Industry slams standards bodies for lack of BYOD policy
Senior UK IT figures admit that security standards are inadequate, and do not cater for consumerisation trend
Senior figures in the UK IT industry have criticised standards bodies such as the Financial Services Agency (FSA) for failing to keep pace with modern technology trends such as consumerisation.
A panel of experts said that the trend of staff using their personal devices such as iPhones and iPads for work brings security risks that have not been recognised by existing security standards.
"The FSA's standards should include regulations and guidance over BYOD [bring your own device], but at the moment there really isn't anything out there to govern how organisations should protect themselves," said Robert Cockerill, head of IT infrastructure and security at Thames River Capital, a firm which is regulated by the FSA.
Paul Hyland, group information security officer at Ardagh Group, agreed.
"BYOD has been around for a while now, and there still isn't anything definitive out there," he said.
"Standards bodies must get on top of this," Hyland added.
However, it appears that this is one area in which public-sector bodies may be better served.
Tony Doyle, head of ICT at Blackpool Council, explained that his council's adoption of consumer devices had been done under the auspices of governmental security standards.
"The GSS [Government Security Secretariat] rules shape and influence how we designed our BYOD scheme," he said.
The Government Security Secretariat coordinates all aspects of protective security policy across government departments, associated bodies and international organisations.
"Using Citrix, we've set up high-security and low-security domains," Doyle continued. "User-owned devices are only allowed to connect to the lower-security domain."
A spokesman for the FSA said that it isn't the regulator's job to prescribe how firms handle new developments in technology.
"We have high-level principles that require firms to have appropriate systems and controls in place," said the spokesman.
"It's down to firms themselves to decide what's appropriate to govern their information. We can't tell firms how to use their devices."
The panel was part of the Infosecurity conference in London last week.