
So there are many organizations, they are currently facing some ethical challenges related to bring your own device, choose your own device, and multiple other types of devices. The challenge over here is that COVID changed many things, including people's perceptions as well: this is my device, and the organization cannot tell me what to install and what not to install, because I'm the owner of this device. And the agenda for today: we will talk about understanding, first of all, what are the key differences. So in a private organization, for example, I work at Westcliff University back in the United States of America, it is cyber security. The US Army and the Navy SEAL officers sometimes,
when they bring their own device to the company, they often ask me a question: you told us, okay, let's install a virtual machine, let's install this software, but who is responsible if damage happens? Do I have to install any additional software on my system? So my answer to that question is: we have to follow the university policies. You have to sign the policy. If you believe that our policy is not aligned with your goals, then there is no need to install any software, regardless of who is telling you, because at the end of the day, if we are not reading the policies and we are just installing some of the critical
software on our machine, we are responsible. We are the host on our system, we are the end users, we are responsible for any damage. Then we will talk about the ethical landscape, challenges, and case studies. I have two major case studies: one from KU University back from Emirates, and then the other one is the ethical challenges faced in Canadian schools as well. Then at the end, if we have any questions, we can share our knowledge further.

So first of all, bring your own device. Everyone loves to bring their device. Reason: they feel more comfortable, they know where are the folders. It's more or less like our home. At our home, we know where is the bedroom, where is the
kitchen, where is the living room, and that's called bring your own device, because you know all the software you have installed on your system. Every single software you have installed on your system is simply listening to what you are doing on your system. They have full control of your system, because you are allowing someone, a stranger, to come to your home and be a part of your family, and here your family is your device. That is bring your own device.

Now, choose your own device. In a typical company environment there are two types of people: technical and non-technical. For a non-technical person, they just need a device, the device which is working and the device which will not allow them to
send a message on Monday morning that my password is not working. That's the main concern. So in choose your own device, people always have a big dilemma: whether I should have macOS, Windows, Linux, or maybe, in a modernization, we have Ubuntu, Parrot operating system. So the people who are not technical, they need training as well. That's where user awareness training plays an important role in choose your own device, because as a user, if this is my first day at work, I will choose the most expensive device from the company, because I want to click a photo, put it on LinkedIn, put it on WhatsApp, get some likes, comments, right? So then after, it comes to
corporate-owned, personally enabled: employees use company-provided devices for both work and personal use. This is one of the critical devices I have personally seen in the last couple of years. For example, I'm working at Westcliff University. Now I have Telus internet at home. I'm using their email address to connect all of my services: my bank account, my Telus and my utility bills. One day I got an email: you're no longer a part of this university, we don't need you anymore, we found somebody better. Because we are replaceable. We are not the permanent human in the company, we are just an employee. An employee could be replaced at any time. Then what happened? I don't know. As
a human being, we are complicated, and we don't know on which platforms I have used the Westcliff University email. Now my data has been compromised. Now I have to be pretty much sure that I should avoid a corporate-owned, personally enabled device in any circumstances, because this device you are using for your personal use and the business use at the same time, and you're making the system more vulnerable. You are trying to mix your family, whom you are living with at home, anyone, your brother, sister, your parents, your kids, or your cat and dog, they are a part of the family as well. Now you went to work, you saw another cute cat or a cute dog, you
bring them home as well. What happened? There will be a fight, right? Strangers are coming to your home, and they don't like your approach as well, that you're giving importance to some other people. So over here we have to make sure that we can avoid this thing, because companies, what they do: AnyDesk and some of the other critical software they can install on your laptop. They check your activity every single minute. Micromanagement is in some companies' blood. Oh, you were not at your desk for 10 minutes, where were you? I saw that you were drinking coffee for more than 20 minutes, why is that? That's a company culture, because somehow our neuron cells
are working differently. We believe that we are the most important person in the company: the owner is coming and personally saying good morning to me in the morning. That's not going to happen unless and until you are making a lot of money for the owner.

Now the next one over here, we have corporate-owned, business only. The sole purpose is the business. Now we have different types of teams over here: on-site, remote and hybrid. When an employee is working from home, how would you ensure that they are not using the laptop for personal use? If you're installing any software and you're not getting their personal consent, you're putting the entire liability at risk. You have to make sure your employee is
aware of what information you are collecting. The definition of authentication and authorization is not just limited to having a critical password or single sign-on or password management software; it's all about the information you are asking of your employee.

Then after, we have corporate-owned, single use: a specific task. My role is to provide technical support to a specific company. That's the only application I can use. I'm not allowed to use a VPN. So that's another critical statement. Some of the employees, they got a job, now they want to move to a country which is cheaper. Enable the VPN, nobody knows where you are, what you are doing. The company is not going to travel
with you all the time, 24/7. Now the best option: we have a background as well, we can change it. We can turn Edmonton into Vancouver, Vancouver into Toronto. Who knows where we are? So COVID changed the perspective as well, and moreover how the people are thinking and how they are perceiving the information over the given period of time.

Ethics matter. An ethical workplace: according to me, an ethical workplace is the place where people are listening to my thoughts, they are believing in me, they listen to me. If the company's not listening to me, doesn't matter whosoever they are, that place is not ethical to me. It's not about people are respecting. One of the
major doubts people have is when they call someone a family member at work. Have you ever heard that a family member can fire or rehire someone? But it happened. So your workplace is a place where you go, you donate your eight hours a day, and in return you get mortgage, utility bill, food bill, kids' outing, or maybe sightseeing if we have time in this life.

Now, why ethics matter. Every company may have their mission, vision, value statement and goals written on their website. Do they really follow them? Do they really follow? I mean, the most important person who can give feedback to us is we as an individual. If we are sitting alone, the company we are working for, we can easily
provide a critique as well, whether the company listens to me or not. There are two different types of people you can see in a company: ones who work very hard, and ones who wait for 5:00 p.m., we want to go
home.

Now, some of the ethical concerns we have at bring your own device. Data protection: companies are struggling. They don't want you to open their critical data on your personal machine, which your kid or another family member will use later on to play games, or maybe they will submit that critical data as a school project, who knows. Then after, employees may not adhere to corporate security policies. Policies and procedures are important, because if we look into ISO 27000 as well, we have technical controls, physical controls and managerial controls. Managerial controls are critical at work. You can set up the policies, but can you set up policies at home? You're working for the company at home, and when
you are working from home, your employee believes that you're free, they can call you at any time, and suddenly work from home turned into a babysitting job. You have a baby in one hand, you're working as well, or maybe a cat or a dog or anyone, so you have to take care of two people at the same time. So in bring your own device, the main ethical concern over here is data security. There are three ways you can secure your data: either you have an external hard drive, you can secure your data in your laptop, or you can have data on the cloud as well. One type of data which is also critical in bring your own device: data
archive, the data which I don't need right now but I may need in the future. The timeline of data is very important.

Then after, we have choose your own device. Decisions about approved devices should be fair and unbiased. It has to be a part of a policy, and this is very important.

I think it's a bring your own device issue.
Okay, so the next one we have is choose your own device. So in choose your own device, make sure your employees understand the policies: which devices are allowed, which operating system they can work on, are they allowed to install a VPN, are they allowed to install any other software. So for example, employee expectation, that's a part of the people and culture department in any company. My expectation is that I should have a MacBook, the latest one, M2 chip, $4,000, $5,000 device, one terabyte solid state drive, because imagination has no limit. We can imagine that maybe next minute we are in Switzerland. So the same kind of expectation your employee has of you as well. So make sure that you have mentioned
everything in the policy, and that's also a part of the onboarding process as well in choose your own device, to make sure if your company has a separate policy for bring your own device as well. I can choose my own device; I think that's the best device I can work on.

Then after, we have the ethical concern: personally enabled devices. Extensive monitoring: that is very important, because as I have mentioned before, you should avoid this device, because the employee will definitely install software where they can capture each and every moment you are working on that particular device. So you are now criticizing your employee as well, that you told me that I can do my personal work over there, but
your personal work is not working on Facebook or on LinkedIn. You have signed the policy, and that should be one of the reasons that we can fire you and take legal action as well. Now over here, employees using personally enabled devices have a right to privacy in their personal activities as well. So that is one of the reasons people would not prefer, or cyber security employees, to go with personally enabled devices, because they have to take care of two different policies: personal policies and the company policies.

Then after, negatively impact employee job satisfaction. I have been given a device which I can only use as the company tells me. So in that particular case I have to
make sure that I'm not going to do anything wrong. This is my first job in cyber security, and I don't know, I never heard about it, because most of the colleges and the universities in Canada, they are giving theoretical information and I need practical hands-on experience. I'm pretty new in this company and I don't have any idea, and now the company is putting all these policies on me. I have to read the policies. Then after, this kind of device restricts users to specific tasks. So for example, my company gave me a Microsoft 365 account, but that account I cannot enable on this particular device, because this device is special. That means I need to have another device if I
have an important phone call, an important message on Teams, or a Microsoft 365 email I need to check. So you have to make sure that you understand the company policy and the device which you are going to use in all these five devices.

Two case studies, next 10 minutes, then we will have a Q&A session. First case study, from Kuwait University. This is pretty much interesting. So they have used a quasi-experimental research design where they evaluate the people who are bringing their own device to the university or the ones who are using a college or university device as well. They realized that the people who are bringing their own device, they are much more familiar and they can
easily increase their productivity because they're working on their device, and data security: the college or university doesn't have to provide a separate email to them because they're bringing their device. Even if you search on Google as well, Northern Alberta Institute of Technology bring your own device, you can find an article, I think they published it last month, that Northern Alberta Institute of Technology, they are telling students that you have to bring your own device. Now students are saying that we are paying this much amount of fee and we have to buy our own device as well, and we need to bring it. But that's the policy. So now students, they have to read
the policy before they join any college or university, because data privacy is not just a college task, it's an individual task as well. It's your responsibility, because you are sharing your data with the college. So what are the findings over here? The bring your own device intervention had a statistically significant positive effect on student learning and achievement. I don't have to go through saving my document, opening my Microsoft 365 account, forgetting to log out, so many other things happen. But if I have my own device, I know that my data is safe, my data is on my computer. There are many people in this world, they never change their Microsoft 365
password. You can ask yourself when was the last time, or I can ask myself, when was the last time we changed our Microsoft 365 or Gmail password, and how many times we have opened the same account on different devices, on different people's laptops: my neighbor, my friend or anyone's laptop. Was I able to log out, or did I just say, okay, he or she is my best friend, no worries, I know them and they are not going to steal anything? Now this is the case if you are in the security industry, in cyber security. What about if you are non-technical and you have never seen a laptop before? You are looking for some
help to send an email to your best friend back in Asia, back in Africa or any other subcontinent. You're happy because you sent an email, but that email account could be a potential hacking tool as well for someone who is pretty good at social engineering. They can use it as an email phishing tool, as a vishing tool, smishing tool, spear phishing tool. So this is very important in cyber security: whom can you trust? The only person you can trust is you, because many companies, they have enabled, even Kuwait University as well, a security-first model. Now the CISO is in the limelight in the company. The CISO is not something we are asking at the end. So he will take the
decision, he will understand the policies, adhere to all the policies, and make sure the users are aware as well, those who are working in the company.

Next case study over here: mobility and security in the new way of working. Employee satisfaction. The name suggests choose your own device, so I have full 100% privilege to choose my device. So a majority believe their performance would improve when given the ability to choose a device of their own. Let's say the company gave me a device, Mac operating system, MacBook. I have never used a MacBook before. I don't know copy-paste is different on a MacBook. I'm struggling. I went to the technical support team. I'm not a technical member of the team, I'm, let's say, a marketing
professional or an accountant. Now I asked them, you know, my keyboard is not working on the MacBook. I sent a ticket, I even escalated this issue as well to many other team members, you know, company systems are not working, during the lunch discussion as well. So the rumor is about that this guy just joined the company and is telling that the $4,000 MacBook we have given to him, the keyboard is not working. And the company finally realized that what they have seen in the resume and what they can see now is totally a North Pole and South Pole. There is no collaboration. So you cannot tell a cyber security company, I'm not good with MacBook,
please give me a Windows, otherwise I'm not going to work. It's your choice, but in choose your own device, the company has to listen to you because they're giving you this authority. And over there in this particular study as well, they have taken two Dutch companies, one Finnish company and one US-based company. They found out that 52% of employees believe that their performance improved when they were given a choice to choose their own device.

Then after, there are a few solutions over here. We have employee training, that's cyber security awareness training or user awareness training, a big market for this industry as well, this particular domain in cyber security. Then after, data security: to make sure how are
we allowed to store our data. Are you allowed to store the company's data on your personal device? Again, it drops down to which device you are going to use. Then legal compliance. It includes: you can start with HIPAA, you can go with GDPR, you can go with the Privacy Act, you can go with PIPEDA, you can go with CPPA, the Consumer Privacy Protection Act, you can go with the Sarbanes-Oxley Act, you can go with the CAN-SPAM Act. So all these acts, it also depends on the industry you are representing in cyber security, and make sure you understand the compliance part as well. If you're not in a technical part of a team, there is an onboarding session, and usually we tell our best
friend to do my onboarding session because I'm busy. They click, click, click, next, next, next, 100 out of 100, we send our certificate to the company and we are done. But that onboarding part is very important to understand what the company is offering to you. Overexcitement sometimes leads to no job in cyber security, because we need to understand the policies.

Now at the end we have a Q&A session. Any one of you, the device which you like, let's start with this part: the device which you like, and why. I don't have any million dollars in my pocket, so you can feel free to answer anything. Yes, so the device which you like,
anyone? So I can go back and I can highlight that slide as well where we have all the devices. This one.

So currently I have a corporate-owned, personally enabled machine, and I like it 'cause I can quick check my emails, but I try and avoid checking emails 'cause I know they could get searched if, like, potentially the company got into a legal thing. But I like the flexibility of it.

So no, definitely, thank you so much. And over here they sometimes have software as well to see how long you are productive: out of 8 hours, you're working on the company's documents and the company's work. So you make sure, like, they don't
have this software enabled on the machine.

Hi, thanks for this. I'm looking at this list and I'm realizing that my employer uses them all in a way, and that's not bad. I think we consciously use a combination of all of them. For example, staff can choose their own mobile phone, or use their own mobile phone if they don't like anything on the list. Yeah. That's for example. Our corporate laptops, we're quite liberal with personal use, you know, there's sort of a zero trust kind of model. But also, since I work for a consulting firm, we do work for clients, and often to meet
client requirements we end up with corporate-owned, business only machines in some cases for some staff, and corporate-owned single use as well. Right. In fact, some of the security incidents that we deal with are when some of our staff have violated the single use policy. Single use policy, yeah. Anyway, thank you so much.

Thank you so much for your answer. And what I understood is that there's a segmentation in the company as well. They use a hybrid model, so they categorize the people based on their designation, based on their role and the categorization of all the stakeholders within the company, so they can see, like, whom we can allow which device. Thank you
so much. Any? Yes, please.

So one aspect I'm going to mention here is about work-life balance. I have corporate-owned, personally enabled devices, including this one here, but I never use my corporate devices for personal stuff, and that helps me focus on work when I'm at work and play when I'm on play, and not swearing when I'm at work and being relaxing when I'm on my other computer. And that way I never have to worry about the whole aspect of leakage between those two worlds. And as you go on in your career, the home life balance separation becomes important. So I'd recommend, if you are given a corporately owned personal device, don't
use it for personal stuff.

Yes, I think that's a good point. And one more thing in that: if you are the business owner, then it might be you are going with a corporate-owned, personally enabled device as well. So anyone else? Any comments? Okay, I think, thank you so much. Oh yes, there is a
question.

Yeah, thank you for this presentation. So my question is just about, you mentioned so much about corporate policies that employees need to sign during the onboarding process, and from my experience and from my understanding, most organizations actually used to BYOD policies. I've never seen any policies as mentioned, COBO, COPE. So are you kind of recommending, as a cyber security professional, and in reviewing and designing policy for the organization, do you say we should start including these aspects or types of devices into our corporate policies as well, so that employees can understand what they are getting into before they get those devices?

Definitely a good question. So I would say, like, when a company designs a
mobile device policy, they can start including all these abbreviations as well, so people can understand what it means. They can make the user aware as well, because at the end of the day, people are the most vulnerable thing in the company, not the password. They are the weakest link in the company. So you have to make sure your people are trustworthy and they understand all the policies as well. Definitely we can design a policy, a mobile device policy, including each of these items. There is one thing I did not mention over here, that choose your own technology, that is also, so choose your own technology. So there are multiple other abbreviations as well
I did not mention, to make it a little bit boring as well. So choose your own technology: people bring their own technology as well. They believe that we are more comfortable. Let's say instead of using WhatsApp, that's not a good example, but small and medium businesses, they use WhatsApp as well, it's free. So instead of WhatsApp they say, okay, we are more comfortable with Telegram or Signal. So this is the technology I can bring, or something I have developed on my own, and I can bring that technology as well into the company. But definitely we can design a mobile device policy including all these abbreviations to make sure employees understand within the company. And one
more thing I would recommend is to include it in the onboarding process as well. This is very important. It's not like you are sending them a paper via email or they can access it online. It has to be a part of the onboarding process.

So another question I have is, because of the challenge we have to be able to ensure compliance with organization policy as regards BYOD and what have you, we've had to rely on the system control by introducing MDM, you know, solutions like Azure Intune, and over time realized that we have some ethical challenge as regards, you know, users, employees complaining about, how am I so sure that you don't have access to my private
data, especially when it comes to BYOD, right? And from your experience, what are the ethical challenges, and what would you advise in terms of how to handle such situations for employees?

So one of the things over here is that we have a lot of access to the remote servers as well, where we have a lot of data. We should not try to download the documents and start saving them on our personal device, especially in the bring your own device case policy, because that can raise an issue of data integrity as well, confidentiality as well. I can easily send that data to somebody else whom I don't know, or maybe one of my family members. When I say bring your own
device, my device may be used by 10 family members at home. I'm not declaring this thing to the company. I'm not telling them. I just told them that this is my own device, right? And very few people, they introduce BitLocker, they introduce the guest users as well, but it's all about technical. So we have a major challenge. The major ethical concern, if I can say in one word: the users who are not technical, that is the ethical concern in the mobile device policy, because you have to teach them, you have to make sure they can understand the process, they can understand the challenges before they choose their own device
or company device or bring their own device. Any other comments? Okay, so thank you so much for listening to me and spending your quality time over here, and precious time, and thank you so much. And feel free to connect with me on LinkedIn. If I have your LinkedIn account, I can send you the request. I have over 28,000 connections on LinkedIn, connected in almost a few cyber security companies here in Edmonton as well. So my passion: I teach cyber security, hands-on practical cyber security. I can turn any laptop into a blue team and a red team exercise in less than 30 minutes, give it to the student, give the practical hands-on material, now
you can work on it. So a few of my students, even in the Canadian market as well, their job, what they were doing before they joined my class: someone is a truck driver, plumber, carpenter. I'm not saying that it's a low-level or a high-level job. A job is a job, right? But they have decided after COVID that they are more close to their family, they want to do something which they can work on from anywhere, and that is the beauty of information technology. You can work from anywhere. You don't have to be in the office, you don't have to go for hybrid. There are lots of American companies, they hire remote jobs, remote employees
from Canada. So that's a little about me, and thank you so much again for listening to me and joining this presentation.