encryption make it difficult to breach data.

Turnbull has defended his use of the secure app Wickr, stating that the messaging app offers a “much higher degree of security” when compared to government services. But the question this poses is: are all government parties privy to classified information as technologically savvy as our digitally transforming PM?

Regardless, advances in technology can improve the efficiency of security processes by providing authentication through unique token identifiers per individual, and new technologies including voice recognition may also help to secure data.

If you can establish clear guidelines on what is considered personal and what isn’t, one of the biggest ways to ensure personal data isn’t compromised when a device is lost or stolen is to implement cloud-based services with remote access to networks.

Implementing cloud-based services for remote access to data

The loss of control of restricted information may at first be seen as an unsolvable task when it comes to the accessibility of data and how it will be shared through mobile devices. Developments in cloud technology may help to mitigate some of these threats if a personal device is lost or stolen.

The cloud offers a cost-effective and secure solution to the ‘work anywhere’ trend. In 2014, the government released its Cloud Computing Policy as it saw the benefit of adopting a ‘cloud first’ approach to ICT. The aim here was to lead by example when using cloud services to reduce costs, lift productivity and develop better services.

There are many Australian-based IT providers that offer custom government cloud solutions that get your department to the cloud securely and reliably. Remarkably, Australia is ahead of the globe when it comes to cloud adoption, but the challenge is integrating the cloud with BYOD policies.

Cloud services can support resource sharing and common standards across agencies, and the cloud may help to create a bridge between adopting transformational technologies that reduce operating costs, while also maintaining the security of the network.

2016 will show whether or not improvements to cloud technology including stronger authentication for cloud-based services will help to alleviate the barriers to BYOD in the public sector.



Amidst the Government’s Digital Transformation Strategy, it is clear that departments across the nation need to keep pace with innovations in technology to provide faster and more efficient services.

One of the best ways to deliver great digital services is to implement a BYOD policy to allow employees to work “anytime, and anywhere”.

The biggest setbacks to government departments implementing a BYOD policy are the potential risks and vulnerabilities that may occur when classified information is accessed through personal devices.

Developing a mobile device security policy and conducting threat modelling would be the first steps in ensuring personal devices are not vulnerable to risks. Secondly, determining clear barriers between personal and work data is essential in the case of lost or stolen devices, and one of the best ways to mitigate that risk is by utilising cloud-based services.

What will 2016 hold for BYOD in the public sector? Let us know your predictions, or if you think there are new advancements in the BYOD space not discussed here.



Topics: Mobile Encryption, BYOD for Government, Malcolm Turnbull, Mobile Device Threat Modelling, Cloud-Based Services, BYOD, Mobile Device Security Policy, Mobile Device Management, Remote Access to Data, Digital Transformation
