As most IT professionals have learned firsthand, the Bring Your Own Device (BYOD) movement that took off with the first iPhone introduced a number of immediate security challenges for enterprise data and networks.
Suddenly, employees were using their own smartphones (and, a few years later, tablets) to access and store enterprise data. They were using the mobile apps of their choice, often downloading them from sketchy third-party sites. And they were going “rogue,” using personal clouds and other technologies to store work files and apps without informing IT.
Many enterprises initially resisted BYOD because of security and cost concerns, but the boost in productivity and morale became too obvious to ignore. Thus, enterprises accommodated BYOD by devising sets of usage policies and guidelines they would require employees to acknowledge and sign.
And this solved all the security and privacy concerns, right? Not quite.
As John Hopkins, an attorney with the law firm Searcy Denney Scarola Barnhart & Shipley, writes on JD Supra Business Advisor website:
“Some believe that most of, if not all, the problems brought by BYOD can be handled through confidentiality and consent agreements. The truth is those rely on the conduct of the employee and the extent to which the employee is willing to (or remembers to) comply. In addition, the consent issue may provide the right, but the responsibility for monitoring compliance and follow through is still the corporation’s.”
It’s an old dilemma for IT: You can lead a horse to water, but you can’t make it use two-factor authentication. While the point of Hopkins’ post is the legal ramifications of discovery when an enterprise is sued and relevant data sits on employees’ (or former employees’) personal devices, he makes another point directly relevant to the reality of BYOD policies:
“Bring your own device is the formal policy. The informal policy happens in the companies who allow their employees to carry data to and from home, on trips, store to the cloud and access data from their home personal computers.”
Because a signed policy only documents consent, enterprise IT has to layer several approaches to actually improve the security of BYOD devices.
First, make sure you have clearly defined BYOD policies, because what might seem clear to you could be vague or convoluted to employees.
Second, keep informing and educating employees about the importance of mobile security, particularly during the initial training process. Presenting security as an inherent part of mobile usage, alongside the productivity benefits, can instill better habits in at least some employees.
Finally, insist that any device holding enterprise data be enrolled in a mobile device management (MDM) tool that supports remote lock and wipe in the event the device is lost or stolen (the device, not the employee). On a personally owned device, prefer a selective wipe that removes only corporate data, accounts and apps, since a full wipe destroys the employee’s own data along with the company’s. Remote commands also only reach devices that are actually enrolled and still checking in, so track enrollment and last check-in rather than assuming the capability is there when you need it.
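Hopkins’ point that monitoring compliance stays the corporation’s responsibility means the signed policy has to be backed by an actual check against the device inventory. The following is an added example, not code from the original article or from any MDM vendor: it audits a constructed inventory against a BYOD baseline (policy acknowledged, passcode, encryption, MDM enrollment with a recent check-in, minimum OS version). The record fields, the minimum versions and the 30-day check-in window are assumptions chosen for illustration.

```python
"""Constructed BYOD compliance audit (example added to this article, not the
author's code). The inventory records and their field names are assumptions
modelled on what an MDM/UEM export typically contains."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum supported OS versions for enrolled devices (assumed policy values).
MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (16, 0, 0), "android": (13, 0, 0)}
# A device silent longer than this cannot be locked or wiped on demand (assumed window).
MAX_CHECKIN_DAYS = 30


@dataclass
class Device:
    owner: str
    platform: str           # "ios" or "android"
    os_version: str         # as reported by the device, e.g. "17.2.1"
    passcode_set: bool
    encrypted: bool         # storage encryption enabled
    mdm_enrolled: bool      # enrolled, so remote lock/wipe commands can reach it
    policy_signed: bool     # employee acknowledged the written BYOD policy
    last_checkin_days: int  # days since the device last reported to the MDM


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.2.1' or '13' into a comparable three-part tuple."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))  # pad so "13" compares equal to "13.0.0"
    return tuple(parts[:3])


def violations(d: Device) -> List[str]:
    """Return every way a device falls short of the baseline (empty list = compliant)."""
    problems: List[str] = []
    if not d.policy_signed:
        problems.append("BYOD policy not acknowledged")
    if not d.passcode_set:
        problems.append("no device passcode")
    if not d.encrypted:
        problems.append("storage not encrypted")
    if not d.mdm_enrolled:
        problems.append("not MDM-enrolled: remote lock/wipe unavailable")
    elif d.last_checkin_days > MAX_CHECKIN_DAYS:
        problems.append(
            f"no check-in for {d.last_checkin_days} days: remote commands would not be delivered"
        )
    floor = MIN_OS.get(d.platform)
    if floor is None:
        problems.append(f"unsupported platform {d.platform!r}")
    elif parse_version(d.os_version) < floor:
        problems.append(
            f"{d.platform} {d.os_version} below minimum {'.'.join(map(str, floor))}"
        )
    return problems


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant owner to the reasons; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for d in devices:
        found = violations(d)
        if found:
            report[d.owner] = found
    return report


# Constructed inventory: every owner except Dave has signed the policy, yet only
# Alice's device actually meets it, which is the gap between consent and compliance.
SAMPLE_INVENTORY = [
    Device("alice", "ios", "17.2.1", True, True, True, True, 2),
    Device("bob", "android", "12", True, True, True, True, 4),
    Device("carol", "ios", "17.0", False, True, False, True, 0),
    Device("dave", "ios", "17.1", True, True, True, False, 45),
]

if __name__ == "__main__":
    for owner, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{owner}: {'; '.join(reasons)}")
```

Run as-is, the audit flags Bob (OS below the floor), Carol (no passcode, not enrolled, so no remote wipe is possible) and Dave (never acknowledged the policy and has not checked in for 45 days), while Alice’s device passes. The enrollment and check-in tests are the ones that matter for the remote lock and wipe requirement: a device that is not enrolled, or that stopped reporting weeks ago, will not receive the command no matter what the policy says.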
It’s a thankless, endless task. But IT security pros already knew that.