Managing the Risks of BYOD
Imagine if an employee leaves his iPhone on a train and that device contains your company’s sensitive business data. If you allow employees to use their own devices for work, it could happen today. Your information could be leaking right now.
This is the type of situation likely to face businesses more often in the next five years. Those that hope to avoid the fallout will have to manage the risk of “bring your own device to work” (BYOD).
BYOD is not new. For many years, individuals have been finding simple ways of enhancing their own productivity by using personal devices for business purposes. Even if companies prohibit the use of personal USB memory sticks, for example, they will still be used. The same was true of floppy disks 15 years ago. If businesses do not issue company smartphones, then personal smartphones will be used to varying degrees. The next time you make a journey during rush hour, try counting the number of tablets you see; it is naive to assume that they are used solely for playing Angry Birds.
Our technological behaviors are evolving at a rate that would make Darwin proud. So whether officially endorsed or not, BYOD affects your business. Whether you love it or hate it, you have to incorporate BYOD planning into your information governance strategy, ensuring that employees know the boundaries of reasonable use and managers have the means to access information held on employee-owned devices whenever they need it.
The Risks of BYOD
We live in an age of compliance, where the number of regulatory investigations has grown significantly over the last decade. Antitrust infringements have been vigorously pursued by national and international authorities, and concerns about price-fixing have become but one battleground in a greater war against corruption. It is being driven by the economy (and austerity measures), legislation (such as the Foreign Corrupt Practices Act) and the media’s renewed focus on business ethics (especially in regards to executive compensation, tax shelters and phone hacking).
The push for compliance has had the positive effect of encouraging businesses to conduct their own internal audits. These audits have helped companies foresee exposures and cultivate a culture of compliance. Such investigations require analyzing electronic communications—and emails are not the only source of information. Increasingly, we hear about the discovery of text messages that are at best embarrassing and at worst incriminating.
By now, almost everyone knows that email and text messages can be easily retrieved and analyzed using forensic techniques. For example, technology can read the metadata of an email and draw a map to help identify the virtual X that marks the most likely spot where evidence of collusion may reside.
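As an added illustration of the kind of metadata mapping described above (this is example code written for this page, not a tool the article or any vendor describes), the Python below parses the headers of a handful of constructed sample messages, builds a sender/recipient contact map with message counts and first-contact dates, and flags contacts that cross the organisation's own domain. Everything in it, including the addresses, domains and dates, is constructed for the example.

```python
"""Added example: build a contact map from email header metadata.

The messages, addresses and dates below are constructed sample data,
not real correspondence. The functions are hypothetical helpers written
for this illustration and are not part of any product.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample messages (RFC 822 style: headers, blank line, body).
SAMPLE_MESSAGES = [
    "\n".join([
        "From: Alice <alice@example.com>",
        "To: bob@example.com",
        "Cc: carol@example.com",
        "Date: Mon, 04 Jun 2012 09:15:00 +0000",
        "Subject: Pricing sync",
        "",
        "Let's align before the call.",
    ]),
    "\n".join([
        "From: bob@example.com",
        "To: Alice <alice@example.com>",
        "Date: Tue, 05 Jun 2012 10:02:00 +0000",
        "Subject: Re: Pricing sync",
        "",
        "Agreed.",
    ]),
    "\n".join([
        "From: alice@example.com",
        "To: dave@rival.example",
        "Date: Wed, 06 Jun 2012 18:40:00 +0000",
        "Subject: Catch-up",
        "",
        "Free for a coffee?",
    ]),
    "\n".join([
        "From: carol@example.com",
        "To: bob@example.com",
        "Date: Sun, 03 Jun 2012 08:00:00 +0000",
        "Subject: Numbers",
        "",
        "Attached.",
    ]),
]


def parse_headers(raw):
    """Extract sender, recipients (To + Cc) and timestamp from one message."""
    msg = message_from_string(raw)
    senders = getaddresses([msg.get("From", "")])
    sender = senders[0][1].lower() if senders and senders[0][1] else ""
    recipients = [
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        if addr
    ]
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return {"from": sender, "to": recipients, "date": date}


def build_contact_map(raw_messages):
    """Return (edge counts, first-seen date) keyed by an unordered address pair."""
    edges = Counter()
    first_seen = {}
    for raw in raw_messages:
        hdr = parse_headers(raw)
        if not hdr["from"]:
            continue  # malformed or header-less message: skip rather than guess
        for rcpt in hdr["to"]:
            if rcpt == hdr["from"]:
                continue  # self-addressed copies carry no relationship information
            pair = tuple(sorted((hdr["from"], rcpt)))
            edges[pair] += 1
            if hdr["date"] and (pair not in first_seen or hdr["date"] < first_seen[pair]):
                first_seen[pair] = hdr["date"]
    return edges, first_seen


def strongest_links(edges, n=3):
    """The n most frequently communicating pairs: the 'X marks the spot' candidates."""
    return edges.most_common(n)


def external_contacts(edges, internal_domain):
    """Pairs where at least one party is outside the organisation's domain."""
    suffix = "@" + internal_domain.lower()
    return {pair for pair in edges if any(not a.endswith(suffix) for a in pair)}


if __name__ == "__main__":
    edges, first_seen = build_contact_map(SAMPLE_MESSAGES)
    for pair, count in strongest_links(edges):
        print(f"{pair[0]} <-> {pair[1]}: {count} messages, first seen {first_seen[pair].date()}")
    print("crossing the boundary:", external_contacts(edges, "example.com"))
```

Only headers are read, never message bodies, which is what makes this kind of triage workable across a large mailbox export and is also why it finds nothing on a channel the organisation does not hold, the gap the next paragraph describes.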
So, to evade detection, employees engaged in immoral or corrupt activity are less likely to use employer-controlled communication devices. Instead, criminals may acquire second—or even third—mobile phones or SIM cards. Or they may use instant messaging tools and social networking sites to communicate with others about their illicit deeds.
Personal devices outside the company’s watchful eyes are also perfect for stealing data. Inconspicuous gadgets such as iPods, for example, contain enormous storage capacity and have been used to steal information from business premises.
BYOD presents an opportunity for external information thieves as well—and not in the ordinary sense. Hackers have been known to drop keychain memory sticks in a company parking lot: If an employee inserts one into their computer, software infects the machine with malware that can be used to attack the company’s network and stored data.
High-tech crimes aside, there is also the risk that an employee could be carrying sensitive data on an iPad that could be lost or stolen. The individual will mourn the loss of cherished photos and music playlists—not to mention the temporary loss of contact with the outside world.
The company, however, may face much longer-lasting repercussions, especially if its data ends up in the wrong hands and constitutes a data breach. The related costs can be enormous if the firm has to notify individuals whose information was exposed, set up credit monitoring services or hire a public relations firm to manage the reputational damage.
Other related issues are caused neither by malice nor carelessness. The complexities surrounding which party owns business data stored on an employee-owned device can, in fact, be caused by workers caring deeply about their careers.
These days, a reputation takes a lot of personal investment to build (time, knowledge, money), and many ambitious employees will use their own smartphones to, for example, expand their presence on Twitter. They may, in theory, be using a company account, but because they do so through their own mobile technology, it is easy for them to retain possession of the knowledge assets involved. In many cases, the contacts developed can lead to disputes over ownership of that information and those contacts.
Staying Ahead of BYOD Risk
Swedish telecom giant Ericsson has predicted that mobile phones will outnumber people within five years. In the company’s June 2012 “Traffic and Market Report,” it observed that there are now 6.2 billion mobile subscriptions but only 4.2 billion subscribers. Obviously, many employees use more than one mobile device—and the percentage of the planet’s seven billion people who use even one phone is only continuing to rise.
Faced with such daunting demographics, how can companies prepare themselves for BYOD? If you are asked to consider creating or enhancing an existing BYOD policy, there are a few things that you should know.
First, BYOD is probably already happening within your organization, so there should be guidance for employees regarding the extent of its permissible use. Even if you decide that BYOD is not allowed, you should have a policy stating exactly that and addressing the grey areas around the use of personal devices for conducting business.
The BYOD landscape is clearly a minefield of issues that legal counsel, IT and HR professionals must navigate. The task of drawing up an organizational policy is complex and should not be considered a one-off task; new products enter the market frequently and updates to local laws can have an impact on existing BYOD frameworks.
But in the age of heightened regulation and accountability, ignoring the trend is not an option. Whatever your BYOD policy looks like, you must ensure that it is relevant, up to date and clearly communicated to all employees.