BYOD raises legal issues

For the London Free Press – April 30, 2012 – Read this on Canoe

BYOD, or bring your own device, is a hot topic. It refers to the trend for employees wanting to use their own smartphones or tablets for work purposes, rather than the ones their employer provides.

Why would an employee want to use his or her own device? It might be a better or more familiar device than their employer provides. Or they might not want to carry two phones. Or their employer might not provide phones or tablets at all.

BYOD can cause headaches for IT departments. It’s much harder to deal with many different types and configurations of devices in the workplace than one specific device or configuration approved by and owned by the employer.

This is a trend that can’t be stopped, and it can have advantages for the employer. BYOD raises legal issues that need to be considered as well.

For example, employers usually have technology use policies that allow them to look at whatever an employee does on his work computer or device, even if the employee uses it for some personal use.

The goal is to be able to monitor and deal with improper employee behaviour, such as wasting excessive amounts of time surfing the net, or violating privacy, confidentiality, laws or corporate policies.

But those policies usually justify monitoring based on the notion that the equipment is owned by the employer. Those policies should be expanded to try to include BYOD devices.

It’s unclear to some extent how effective that will be if the issue gets into court, as there are issues of personal privacy connected with employer monitoring of a personal device. But there should at least be an attempt to address the situation and provide a plausible argument for monitoring in certain situations.

Another issue is how to ensure the privacy and security of employer data on a BYOD device. Businesses must keep personal information secure, and need to keep other information secure for various confidentiality and business reasons.

That is easier to do on a smartphone, for example, that the IT department has configured and locked down to require password access, to encrypt sensitive information, or to allow IT to remotely lock or wipe the device if it’s lost or stolen.

That becomes more of a challenge when dealing with BYOD. Technology use and security policies should be looked at in light of this. Should users, for example, only be allowed to use a BYOD device if it has a screen lock?

Another approach is to set up systems so that as much as possible remains in the cloud or company-controlled servers, with proper access security. That way, if a device is lost or stolen, the data is not on the device itself.

Access must be simple and easy, though. Otherwise employees will just ignore corporate policy, and will resort to faster and easier ways to get what they want on the device, such as dragging files into Dropbox, or e-mailing them to a personal email account.

http://harrisonpensa.com/lawyers/david-canton

2 thoughts on “BYOD raises legal issues”

  1. David, you raise some interesting points regarding BYOD.

    Privacy and security of corporate data, whether it’s on a laptop, smartphone, tablet or stored in a cloud data storage service such as DropBox should be a significant concern of all firms.

    However, “corporate policies” are insufficient controls over corporate data. A recent survey published by Cisco presents some very sobering information for those in IT and management hoping that policies will protect data. Cisco found that 8/10 new hires and recent graduates (the survey sample) admitted to knowingly ignoring corporate policies regarding data security, and 4/5 believed it was not their responsibility to protect corporate assets.

    So much for reliance on policies to protect your data and your company from harm.

    The Cisco report can be found here:

    http://www.cisco.com/en/US/netsol/ns1120/index.html?CAMPAIGN=ccwtr&COUNTRY_SITE=us&POSITION=newsletter&REFERRING_SITE=cisco+newsroom&CREATIVE=newsletter

    It is my experience that most employees bypass company systems to use “personal” cloud storage systems such as DropBox. DropBox is a quality service, but is completely outside the domain of IT, and hence a risk. With DropBox, users can share data with people outside the corporate domain, and again, this is a significant risk. The other issue with DropBox is that the data is stored on Amazon Web Services in the US. Patriot Act anyone?

    IT must consider ways to separate “personal” from “corporate” on user-owned devices, and provide efficient tools to store, access and share data within the confines of the IT-controlled domain. Otherwise, users will continue to ignore corporate policies and tools in an effort to become more productive. “Policy” isn’t enough.

  2. I find this discussion very interesting. I believe David has the right idea — although I would suggest that forcing any device connecting to a network to only have a screen saver password will not fly. Would this apply to a consultant or just an employee? Would it apply to all employees or just a certain level of employee? I have my passwords and access to all my systems (that are not owned by my employer) secured — and it is none of their business — full stop. If you want access ask and they can decide. If they refuse and you feel it is in your right go to court.

    What I find silly about this is that companies go to great lengths to lock down desktops and block URLs from the internet, all with good intentions. Yet if a bad person really wants to steal data, a simple USB key, an iPhone with a camera, or simple steganography will solve the problem — completely undetected. At the end of the day, you have to trust someone somewhere and sometime, trust your hiring process, and have consequences for those who breach policy.

    -mike
