Mitigating Risk in BYOD Security

For most organizations, BYOD (bring your own device) has become common practice. Employees who are asked to be available after hours usually prefer to respond from their personal devices rather than carry a second one. It's a risk-laden scenario, but with so many organizations facing the same issues, it's safe to say you're not alone. Gartner predicts that by 2017 half of all employers will require employees to supply their own device for work purposes.

This proliferation brings a host of BYOD security, privacy and managerial challenges. So how do organizations address the known issues and stay ahead of new ones before they arise? Solutions are multifaceted, but a consensus has emerged in the following areas:

Security and Data Leakage

Corporate networks can be breached through lapses in BYOD security, and mobile devices increasingly ship with apps that sync data from the device to the cloud and from one cloud service to another. Once corporate email, contacts or documents land in an employee's personal cloud account, they are outside the organization's data controls. It's incumbent upon the organization as a whole to have practices in place that are both reactive, dealing with each problem as it evolves, and proactive, preparing for the worst should it ever happen.

Although these prevention strategies should be adopted company-wide, there is plenty that can be done to protect the company from an HR perspective:

  • Review employer/employee agreements to ensure that BYOD device usage is addressed.
  • Identify consequences and training opportunities for policy violations, such as mandatory e-learning, temporary quarantining of devices or workshop attendance.
  • Foster a culture of awareness around BYOD security and privacy through periodic newsletters, emails, intranet posts, etc.
  • Ensure that the management team is aware of the risks, including insider threats, and has included BYOD in broader risk management.

Commingling

Personal and corporate data can become difficult to separate on a single device, especially once an employee has left. It is therefore imperative to develop forward-thinking directives and clear contract language that address the problem before it arises. New employees must understand their responsibilities both while employed and after they have left the company:

  • Get involved early in the discussions assessing whether the organization is best served by BYOD or CYOD (choose your own device, where the employee picks from a company-approved list), even if the choice may be role-dependent.
  • Ensure that security, privacy and intellectual property concerns are addressed in agreements and employee orientation.
  • Work with IT, sales, marketing and technical support to identify BYOD issues surrounding social media.
  • Spell out the consequences for employees who, intentionally or not, disseminate proprietary company data and information after they leave.

Litigation and Financial Risk

In an interview with InsideCounsel magazine, Symantec's Matt Nelson warned that "Mobile devices are becoming a high priority target during discovery ... If electronically stored information (ESI) such as emails, voice mails, photos and other information is not centrally available on company servers, then judges may require the preservation and discovery of that information directly from devices."

The best defense, therefore, is a good offense: HR should collaborate with IT and legal to develop a BYOD policy that covers security requirements, data sharing, patch management, jail-breaking, support, remote wipe and e-discovery. Two practical points are worth settling in writing. First, remote wipe of a personal device needs the employee's explicit, documented consent, and it is far easier to obtain when the policy limits the wipe to corporate data (a managed container or work profile) rather than the whole device. Second, the policy should exist before any dispute arises, since the duty to preserve ESI attaches as soon as litigation is reasonably anticipated, and that is no time to discover that corporate email lives only on an employee's phone.

Policy Motivators

Ultimately, it might not fall to you to select a data loss prevention tool or to guarantee that it's installed on the devices employees use. But there is ample opportunity for you to set the tone and protocols for employee BYOD use. Clear-cut BYOD policies will not eliminate every potential problem, but they make it plain to management and employees alike that this issue is not to be overlooked and should be handled with care and attention.