Margaret Horan of Lexmark’s Perceptive Software tackles one of the newest challenges in the workplace: BYOD (Bring Your Own Device), as employees increasingly bring their own smartphones, tablet PCs and USB drives into the workplace and then access the corporate network with them. If these mobile devices are lost or stolen, significant security breaches can occur. As Horan writes:
As the functionality of smart phones and tablets continues to grow, the BYOD (bring your own device) trend is booming. If you don’t already have a policy regulating how employees can use their personal mobile devices on your corporate network, you should be considering one. Even companies that have had policies in place for several years are re-evaluating them because of the growing number of employees who want to use their own mobile devices for work-related tasks… and the growing concern about the risk that such access presents.
How big is the risk?
Thirty-nine percent of companies have experienced a security breach due to employees using unauthorized devices, according to a recent British Telecom survey of 2,000 enterprises in 11 countries.
And the financial consequences are significant. The Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, conducted a study of 51 corporations that had suffered data breaches. The study, which was released in 2011, calculated the cost of data breaches resulting from lost or stolen mobile devices, including smart phones, tablets and USB drives. Using both direct (hard costs) and indirect (e.g., lost customers) expenses incurred because of the breaches, the cost per record totaled $258. That’s not per breach – that’s per record breached.
More bad news: It’s not easy to develop and enforce an effective BYOD policy, nor is it cheap in terms of time and resources. The expertise needed to design such a plan cuts across a range of areas, including network security, risk management and application development. In addition, onboarding and supporting devices are time-consuming tasks that take away technical resources from other key projects.
Why do organizations allow BYOD? Perhaps because employees using their mobile devices can boost efficiency and allow organizations more freedom and flexibility in how people do their jobs. In addition, there is considerable pressure to allow BYOD from employees because the usage of mobile technology has followed a different path than other technologies. Smart phones and tablets were adopted by consumers first and then by businesses. In the past, it’s been the other way around. In effect, organizations have had little choice but to follow where their employees were leading them.
The need to protect data and sensitive information, yet keep employees productive and happy, leaves companies somewhere between the proverbial rock and hard place. Mobile device usage is too widespread to try banning them from the workplace, but the risks of unmanaged access are too great to ignore. Fortunately, as the trend toward integrating employee-owned devices into corporate networks has grown, so has the number of mobile device management (MDM) solutions that allow organizations to manage the process more easily and mitigate the risks of data breaches.
But even with more robust MDM technology, it’s important that organizations lay a strategic foundation for their BYOD policies to be sure the implementation fits their specific needs and resources. Here are three strategies that can make implementing and enforcing your BYOD policy easier.
Just say “no” to some apps and devices.
IBM made big news in May 2012 when the company disabled public file-transfer programs such as Apple’s iCloud and Dropbox, and turned off Siri, the voice-activated personal assistant on iPhones, as well as other applications, on employee-owned mobile devices used to access IBM’s network. According to Brian Bergstein, deputy editor of MIT’s Technology Review, IBM is taking back some of the control it had when company-issued BlackBerrys were the only mobile devices it allowed.
“IBM doesn’t control Dropbox. It’s not that IBM thinks Dropbox is up to no good, but it doesn’t want to take the chance that someone will hack into your Dropbox account and see sensitive corporate information,” Bergstein said in a recent interview on WBUR, Boston’s public radio station.
“Same thing with Siri…. Your queries are sent off to the cloud – a remote data center – and that information is stored… and out of the control of a company like IBM.”
In the not-too-distant future, according to Weinberg, IT departments will be able to turn off certain elements of applications that might jeopardize security, while allowing an employee to, for example, still view personal photos uploaded to the service. This move toward “containerization” will allow the best of both worlds: mitigation of security risks for organizations and the convenience of one smart phone for work and personal use for employees.
In the meantime, however, companies need to decide which applications and devices are too risky to allow. And employees will have to decide if they can balance the restrictions with the advantages of mobile access from their smart phone or tablet.
Decide who really needs mobile access to your corporate network.
Not everyone in your organization needs to use his or her smart phone for work. Hourly employees who seldom work remotely, staff members whose jobs entail structured tasks that don’t require a lot of collaboration or whose roles are not customer-facing can get by without it. At the very least, you can restrict mobile access to the must-haves in the first phase of your BYOD policy. The nice-to-haves can wait for phase two.
Restricting your BYOD policy will conserve IT resources for other uses. Rolling out your policy in stages will point out any weaknesses before you implement it for one and all. As the recent actions of IBM have shown, even large, tech-savvy companies with extensive IT resources are having problems with BYOD.
Hold regular training on your BYOD policy and the security risks mobile devices pose.
Even the most comprehensive policy will be rendered useless if employees don’t understand it or know how their mobile device usage can jeopardize corporate security. IBM surveyed several hundred employees about their mobile devices and found that many had no idea which mobile apps might constitute security risks. It was discovered that many were forwarding company email to public Web mail services and using public Wi-Fi, making data easily accessible to any curious individual with a few free software tools.
Training should be mandatory and cover any updates to your policy, as well as reminders of existing rules regarding mobile access, because even though employees have good intentions of complying with security measures, they often get lax over time. Reinforce that the rules are based on real threats to your organization. A higher level of appreciation of the risks (coupled with the knowledge that a breach can result in a remote wipe that deletes everything on their phones) can make it easier to tolerate power-on passwords and regular scans for unauthorized access points.
Because, after all, it should be the individual’s choice: Live with (and understand) the restrictions or do without mobile access.