Bring Your Own Device (BYOD) programs remain both a major opportunity and challenge for enterprises. It is possible to capitalize on the benefits of BYOD without adding significant risk by following the right approach to identifying BYOD risk and developing an effective BYOD policy.
This post focuses on the considerations relevant to adopting or maintaining a Bring Your Own Device program, and closes with comments on recent cases that highlight the challenges of discoverable data on personal devices.
If your company allows employees to bring their own computing devices to work – whether they are smartphones, tablets, or laptops – you need a BYOD security policy. Today, smartphones and tablets have proliferated in the consumer market to the point that nearly every employee comes to work with their own internet-connected device. This means higher potential for an employee introducing security risks to your company.
BYOD – Need to Address Security Challenges
BYOD security is often a challenge for organizations since an effective policy requires some form of control over smartphones, tablets, and laptops not owned by the company.
Adopting a BYOD policy can reduce hardware and software costs, but it also places additional responsibilities on IT departments to ensure that the devices, and the practice as a whole, do not introduce unnecessary vulnerabilities into the company network and data. Security concerns are the most common reason organizations rule out BYOD.
Surveys have reported that while around 95% of organizations allow the use of employee-owned devices in the workplace, two out of three employees use personal devices at work regardless of the company’s BYOD policy. In other words, some employees are using personal devices to reach company networks and data even where the practice is forbidden. A company that ignores the likely use of personal devices is ignoring what could be a serious security risk.
Employers have two options: either embrace BYOD by enacting policies and security measures to make the practice a safer one, or prohibit BYOD entirely and find a way to enforce it.
Next Steps to Creating a BYOD Policy
Should you choose to embrace the use of personal devices to conduct work, the first step is to gain stakeholder and employee buy-in. Blindly creating policies based solely on the company’s interests can backfire. Policies that are too restrictive or fail to offer support for the right devices will lead to a lack of participation by employees, ultimately wasting company resources invested in creating the policies.
Defining a BYOD security policy is a critical step in maintaining company security when employees bring personal devices to the workplace. Below are a few essential elements of a BYOD policy:
Detail applications & assets employees are permitted to access from personal devices.
Clarify minimum required security controls for devices.
Outline a service policy for BYOD devices including available support from IT.
Outline the ownership of apps and data, the reimbursement process, and permitted or prohibited apps.
Explain procedures that must be followed when an employee separates from the company.
Disclose risks, liabilities, and disclaimers in a written BYOD policy.
A strong policy that leverages technology to better secure employee-owned devices is vital to ensuring proper BYOD use in an organization. Below are a number of components common to most policies:
Password Provisions – Most organizations require a strong passcode or password on any mobile device or computer that touches company data. Some still mandate changes every 30 or 90 days, but current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, since it pushes users toward predictable variations; requiring multi-factor authentication for company applications is a better use of that friction.
Privacy Provisions – Your BYOD policy needs to address how you protect data while ensuring employees’ privacy.
Data Transfer Provisions – Company data should be encrypted and password protected, and transferred only through company-mandated applications, not personal email, consumer file-sharing services, or messaging apps.
Proper Maintenance/Updates – Keeping devices and applications patched and up-to-date is a major part of overall digital security.
Common Sense Provisions – Technology is indifferent but people have bad habits. Work selfies and short “vlogs” may occur even when prohibited. Common-sense rules include things like:
No device use while driving
Limit personal calls while at work
Do not record coworkers without their permission, even in areas where phones are otherwise acceptable, such as break rooms
Approved Applications – Without a list of approved programs, employees will pick their own, which is how unsanctioned file-sharing and messaging tools end up holding company data.
Upon Termination – Organizations must make sure that company data is removed from the device and that its access to company applications, accounts, and certificates is revoked, so having a clear set of procedures for employee separations is very important.
Data Wipe Procedures – Wiping company data from an employee’s phone, tablet, or computer is complicated enough that some businesses choose to issue company devices instead. If you allow BYOD, document the steps in advance: what gets wiped (a selective wipe of the managed container or managed apps versus a full factory reset), who is authorized to trigger it, and how the employee is notified, so that personal photos and messages are not destroyed by mistake.
Accountability Provisions – Your policy should describe in detail how accountability is tracked, measured, and enforced. Every member of the team should understand not only how devices are to be used, but also the consequences of failing to keep company data safe.
Evaluate Your Technology Capabilities
Lack of oversight is one of the most common concerns surrounding BYOD implementation. Companies implementing BYOD policies need to have adequate IT staff to set up employees and provide ongoing support and monitoring. Companies should implement measures and procedures for verifying installation of security solutions on all devices, and also create protocols for identifying and enforcing policies related to the risk evaluation of various apps. Finally, if reimbursement is included in the BYOD policy, budgetary issues should be considered with appropriate resources allocated for this purpose.
The ideal BYOD security solution is one that encompasses several or all elements previously described, and facilitates a comprehensive mobile security strategy. Below are short descriptions of various security measures that may be used as part of a comprehensive BYOD security program.
Encryption for data at rest and in transit – Device storage encryption, tied to the screen-lock passcode so that the key is not available on a locked or stolen device, protects company files if the device is lost; TLS or a VPN for company connections protects them from interception on untrusted networks such as public Wi-Fi. Require both, and verify them through device management rather than trusting the user to turn them on.
Application installation control – There are some controls available with certain devices and operating systems that IT can utilize to exert control. However, restricting an employee’s ability to download or install applications on personal devices isn’t a practical solution since employees expect the ability to use personal devices when not conducting business.
Mobile device management – Mobile device management (MDM) solutions offer a balance between total control for employers and total freedom for employees, offering the ability to deploy, secure, and integrate devices into a network and then monitor and manage those devices centrally. For BYOD specifically, many organizations use mobile application management (MAM) or app-level protection instead of full device enrollment, so that IT manages only the company apps and data rather than the whole device.
Containerization – Containerization is increasingly offered in conjunction with MDM solutions. It segregates a portion of the device into its own protected bubble, guarded by a separate password and governed by a separate set of policies from the rest of the apps and content on the device; the Android work profile is a common example. It is also what makes a selective wipe of company data possible without touching personal content.
Blacklisting – Blacklisting (also called denylisting) is a method some companies use to block apps that pose a risk to enterprise security or hinder productivity, such as games or social networking apps. Because it judges only apps that are explicitly listed, anything new or unknown is permitted by default, and it is rarely used for BYOD because it means controlling what employees install on their personal devices during both work and off-hours.
Whitelisting – Whitelisting (allowlisting) is the opposite: only explicitly approved apps may be installed in, or access data from, the managed portion of the device, and anything unknown is refused by default. Because it fails closed, it is generally considered the more effective control, and because it can be scoped to the work container it avoids the intrusion into personal use that blacklisting implies.
Other Measures – A variety of other security processes can be used as part of a comprehensive BYOD security program, such as requiring endpoint protection (antivirus) software on individual devices and checking for jailbroken or rooted devices.
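The device-posture checks that an MDM or conditional-access system performs against the minimum controls listed above, together with the difference between a denylist and an allowlist, are easier to see in code than in prose. The following is an added illustration written for this post, not code from any MDM product or from the original article. The policy values, device reports, and app identifiers are constructed sample data; the names Policy, DeviceReport, evaluate and demo are assumptions of the example.

```python
"""Device-posture evaluation for a BYOD enrolment (added illustration).

Everything here is constructed: the policy values, the device reports and
the app identifiers are made-up sample data, not output from a real MDM.
Only the apps that hold company data (the managed portion of the device)
are inspected, so personal apps are never reported, matching the privacy
provision a BYOD policy should make.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_os: dict                   # platform -> minimum OS version tuple
    require_encryption: bool = True
    require_screen_lock: bool = True
    deny_jailbroken: bool = True
    app_mode: str = "allowlist"    # "allowlist" (fails closed) or "denylist" (fails open)
    apps: frozenset = frozenset()  # approved apps, or banned apps, depending on app_mode


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    platform: str
    os_version: tuple
    encrypted: bool
    screen_lock: bool
    jailbroken: bool
    work_apps: frozenset  # apps with access to company data; personal apps are not reported


def _fmt(version):
    return ".".join(str(part) for part in version)


def evaluate(report, policy):
    """Return (compliant, findings).

    Every failed control is listed so the employee can see what to fix
    before the device is allowed onto company resources. A platform the
    policy does not mention fails closed.
    """
    findings = []
    minimum = policy.min_os.get(report.platform)
    if minimum is None:
        findings.append(f"platform {report.platform!r} is not supported by policy")
    elif report.os_version < minimum:  # tuples compare lexicographically: (13, 0) < (14, 0)
        findings.append(f"OS {_fmt(report.os_version)} is below minimum {_fmt(minimum)}")
    if policy.require_encryption and not report.encrypted:
        findings.append("storage encryption is disabled")
    if policy.require_screen_lock and not report.screen_lock:
        findings.append("no screen lock or passcode")
    if policy.deny_jailbroken and report.jailbroken:
        findings.append("device is jailbroken or rooted")
    if policy.app_mode == "allowlist":
        # Fail closed: any work app nobody has reviewed is a finding.
        for app in sorted(report.work_apps - policy.apps):
            findings.append(f"unapproved work app {app}")
    elif policy.app_mode == "denylist":
        # Fail open: only apps that were explicitly banned are findings.
        for app in sorted(report.work_apps & policy.apps):
            findings.append(f"prohibited app {app}")
    else:
        raise ValueError(f"unknown app_mode {policy.app_mode!r}")
    return (not findings, findings)


# Constructed sample policy and device reports.
APPROVED = frozenset({"com.example.mail", "com.example.files", "com.example.chat"})
BANNED = frozenset({"com.example.freevpn"})
MIN_OS = {"ios": (17, 0), "android": (14, 0)}
ALLOWLIST_POLICY = Policy(min_os=MIN_OS, apps=APPROVED)
DENYLIST_POLICY = Policy(min_os=MIN_OS, app_mode="denylist", apps=BANNED)

GOOD_PHONE = DeviceReport("dev-001", "ios", (17, 4), True, True, False,
                          frozenset({"com.example.mail", "com.example.chat"}))
BAD_TABLET = DeviceReport("dev-002", "android", (13, 0), False, True, True,
                          frozenset({"com.example.mail", "com.example.freevpn"}))
# Runs an app nobody has reviewed yet: passes the denylist, fails the allowlist.
UNKNOWN_APP_PHONE = DeviceReport("dev-003", "ios", (17, 4), True, True, False,
                                 frozenset({"com.example.mail", "com.example.newsync"}))


def demo():
    """Evaluate the sample devices under both policies, keyed by (device_id, mode)."""
    results = {}
    for policy, mode in ((ALLOWLIST_POLICY, "allowlist"), (DENYLIST_POLICY, "denylist")):
        for report in (GOOD_PHONE, BAD_TABLET, UNKNOWN_APP_PHONE):
            results[(report.device_id, mode)] = evaluate(report, policy)
    return results


if __name__ == "__main__":
    for (device, mode), (ok, findings) in demo().items():
        status = "compliant" if ok else "NON-COMPLIANT"
        print(f"{device} [{mode}]: {status} {findings}")
```

The point to take from dev-003 is the one the Blacklisting and Whitelisting entries make: the same device with the same unreviewed app is compliant under the denylist and non-compliant under the allowlist. A real deployment would feed the device report from the MDM agent and gate access to company applications on the result rather than printing it.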
The bottom line is that BYOD security, like enterprise security, requires a multi-faceted approach that addresses the potential risks while minimizing intrusions on employee privacy and usability when it comes to personal use. Enterprises that embrace these solutions capitalize on the benefits and reap the rewards while effectively mitigating security risks.
Recent Cases Involving BYOD
Judge J. Michelle Childs, of the U.S. Court of Appeals for the D.C. Circuit, recently noted that BYOD policies have been increasingly at the center of new litigation involving the commingling of personal and business data on employee devices. Ultimately, Judge Childs stated that an employer with a BYOD policy “does not legally control personal text messages…when the policy does not assert employer ownership over the texts and [then] the employer cannot legally demand access to the texts.”
U.S. Magistrate Judge Katharine H. Parker of the Southern District of New York separately highlighted that it is important to “understand if there is a BYOD policy, and what does that policy allow the employer to do in terms of retrieving data.” She added, “sometimes all the business data on the phone will be saved on the business system…but in some cases what we’re seeing now is employees avoid companies’ systems on purpose and have business conversations on the device outside the control of the company.” This, she noted, has caused and will continue to cause challenges, since conversations that fall outside the scope of the BYOD policy could lead to subpoenas to obtain that information.
Scott Milner, co-leader of Morgan, Lewis & Bockius’ eData practice, added his comments noting it will be interesting to see how recent BYOD cases evolve post-“Monaco Memo” from the Department of Justice, which raised expectations for companies to retain and disclose employee personal device data. If anything, recent cases and the DOJ’s focus on personal devices “highlight the importance of a very well-defined BYOD policy,” said U.S. Magistrate Judge Gary R. Jones of the Northern District of Florida.
The rise in cyber threats, the increased focus on privacy regulations, and the evolving treatment of personal device data by the courts make it critical to establish cyber and information management policies that implement current security standards, particularly for companies that adopt BYOD programs.