The shift toward using personal computing devices (laptops, tablets, smartphones and now wearables) to conduct business seems like a win-win strategy for both the enterprise and its employees. Employees work from the comfort of their own device while employers enjoy increased productivity and reduced technology costs.
While BYOD or BYOT (bring your own technology) programs offer benefits to both companies and employees, many companies struggle to design programs that effectively protect sensitive data.
A lot of customer and employee data stored on employee-owned devices is out of reach of company systems and firewalls. Employers lose some degree of control every time an employee stores or transmits work-related information using a personal laptop, tablet or smartphone.
Besides common risks of device loss and theft, employees can unknowingly expose company data to malicious software. Jailbreaking or rooting a device removes limitations imposed by the device maker, often eliminating restrictions designed to improve security of the devices. Rooting gives device owners administrator-level permissions, enabling them to install and run apps that could be malicious in nature.
Employees can also expose corporate data by failing to apply software security updates on their devices. The known vulnerabilities left unpatched can serve as a gateway to the company network.
How does privacy play out in a BYOD context?
Adopting a “one size fits all” policy to govern the interference of personal and enterprise data is not realistic, especially since the privacy requirements and risks involved are diverse and revolve around the following areas:
- Privacy and data protection
- Electronic communications
- Labor law issues
- Insurance and taxes
Nonetheless, the complex legal implications of BYOD must be carefully considered. Before reaching any conclusions, three key things need to be examined:
- What type of information is involved
In a recent court case, a company remotely wiped the iPhone of a sales rep when he resigned, deleting his personal and work-related files from the company-owned device. The employee sued the company, yet the court rejected his claims, holding that the information in a cell phone is not “electronic storage” under the Electronic Communications Privacy Act (ECPA).
- Who is the owner of the device
Device ownership has significant financial, legal and IT policy implications. If the devices are employee-owned but governed by the company’s BYOD policy (rather than a tailored, stand-alone policy), the terms of the BYOD policy apply to the data.
- Who has custody over the information
If you let employees access company resources using their own mobile devices, or if you equip employees with operational devices, you need policies that govern how those devices are used and managed: policies for mobile device security, passwords, encryption, data classification, acceptable use, antivirus software, wireless access, incident response, remote working, privacy and others.
Company policies should clearly address ownership, custody and access rights for the information involved. Unless they do so, the liability issue will persist.
On a company-owned device, the company can determine and limit the type of devices that can be used, implement minimum system requirements and configurations, install security-related software, encrypt company data, apply security patches and monitor the use of the device to detect misuse, hacking or malware. It can also dictate how the device connects to the company’s network and obtain/access the device for an investigation (because the company owns the device).
When it comes to employee-owned personal devices, organizations will partially or fully lose the ability to undertake these actions, and will often depend on employees to secure their devices.
How to gain more control
Apart from policies, employers should consider partitioning work-related content from personal content on personal devices. Containers, dual persona and application wrappers all provide application-level protection, either for sets of applications or for individual applications.
Regular checkups of potential cyber-risks are also a must.
Tools such as mobile device management (MDM) software enable corporate control over a fleet of devices. They let IT administrators troubleshoot and manage employee mobile devices remotely.
Assessing security vulnerabilities inside a network plays a crucial part in your IT security. Network vulnerability scanners can scan your network and websites for thousands of security risks, produce a prioritized list of those you should patch, describe the vulnerabilities, and outline steps to remediate them. Some can even automate the patching process.