Original post here https://www.vestigeltd.com/thought-leadership/byod-can-adversely-affect-organizations-it-security/
Bring Your Own Device (BYOD) is jokingly referred to around Vestige as “Bring Your Own Disaster”. While it offers a great opportunity to reduce costs and make employees happy, it’s still crucial to protect your organization’s data.
Growing In Popularity
BYOD had its genesis probably about 10 years ago with the advent of the iPhone. Up until that time people had the choice of a flip phone or a Blackberry. Many companies were outfitting their employees with Blackberries paying for the devices and the service. With the iPhone (introduced in 2007) and even the Android (introduced in 2008) there were more choices and as a result many employees wanted that choice, wanted to be able to use their own “smart phone” vs a company issued device. Add in there the Great Recession starting in late 2007 and companies were more than happy to introduce their own BYOD policy and let users bring their own phones, which meant cutting that line-item expense of providing one for them.
People come and go with their own phones and are more productive because they can receive business email and text while out of the office and there isn’t the extra cost for the device. Some companies have even extended the BYOD universe to include tablets and personal laptops. No harm, no foul, huh? As Lee Corso would say “not so fast, my friend.”
The issue with a BYOD policy is that you have devices that are largely out of the control of the organization containing your vital information. Emails with and without important attachments, text messages and custom applications – all of this sits on phones owned by your employees. If and when they leave, what policies or agreements to you have with the now former employee that allows your company to take control of the device for the purpose of retrieving your data or at least making sure it is misappropriated?
Let’s go beyond that issue to a potentially more serious ones. Your network, containing all of your important information, not to mention data that may be protected by regulations, has all sorts of access points from servers to laptops to desktops. As a company, you have control (or at least can implement) over those devices through group policies, anti-virus, etc. But what about those BYOD devices? Can you implement best-practice security controls over the devices? Can you install anti-virus on those devices and monitor their activity? Can you at the very least impose encryption on the devices so that when they are stolen or accidentally left somewhere (such as a cab or at airport security) the information and access to those devices is protected?
How can the problem be even worse? With a BYOD policy, is your organization at least aware of all of the devices that are allowed access to your network and to your data? At Vestige, not only do we have written policies governing what devices can access the network but for those that do, specific security measures are imposed upon them.
How Best To Handle Byod
Don’t mistake this article for being a “sky is falling” on BYOD (although with the above tone, I can surely understand why you may). Introducing a BYOD policy definitely has its advantages in cost, appeasement to employees and the ability for them to stay connected when they want, or are needed to stay connected. However, with each new technology and fad, care must be taken to understand the security implications so that your organization isn’t caught blind-sided by a poorly implemented policy.
The first thing to consider is a review of the BYOD policy your company has and how your data is protected. Work with outside counsel to come up with the best plan for your company because it is not a situation of “one size fits all” (is there ever?). Things to consider are:
Like Ben Franklin said, “An ounce of prevention is worth a pound of cure” and I’ve seen many times in the case of BYOD devices, an ounce of prevention is an ounce well spent.
Ready for more? Browse additional articles in Technology!