In the first installment of this post last week, we looked at the emerging BYOD (Bring your own device to work) movement and the IT community’s concerns about security. This week, in Part II of that post, we drill down on those security issues and look at what others are doing to address them.
Security concerns: The first and greatest security concern arises from the complication of retrieving confidential information and trade secrets before an employee resigns or is terminated. If an employee has copied, transferred or downloaded that information into his or her personal device, the risk that everything has not been returned, deleted or destroyed increases significantly.
The second concern is carelessness: in a widely reported story earlier this year, an Apple employee apparently left his unreleased iPhone 5 prototype at a bar, causing understandable angst within Apple.
The third concern, as we noted last Friday, is the fact that mobile devices and employees are increasingly being targeted by cyberthieves. As Symantec reports, one third of data breaches in 2010 occurred through mobile devices. A popular means of penetration is using Trojans that pose as legitimate apps, which are then uploaded to mobile app marketplaces in the hopes that an employee may download and install them into them their phones, which will then in turn allow malicious code to enter into the employer’s infrastructure. This means of attack, coupled with the target efforts at individuals because of the ability of crooks to gather information about them through social media, will only likely increase.
So what can a company do? The first step before implementing a new policy should be to find out who is accessing the company’s servers and what devices the employees are using. Until that audit is conducted, the company literally has no idea who is tapping in to its servers. Once it understands what devices are being used and by which employees, it can evaulate the type of policy that may fit its business.
Not surprisingly, the degree to which an employer imposes a personal device policy depends largely on what type of “work” the employee will be performing on his or her device. An employee’s use of his personal smartphone or laptop to access email will likely face little opposition from the employer, so long as the email is accessed through a web-based program such as Webmail. Because Webmail is Internet-based and allows the employee to access their email account from literally any computer in the world, accessing email from the employee’s personal device is of little consequence. The company already has internal security measures in place to protect the access of email on the Webmail server (through, among other things, the use of an https:// address).
Security is of greater concern, however, where the employee seeks to “tap in” to an employer’s exchange or other internal server. If not blocked, that access is easy for the employee, with even the iPhone or Droid default email program allowing access to the exchange server with just the simple input of the employee’s username and password.
Companies that elect to allow their employees to access exchange servers or other databases which house sensitive or confidential information should consider requiring those employees to download a program or application onto their device which gives the IT department the ability to monitor the employee’s use of the server and “wipe” the device should it become lost or compromised. Of course, employees may be more reluctant to allow their IT departments access to their personal devices, the same ones on which they store photos of their children, their favorite music, and applications which access personal Facebook or Twitter accounts. For personal devices, employees obviously have a greater expectation of privacy than the work-issued laptop that they might also use for personal reasons.
Marisa Viveros, a VP for Security at IBM, recently outlined the following practical steps a company and its employees can take right now to protect their work and personal data:
- Make sure you protect access to your device with a password or PIN to keep intruders out if the device is lost or stolen.
- Only download applications from well-known, trusted sites.
- Make sure you install system updates and run anti-malware as prompted.
- Back up your data on a regular basis.
- Have the ability to track your phone and remotely wipe all its data if it is stolen. You can easily find an app that will allow you to do this.
Finally, an employer who wants to err on the side of extreme caution when it comes to protecting its confidential information (including trade secrets) should either: (a) not allow employees to use personal devices for work purposes at all; or (b) require those employees to install on whatever security measures are necessary to protect the information on those personal devices. Its employees might not be happy about being given such an ultimatum, but those employers should also be prepared to offer a work-issued device to the employee if they are expected to be “available” after 5:00 p.m. If you don’t want your employees using their personal devices to access the email exchange server, then you may have no choice but to give them (and pay for a data plan for) a Blackberry or comparable device.
As they have in the past, employers and employees will eventually figure out how to balance the competing concerns of convenience and security and shape a policy that best fits that company. In the meantime, there will invariably be bumps along the road as they figure out how best to integrate these technological issues into the workplace. (A special shout-out to my colleague Phil Eckenrode, a vocal member of the BYOD community, for his hard work and assistance with this post.)