BYOD, or bring your own device, has become the new normal in the corporate workplace. But with this convenience comes impending security concerns for the business and data rights and privacy concerns for the user.
Although BYOD costs companies less, mobile devices are often used without proper security measures in place. This makes it difficult for employers to determine how much access employees should receive to company networks. The more access an employee has to company networks, the more opportunities there are for both their personal information and company data to become vulnerable. With BYOD becoming more prevalent in the workplace, it is vital that companies and employees understand the perks and security concerns associated with BYOD and take the necessary steps to ensure personal devices and company information are protected.
For the business:
Three looming concerns of BYOD that companies and employees should be addressing are privacy, lost or stolen devices, and overall maintenance:
- Privacy. Monitoring privately owned devices presents significant dilemmas for structuring a BYOD policy. If the company monitors too often or too much data, it can be seen as invading employee privacy, and in some jurisdictions even as breaking the law. Yet if the company does not exercise enough control, it places the company’s data at a huge risk. Balancing these two seemingly opposing interests is the single greatest challenge to successfully implementing a BYOD program.
- Lost or stolen devices. A personal device that contains confidential company information poses a huge security threat if it is lost or stolen, and begs the question: who is responsible for retrieving the device and/or data? What is the proper response to this sort of breach? It is your personal device, with both personal and company data, so should it be locked, tracked and retrieved, or completely wiped immediately? There is no clear or correct answer, which is why companies need a clear BYOD policy and culture of security that fits both parties’ needs.
- Maintenance and malware. Irregular device maintenance, missed software updates and uninformed app downloads can open the door to a slew of security vulnerabilities. Organizations have a hard enough time implementing their own software across the corporate network, let alone ensuring all employees are adhering to the required software updates from device operating systems and applications. With the breadth of different phones and tablets being used around the globe, it can be nearly impossible to keep track of employees’ security posture on their personal devices.
For the user:
BYOD programs give you the flexibility to choose the technology that comes most naturally and can help you be more effective at work. But how can you make sure your personal data is safe from prying eyes if your employer becomes involved in litigation or in the event of your departure or dismissal?
The short answer is: You can’t. However, you can increase your odds by managing a work device separate from your personal device.
Your company’s BYOD policy might require making personal data accessible in the event of litigation or leave. In many cases, your personal data won’t be relevant to the matter, and it won’t be produced or referenced. However, if it’s intermingled with work data on your device, it may become discoverable, meaning someone in your organization—or, even worse, an adverse party—will need to examine it in the course of searching for data that is relevant.
Although the safest way to protect data is completely separating personal and work data on different devices, if you choose to use one device for both purposes, you may want to ask your personal lawyer or your employer’s lawyer some questions—remembering, of course, that your company’s lawyer represents the company, not you.
- Know your company’s policies. It’s likely your organization has multiple policies in place regarding device security for you to review. It is your responsibility to read and understand them so you can comply holistically. Company policies extend beyond BYOD, so make sure you do your homework—and stay up to date on any changes to the policies over time. Your employer may have integrated a BYOD policy with their acceptable use policy. These policies aim to protect data, and complying with both will help you and your employer avoid security risks.
- Separate personal and company data. This is where having two devices can actually simplify your life. That said, if you must use only one device for both personal and work purposes, it is best to use separate applications for work and personal data. For example, using SMS exclusively for personal exchanges and something like Slack for work can make discovery of work data simpler—hopefully reducing the need to review your personal information.
- Understand how and when device wiping happens, if at all. Under certain circumstances, a device might be subject to data deletion—meaning your company can remotely wipe all data from your device. This is most common when a device is lost or stolen, and it ensures none of your information—personal or professional—lands in the wrong hands. Your device may also be subject to this process if you leave the company. You don’t want to be caught unaware of this process in a stressful situation—you’ll have enough to worry about when you’re taking off on a flight home from a conference and realize you left your phone on the seat back in the terminal. The added surprise of having all family photos wiped from your device will be aggravating. Look for answers to the following questions to ensure you’re fully aware of these practices before disaster strikes:
  - Is the data in my device subject to automatic or remote deletion?
  - What events trigger automatic deletion?
  - Is remote deletion part of the standard employee termination process?
  - Is my approval required for the remote deletion?
  - Is my personal data retained in case of automatic or remote wipe?
  - Am I entitled to any reimbursement for the loss of personal data?
- Be aware of your company’s mobile device management application. A growing number of organizations are using mobile device management (MDM) applications on their employees’ devices. These programs allow an administrator to control access to certain functions of an application on a smartphone, tablet, or computer. Additionally, MDM ensures that company protocol is followed and offers employees flexibility and security when bringing their own devices.
  If your device is subject to MDM governance, here are some things to consider:
  - You may be responsible for installing the application on your own device. Work closely with your IT team to ensure you’re setting it up properly.
  - Your company’s MDM application may be the method your employer uses to remotely wipe your device in the event it becomes compromised.
  - MDM applications may monitor your information—such as location data—as you’re using the device. This is another potential reason not to use an MDM-governed device for personal purposes.
Ultimately, the decision to bring your own device to work is one that places a lot of responsibility in your hands. Ensure your work and personal data are protected not just by following your company’s minimum requirements, but also by going the extra mile when it comes to device security.