
Risk Management of Enterprise Mobility Including Bring Your Own Device

Published June 2013; Latest version April 2019

Executive summary

Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees gain increased flexibility to perform work regardless of their physical location.

This document provides senior business representatives with a list of enterprise mobility considerations. These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to help readers understand and mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks arise primarily from the likelihood that devices storing unprotected sensitive data are lost or stolen, the use of corporately unapproved applications and cloud services to handle sensitive data, inadequate separation between work-related and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise from legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation’s budget and personnel resources.

Risks can be partially mitigated through a policy outlining the permitted use of devices, including the behaviour expected of employees, complemented by technical risk management controls that enforce the policy and detect violations.

Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).

Business cases for enterprise mobility that involve accessing and potentially storing sensitive data might permit employees to use devices that are listed on a corporately approved shortlist of devices. Such devices are partially or completely corporately managed to enforce policy and technical risk management controls. These controls can include preventing unapproved applications from running and accessing sensitive data, applying patches to applications and operating systems in a timely manner, and limiting the ability of employees to use devices that are ‘jailbroken’, ‘rooted’ or otherwise run with administrative privileges. Optionally, some organisations might provide devices to employees, permit a reasonable degree of personal use, and retain ownership of the devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property.

Before implementing enterprise mobility for a specific business case, organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).

April 30th, 2019