In business, leaders are very often the conduit between an organization’s vision and the realization of that vision. They are charged with creating an environment that will support the team or teams within the organization to maximize innovation, productivity, and efficiencies and theoretically grow profits and market share – to live to fight another day. The focus on innovation, productivity, and efficiency has always been important, but as we recover from the 2008 recession, this focus is even more critical. Over the last five years, there has been an explosion of affordable, interactive “smart” wireless devices in the market at a price point and connectivity that provided mass appeal. Based on a recent research poll by Pew, 61% of Americans own a smartphone, and 91% of adults in the US own some form of cell phone.
The accessibility of smart devices in today’s world has greatly affected the business world on many levels. In the early days, technology such as computers, cell phones, and PDAs were the tools of business leaders who either could afford them or had the luxury of having them provided to them by their employer. Today, this is no longer the case. Not only are the devices widely available, they are inexpensive and play a critical role in how people communicate both professionally and personally. In the business world this translates into evolving expectations from customers, employers, co-workers, and vendors. These devices have become a critical business tool and in many cases with an eye toward the need for innovation, productivity, and efficiency, the use of personal devices has gained wide-spread acceptance in the workplace. On the surface this seems like a boon for business – especially small businesses – but can you afford the potential costs?
In business and in life, communication is everything. Cell phones, tablets, and computers are all communication devices, and they have become as important to the well-being of companies and employees as love, food, and – to some – the air we breathe. As important as these devices are to business, the most important asset in the technology age is the network backbone that supports all the devices. Businesses spend tens of millions of dollars to develop and protect the network backbone that is critical to the viability of the business. Risks to the network create the potential for disruption of general operations, disruption of transactional and payment operations, theft of sensitive data, legal liability, and damage to the company’s brand. Companies address those risks with protocols, software (such as antivirus, spam control, and others), and hardware to deny and detect breaches to the network. Every device connected to a network – including smartphones, tablets, and laptops – is a potential point of attack or vulnerability for a network. So why would companies allow employees to connect personal devices to the company network? Innovation, productivity, and efficiency – or better, faster, and smarter.
Since most employees already own and use smartphones, laptops, and tablets in their personal lives, they are already being brought into the workplace. This means that if allowed to connect to the business network, these employees have the ability to stay connected to the office and many times clients when they are out of the office or on vacation at no obvious additional cost to the company. More communication and collaboration with no additional cost appears to translate into higher efficiency and productivity. On the surface, most businesses are willing to accept the personal use of these devices in the workplace as a reasonable trade-off or as something unavoidable.
What is not always considered are the other, less obvious costs associated with personal devices connected to the business network:
- The cost of providing technical support for non-company issues
- The lack of security protocols activated on personal devices
- The accessibility and use of personal devices by non-employees
- The lack of control and ownership of personal devices
- The lack of accountability for the loss of personal devices containing company information
- The inability to preserve company data in a lawsuit, audit, or records request
Studies show that employees are less vigilant about their personal devices than company devices and many take more risks with “downloads” on a personal device, including games, apps, attachments, and links – all the places where malware hides. Does your company have security requirements for employees who connect their personal devices to the company network to include anti-virus software that is up-to-date, password protection that gets updated regularly, and protocols that protect company data? If an employee loses a company-owned device, are they required to report it in a certain amount of time? Most likely the answer to that question is yes. What about a personal device? Are employees required to report it at all? In the case of a lawsuit, audit, or records request, the elements of ownership and accessibility are in question. How would you address an employee who is reluctant to share data on a phone that has personal information including pictures, texts, and sensitive information?
According to a recent survey of 1600 members of LinkedIn’s Information Security Group, the top security concerns for Bring Your Own Device (BYOD) were:
- Loss of company or client data (75%)
- Unauthorized access to company data and systems (65%)
- Malware infection (47%)
As a security consulting firm that works with attorneys every day to access and preserve evidence, we know that few companies have considered all the vulnerabilities that exist in an open bring your own device (BYOD) environment. Consider for a moment companies that have experienced a security breach. How easily could this happen at your organization because of a breach through a company-owned device with insufficient security controls in place? How easily could a breach occur through a device owned by an employee who does not think security is important or who has inadequate controls in place? The costs and recovery from of a security breach in time, resources, and reputation is significant.
The first criminal charges in connection with the 2010 BP oil spill were not related to any of the acts that led to the explosion. Rather the charges were related to the failure of a BP engineer to preserve text messages related to his observations following the explosion. The engineer was charged with criminal obstruction of justice. In a lawsuit or other action, how would your company know where data is located? How would you get access to the device(s)? How would you address reluctant employees? How would you collect the data? If the personal device was lost or stolen, are your employees required to notify the company? Can the employee or employer locate, lock, or “wipe” the device remotely? How will you deal with employees who object to security measures such as tracking, “wiping” etc? When an employee leaves the company or is terminated how will you protect the business data and how will you determine what company data is still on the employees device(s)?
There are no easy answers to the dilemma, but there are steps that companies can take to protect themselves while still encouraging collaboration, productivity, and efficiency. At the most basic level, companies should approach this as they would any security vulnerability. Know what the most valuable assets to the company are (what you want to protect) and protect them with concentric layers of security or guardianship. If the company is going to allow personal devices on the network, begin with policies and procedures that include:
- Acceptable use
- User responsibilities/corporate IT responsibilities
- Network access requirements
- Types and brands of devices that are supported as well as those that are not supported
- Company’s right to monitor the appropriate use of the devices
- User’s right to privacy
- Device reset and data deletion
- Policy enforcement and consequences of violation of the policy (up to and including termination)
- Security configurations and security controls
- Application restrictions
- Acceptable use and treatment of corporate data
Encryption, management applications, and policies will make up the framework of the BYOD security protocols. Depending on the industry of the business, there may be regulatory requirements to be considered including but not limited to HIPAA, PII, FOIA, and others. There are sample BYOD policies that are available online. The federal government has provided A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, and additional information can be found at: www.whitehouse.gov. Here you will find:
- Policy and Guidelines for Government-Provided Mobile Device Usage
- Bring Your Own Device – Policy and Rules of Behavior
- Mobile Information Technology Device Policy
- Wireless Communication Reimbursement Program
- Portable Wireless Network Access Device Policy