BYOD Strategy | CATS

Risk Management Strategy – Bring Your Own Device (BYOD)

Definition of BYOD and Associated Cyber Security Issues

Bring Your Own Device (BYOD) refers to the practice of allowing staff, students, and contractors to connect personal devices—such as smartphones, tablets, and laptops—to the CATS network or systems. While this provides flexibility, increased productivity, and improved learning engagement, it introduces serious cybersecurity concerns.

BYOD devices are often outside the direct control of IT, meaning they may not follow standard hardening procedures, encryption standards, or patching schedules. These unmanaged devices could bypass perimeter security, create shadow IT risks, or be used to exfiltrate data without detection.

Cybersecurity threats from BYOD include the introduction of malware, unapproved cloud backups, unsecured public Wi-Fi usage, and inconsistent antivirus protection. Attackers may exploit these endpoints to launch broader attacks on internal systems or harvest credentials. Physical loss or theft of a personal device also exposes sensitive organisational data stored locally or accessed through cached sessions.

For CATS, this threat landscape is particularly relevant due to its distributed campuses, varied user roles, and reliance on digital platforms like Microsoft 365. Security strategies must consider device diversity, behavioural factors, and access control, while remaining user-friendly to ensure adoption.

Incident Response Plan

The BYOD incident response plan at CATS is structured to contain, investigate, and resolve security breaches swiftly while preserving organisational integrity and user trust. The process begins with multi-layered detection: real-time alerts from firewalls or NAC tools, anomaly-based behaviour detection, or user reports.

Once an incident is confirmed, the affected device is immediately isolated from all networks using NAC policy enforcement or firewall rules. The user’s session is revoked, and access to organisational services like email, OneDrive, or learning platforms is disabled.

The IT security team then performs a forensic analysis to identify the root cause—malware, unpatched OS, jailbroken/rooted status, or data leak vectors. Threat intelligence tools may be used to trace malicious IPs or domain connections, and log correlation is conducted to assess lateral movement.

If sensitive data is believed to be compromised, the Legal and Privacy Officer is notified. A breach assessment is conducted under the Notifiable Data Breaches (NDB) scheme, and notifications are prepared if serious harm is likely. Simultaneously, remediation is initiated: wiping the device (if enrolled in MDM), changing compromised credentials, and tightening user-specific permissions.

A post-incident review is conducted, with logs preserved for legal or audit purposes. Any policy gaps are addressed and documented in the incident register.

Responsibility and Escalation Roles

Recommended Security Technologies

A layered security model is essential to securing BYOD environments. CATS deploys a combination of endpoint and network security tools to reduce the attack surface. Enrolment in Mobile Device Management (MDM) allows device-level policy enforcement, such as encryption, biometric unlock, app control, and remote wipe.

Network Access Control (NAC) segments personal devices from critical infrastructure using VLANs and context-aware access policies. Only compliant, patched, and registered devices are allowed internal access, with visitors and unmanaged endpoints restricted to isolated zones. Endpoint Detection and Response (EDR) agents provide real-time telemetry and post-breach remediation capabilities.
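The posture-to-zone decision described above, written out as an added Python illustration (not CATS's actual NAC configuration). The zone names, the 30-day patch window, the posture fields and the sample devices are assumptions; the point is that unregistered or visitor devices never reach the internal zone, and a registered device that fails any baseline check lands in the isolated zone with the reasons recorded for remediation.

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical NAC decision logic; zone names and thresholds are assumptions.
class Zone(Enum):
    INTERNAL = "internal"      # VLAN with routes to internal services
    RESTRICTED = "restricted"  # isolated zone: internet only, no internal routes
    GUEST = "guest"            # visitors and unregistered endpoints

@dataclass(frozen=True)
class Posture:
    device_id: str
    registered: bool       # present in the device register
    mdm_enrolled: bool     # MDM policy (encryption, remote wipe) applies
    encrypted: bool        # storage encryption as reported by MDM
    rooted: bool           # jailbroken/rooted status
    patch_age_days: int    # days since the last OS/security update
    role: str              # "staff", "student", "contractor" or "visitor"

MAX_PATCH_AGE_DAYS = 30    # assumed patch window

def compliance_gaps(p: Posture) -> list[str]:
    """Every reason the device fails the baseline; an empty list means compliant."""
    gaps = []
    if not p.mdm_enrolled:
        gaps.append("not enrolled in MDM")
    if not p.encrypted:
        gaps.append("storage not encrypted")
    if p.rooted:
        gaps.append("jailbroken/rooted")
    if p.patch_age_days > MAX_PATCH_AGE_DAYS:
        gaps.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return gaps

def assign_zone(p: Posture) -> tuple[Zone, list[str]]:
    """Map a posture to a zone; unregistered devices and visitors never reach INTERNAL."""
    if p.role == "visitor" or not p.registered:
        return Zone.GUEST, ["unregistered or visitor device"]
    gaps = compliance_gaps(p)
    if gaps:
        return Zone.RESTRICTED, gaps
    return Zone.INTERNAL, []

# Constructed sample postures, as a NAC agent might report them.
SAMPLE = [
    Posture("lt-001", True, True, True, False, 5, "staff"),
    Posture("ph-002", True, False, True, False, 2, "student"),
    Posture("tb-003", True, True, True, True, 1, "contractor"),
    Posture("ph-004", False, False, False, False, 90, "visitor"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        zone, why = assign_zone(p)
        print(p.device_id, zone.value, "; ".join(why) or "compliant")
```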

VPN access is mandatory when connecting remotely to sensitive services, enforcing encryption in transit. Microsoft Defender for Endpoint protects devices by scanning downloads, websites, and scripts for malicious behaviour. Web filtering and DNS protection are layered on top to stop access to known bad domains.

Multi-factor authentication (MFA) is enforced across all systems using conditional access rules, requiring a second layer of identity verification for logins, especially when coming from personal or unmanaged devices.

Cyber Security Training Program

CATS provides tailored training to equip users with the awareness necessary to safely operate in a BYOD environment. During onboarding, all users complete a security briefing that includes password hygiene, phishing recognition, safe browsing, and reporting procedures for suspicious activity.

Annual refresher training covers evolving threats such as mobile banking Trojans, cloud service impersonation, QR code phishing, and app store scams. Interactive elements—like choosing safe vs. unsafe Wi-Fi networks or detecting fake apps—are embedded to encourage active learning.

Specialised modules are available for high-risk users, such as staff with financial, HR, or IT admin access. These sessions emphasise risk ownership and digital professionalism. Posters and micro-training campaigns run quarterly across campuses, reinforcing key tips and providing updates on emerging risks.

Risk Register / Feedback / Threat Categorisation

CATS maintains a dynamic BYOD risk register, managed by the CISO’s office and reviewed quarterly. Risks are categorised by vector (e.g. malware, physical loss, app abuse), threat actor (internal vs external), and impact domain (reputation, data, financial).

Each risk is assigned an inherent risk score and a residual risk score that reflects the controls in place. Control effectiveness is periodically reviewed based on incident outcomes, simulated breaches, and user compliance data.
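An added Python sketch of the register described above, not CATS's own register. The 5x5 likelihood-by-impact scale, the rating bands, the 90-day cadence and the sample entries are assumptions; the page states only that risks carry a vector, actor and impact domain, an inherent and a residual score, and a quarterly review.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical register model; scale, bands and cadence are assumptions.
@dataclass(frozen=True)
class Control:
    name: str
    likelihood_cut: int = 0  # points removed from likelihood on the 1..5 scale
    impact_cut: int = 0      # points removed from impact on the 1..5 scale

@dataclass
class Risk:
    ident: str
    vector: str              # "malware", "physical loss", "app abuse", ...
    actor: str               # "internal" or "external"
    impact_domain: str       # "reputation", "data" or "financial"
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    last_reviewed: date = date(2000, 1, 1)

def _clamp(v: int) -> int:
    return max(1, min(5, v))

def inherent_score(r: Risk) -> int:
    return _clamp(r.likelihood) * _clamp(r.impact)

def residual_score(r: Risk) -> int:
    """Score with controls applied: each control lowers likelihood and/or impact, floor 1."""
    lik = _clamp(r.likelihood - sum(c.likelihood_cut for c in r.controls))
    imp = _clamp(r.impact - sum(c.impact_cut for c in r.controls))
    return lik * imp

def rating(score: int) -> str:
    return "critical" if score >= 16 else "high" if score >= 10 else "medium" if score >= 5 else "low"

def overdue(register: list, today: date, cadence_days: int = 90) -> list:
    """Identifiers of risks whose last review is older than the quarterly cadence."""
    return [r.ident for r in register if (today - r.last_reviewed).days > cadence_days]

# Constructed sample controls and entries.
MDM_WIPE = Control("MDM encryption + remote wipe", impact_cut=3)
EDR = Control("EDR agent", likelihood_cut=1, impact_cut=1)
NAC = Control("NAC segmentation", likelihood_cut=1, impact_cut=1)
REGISTER = [
    Risk("R1", "physical loss", "external", "data", 4, 5, [MDM_WIPE], date(2025, 1, 10)),
    Risk("R2", "malware", "external", "data", 4, 4, [EDR, NAC], date(2025, 4, 2)),
    Risk("R3", "app abuse", "internal", "reputation", 3, 2, [], date(2024, 11, 20)),
]
REVIEW_DATE = date(2025, 6, 30)  # constructed "today" for the overdue check

if __name__ == "__main__":
    for r in REGISTER:
        print(r.ident, r.vector, inherent_score(r), rating(inherent_score(r)),
              "->", residual_score(r), rating(residual_score(r)))
    print("overdue:", overdue(REGISTER, REVIEW_DATE))
```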

Users can submit feedback anonymously through the portal regarding app restrictions, device registration issues, or emerging behaviours (e.g. students sideloading apps or using personal VPNs). These inputs inform policy tuning and threat modelling.

Strategy Evaluation and Benchmarking

Update Mechanism

CATS has a formal review process for all cybersecurity strategies, including BYOD. The CISO oversees updates, which are triggered by annual reviews, incident learnings, legal or compliance changes, or emerging threat intelligence.

All updates are version-controlled and recorded in the Cybersecurity Governance Document Repository. Staff and students are notified of material changes through internal news posts, alerts during system logins, and updated training modules. The ICT team holds a stakeholder consultation session before major changes, especially if they affect access workflows or personal device registration policies.