Bring Your Own Device or Disaster?

Original post here https://www.vestigeltd.com/thought-leadership/byod-can-adversely-affect-organizations-it-security/

Bring Your Own Device (BYOD) is jokingly referred to around Vestige as “Bring Your Own Disaster”.  While it offers a great opportunity to reduce costs and make employees happy, it’s still crucial to protect your organization’s data.

Growing In Popularity

BYOD had its genesis probably about 10 years ago with the advent of the iPhone.  Up until that time people had the choice of a flip phone or a Blackberry.  Many companies were outfitting their employees with Blackberries paying for the devices and the service.  With the iPhone (introduced in 2007) and even the Android (introduced in 2008) there were more choices and as a result many employees wanted that choice, wanted to be able to use their own “smart phone” vs a company issued device.  Add in there the Great Recession starting in late 2007 and companies were more than happy to introduce their own BYOD policy and let users bring their own phones, which meant cutting that line-item expense of providing one for them.

People come and go with their own phones and are more productive because they can receive business email and text while out of the office and there isn’t the extra cost for the device.  Some companies have even extended the BYOD universe to include tablets and personal laptops.  No harm, no foul, huh?  As Lee Corso would say “not so fast, my friend.”

Adverse Issues

The issue with a BYOD policy is that you have devices that are largely out of the control of the organization containing your vital information. Emails with and without important attachments, text messages and custom applications – all of this sits on phones owned by your employees.  If and when they leave, what policies or agreements to you have with the now former employee that allows your company to take control of the device for the purpose of retrieving your data or at least making sure it is misappropriated?

Let’s go beyond that issue to a potentially more serious ones.  Your network, containing all of your important information, not to mention data that may be protected by regulations, has all sorts of access points from servers to laptops to desktops.  As a company, you have control (or at least can implement) over those devices through group policies, anti-virus, etc.  But what about those BYOD devices?  Can you implement best-practice security controls over the devices?  Can you install anti-virus on those devices and monitor their activity?  Can you at the very least impose encryption on the devices so that when they are stolen or accidentally left somewhere (such as a cab or at airport security) the information and access to those devices is protected?

How can the problem be even worse?  With a BYOD policy, is your organization at least aware of all of the devices that are allowed access to your network and to your data? At Vestige, not only do we have written policies governing what devices can access the network but for those that do, specific security measures are imposed upon them.

How Best To Handle Byod

Don’t mistake this article for being a “sky is falling” on BYOD (although with the above tone, I can surely understand why you may). Introducing a BYOD policy definitely has its advantages in cost, appeasement to employees and the ability for them to stay connected when they want, or are needed to stay connected. However, with each new technology and fad, care must be taken to understand the security implications so that your organization isn’t caught blind-sided by a poorly implemented policy.

The first thing to consider is a review of the BYOD policy your company has and how your data is protected. Work with outside counsel to come up with the best plan for your company because it is not a situation of “one size fits all” (is there ever?). Things to consider are:

• What security measures are forced down on BYOD devices so that your data is protected?
• Is it made clear to employees that while they own the device the company owns its data on the device and can take certain measures with the device because of that data ownership?
• Can the company account for all BYOD devices that have its data and what data is on them?
• What is the policy regarding BYOD devices when the employee leaves the company?

Like Ben Franklin said, “An ounce of prevention is worth a pound of cure” and I’ve seen many times in the case of BYOD devices, an ounce of prevention is an ounce well spent.