At one time, people scoffed at the idea of a personal computer in every home. Today, we not only have high-speed Internet available in our homes, but we also connect to the Internet at will with a variety of mobile devices from wherever we happen to be.
With BYOD becoming widespread, it is important for businesses to be proactive about personal device risk management. Our hope is that this blog post will help companies chart a path for creating the most effective corporate policies and protections.
Why BYOD is a problem
How companies benefit from BYOD
Business thrives on increased productivity – getting more out of assets without increasing incremental costs. For most companies, their most valuable asset is their workforce, and finding a way to keep employees engaged after hours is an opportunity to increase productivity. BYOD facilitates anytime/anywhere connection with employees, encouraging them to keep in touch with communications from work and allowing them to access corporate data at any time.
Another truism is that companies that encourage teamwork and collaboration are more successful than those that do not. BYOD increases opportunities for teams to work together and communicate more clearly, without barriers of time zones or geography. Employees located around the globe are less constrained about communicating when they can ignore the eight-hour workday and reach out to their colleagues on personal devices.
The reduction in corporate cost is another big benefit of BYOD. A May 2013 report by Gartner puts the average cost of supplying mobile computing devices at $600 annually per employee, an expensive undertaking for mid-size and large employers. This more than offsets the estimated $100 to $300 in added costs for security or employee compensation under BYOD programs. While some corporations compensate some workers, at least partially, for the use of their personal device, many do not. Gartner reports that only about half of BYOD programs provide compensation, usually for the service plan rather than for the cost of the device. Only 2 percent cover all costs.
Finally, employee satisfaction, motivation and innovation are strongly linked to the ability to use their own devices. A 2012 Unisys report found that 44 percent of employees find a job offer more attractive if they know the use of their personal iPads is supported at work.
Between employee pressure and the benefits to corporations, many expect the use of BYOD to grow. Gartner predicts that by 2017, almost half of the world’s companies will no longer provide computing devices to employees, while another 40 percent will offer a choice of corporate or personal equipment. The report says the remaining 15 percent will never move to a BYOD model.
The potential dangers of BYOD
A free flow of information and round-the-clock connectivity benefits corporations in many ways, but BYOD is a mixed blessing. When corporations lack control of their data, the possibility that something will go wrong increases, as does the cost of addressing whatever has gone wrong.
For example, an employee who uses a personal tablet to work on company spreadsheets may lose the device (at just seven airports, 7,000 mobile devices were left behind during one 12-month period, according to Trustwave). The employee may upgrade to a different device without wiping clean the hard drive of the prior one, or share it with a spouse or friend who has no authorization to view the information. Among the problems this could cause:
• Businesses that are tightly regulated in terms of retaining data or keeping it private (particularly in the financial services and health care industries) are subject to fines, liability lawsuits and remediation costs when data security is breached, even if the breach occurs on an employee’s personally owned device.
• The incursion of hackers or spread of malware into the company’s database can come through public wi-fi connections used by an employee or infected applications that the employee downloads. Many employees are also lax about security, failing to update their operating systems or install effective anti-virus software on their personal devices.
• Trustwave reports that 90 percent of Android users have not updated their operating system and 37 percent have not activated their auto-lock feature. More than half of companies with a BYOD policy in place report they have experienced a mobile data breach, according to Trustwave.
• A Symantec survey found that over a 12-month period, 43 percent of organizations reported malware infections from mobile devices.
• The risk that an employee sitting at a desk using a computer mouse will develop a repetitive stress injury can be managed by ergonomic best practices. But what is the liability for a company if an employee files a workers' compensation claim based on an injury from the overuse of a personal device that is used for both work and pleasure? In 2012, InformationWeek reported two such claims had been made.
Other problems can occur when an employee no longer works for a company, either by voluntary or involuntary separation. The employee may forget to transfer data from the personal device to the corporate database before departing or may intentionally misuse information stored on a personal device after separation. The loss of control over their own information should be a major concern for corporations, especially those that are required by law to archive and retain information for a certain number of years.
In addition, a variety of legal complications can arise from BYOD, many of which can dramatically increase the cost of responding to lawsuits or government subpoenas. Discovery demands can be broad enough to include all devices used by employees, including their own, whether or not BYOD is allowed by corporate policy. Each device increases the amount of data to be reviewed, which drives legal bills higher.
Technology companies that provide services or products to their customers also may see increased exposure to risk when companies allow BYOD. If they provide security software that fails to block a virus or malware that infects the customer’s network through an employee’s personal device, they may face a claim for damages.
Finally, employees often are unaware of their own risk from using their personal devices. For instance, in the event of discovery demands connected to a lawsuit against their employer, all of their data – both work-related and personal – can be exposed to examination. They may also feel unduly constricted by corporate policies that forbid the downloading of unapproved applications on their personal devices, especially if they are receiving no or little compensation from the company to subsidize the cost of their device.
Strategies for managing risk
The most complete and effective defense against the risks of BYOD is to ban employee use of personal devices for work-related activities. However, abstinence can be a tough sell to employees, and non-compliance can be difficult to control. The smarter approach is to put a strong policy in place, educate employees about best practices and take actions that will manage the risk as much as possible.
1. Policy elements – A company’s BYOD policy may include what type of devices are allowed to be used, how employees may use devices to connect to corporate networks (such as always using a secured wi-fi connection) and what applications are approved for use, including both downloadable apps and cloud-based tools. It can also set expectations, such as the company making clear it has no responsibility for lost or damaged personal devices or employee injury from misuse of a personal device. In addition, it can restrict the type of data that can be transferred to personal devices, as well as set out protocols for data synchronization and backup. Finally, it can require employees to install the latest operating system updates, corporate-designated anti-virus software, encryption software and remote data wiping capability.
2. Employee training – Employees should receive training on best practices for data security. The goal is to have them not only understand all of the elements of the corporate BYOD policy but to also realize the exposure to risk and the consequences if they fail to take the prescribed precautions. For example, few employees are aware that 87 percent of mobile applications tested had one or more security flaws, according to Trustwave, including transmitting sensitive data automatically. When training is complete, employees should know how to access corporate data from their personal devices, which applications are risky and which are safe to use, how to separate work and private data on their devices, and what types of work activities are appropriate for BYOD.
3. Risk management – Striking a balance between restrictions to protect the corporate network and the flexibility that will allow employees to use personal devices productively is key. Types of personal devices and applications should be vetted for risk so that companies can make sound decisions about approved BYOD usage. Corporate network protection should be updated with personal device use in mind, including requiring a two-step process for authentication to access the corporate system that recognizes not just the device but also the person using it. Software tools should be in place that allow remote wiping of data, scanning for malware and data leakage, and archiving of corporate data.
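To make the device-and-person check in step 3 concrete, here is an added example (written for this post, not code from the original article or from any MDM or identity vendor) that evaluates a personal device's posture against the policy elements listed in step 1 (minimum OS version, encryption, auto-lock, remote wipe enrollment, approved apps) and then combines that with the user's status (active employee, second factor completed) before granting access. The policy thresholds, device records and user records are all constructed values chosen for illustration, not figures from the post.

```python
"""BYOD access decision: check the person and the device before allowing access.

Added example, not code from the original post. POLICY, the device records
and the user records below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed policy values; in practice these come from the company's
# mobile device management (MDM) and identity provider configuration.
POLICY = {
    "allowed_platforms": {"ios", "android"},
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
    "require_encryption": True,
    "require_auto_lock": True,
    "max_auto_lock_seconds": 300,
    "require_remote_wipe": True,
    "approved_apps": {"corp-mail", "corp-files", "corp-chat"},
}


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: Tuple[int, int]          # (major, minor) as reported by the device
    encrypted: bool                      # storage encryption enabled
    auto_lock_seconds: Optional[int]     # None means auto-lock is switched off
    remote_wipe_enrolled: bool           # company can wipe corporate data remotely
    installed_work_apps: Set[str] = field(default_factory=set)


@dataclass
class User:
    username: str
    mfa_verified: bool      # second authentication factor completed this session
    active_employee: bool   # separated employees lose access immediately


def evaluate_device(device: Device, policy=POLICY) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if device.platform not in policy["allowed_platforms"]:
        # Unknown platform: no version threshold exists, so stop here.
        violations.append(f"platform {device.platform!r} not allowed")
        return violations
    if device.os_version < policy["min_os_version"][device.platform]:
        violations.append("operating system below minimum version")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("storage encryption disabled")
    if policy["require_auto_lock"]:
        if device.auto_lock_seconds is None:
            violations.append("auto-lock disabled")
        elif device.auto_lock_seconds > policy["max_auto_lock_seconds"]:
            violations.append("auto-lock timeout too long")
    if policy["require_remote_wipe"] and not device.remote_wipe_enrolled:
        violations.append("not enrolled for remote wipe")
    unapproved = device.installed_work_apps - policy["approved_apps"]
    if unapproved:
        violations.append("unapproved work apps: " + ", ".join(sorted(unapproved)))
    return violations


def access_decision(user: User, device: Device, policy=POLICY) -> Tuple[bool, List[str]]:
    """Two-part check: the person (employment, MFA) and the device (posture).

    Returns (allowed, reasons). Every failed check is reported so the user
    and the help desk can see what must be fixed before access is granted.
    """
    reasons = []
    if not user.active_employee:
        reasons.append("user is not an active employee")
    if not user.mfa_verified:
        reasons.append("second authentication factor not completed")
    reasons.extend(evaluate_device(device, policy))
    return (not reasons, reasons)


# Constructed sample records (not real devices or people)
COMPLIANT_DEVICE = Device("dev-001", "ios", (17, 2), True, 120, True, {"corp-mail"})
STALE_DEVICE = Device("dev-002", "android", (11, 0), True, None, False,
                      {"corp-mail", "random-notes"})
ALICE = User("alice", mfa_verified=True, active_employee=True)
FORMER = User("bob", mfa_verified=True, active_employee=False)

if __name__ == "__main__":
    for user, device in [(ALICE, COMPLIANT_DEVICE), (ALICE, STALE_DEVICE),
                         (FORMER, COMPLIANT_DEVICE)]:
        allowed, reasons = access_decision(user, device)
        print(user.username, device.device_id, "ALLOW" if allowed else "DENY", reasons)
```

The decision is deliberately all-or-nothing: a device that fails any posture check is denied even when the user has completed the second factor, which is what makes the check recognise "not just the device but also the person." Reporting every violation at once, rather than the first one, keeps the help-desk cost of re-enrolling a stale device down.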
Protect your business financials
A Symantec survey found that the majority of companies believe the benefits of BYOD outweigh the risks – but the risks are real. More than half of the companies reported at least one mobile security incident over a 12-month period, including lost or stolen devices (60 percent), spam (60 percent), malware infections (43 percent), phishing attacks (40 percent) and exposure of confidential information (19 percent). Clearly, mitigating exposure to risk is critical.
One important tool is cyber security insurance. These specialized policies go beyond general corporate liability policies, offering specific coverage to address cyber exposures. The best policies include:
• Errors and Omissions. Coverage that protects a business that sells products and services to others when claims are made about their failure to block cyber intrusions.
• Data Breaches. Coverage that takes care of the cost of breach notification, public relations crisis management services, credit repair services, etc.
• Network Impairment. Coverage that addresses losses due to hacking, denial of service attacks and other forms of cybercrime.
Working closely with a knowledgeable insurance broker like Dmitriy Glazer at Paperless Insurance Services, Inc is the best way to identify the right cyber policy to cover the risks that a company faces.
An evolving world
As mobile devices continue to develop and adoption of BYOD becomes even more prevalent in the work world, new security features and capabilities are likely to emerge. In the meantime, businesses should assess the risk-versus-benefit status of BYOD in their corporate environment, adopt strong policies that protect them while encouraging employee productivity, and take steps to mitigate the inevitable risk that BYOD brings.
SOURCES
• Gartner research: http://www.pcworld.com/article/2036980/half-of-companies-will-require-byod-by-2017-gartner-says.html
• Harris Interactive survey: http://www.welivesecurity.com/2012/04/04/byod-infographic-for-security-not-a-pretty-picture/
• InformationWeek: http://www.informationweek.com/mobile/6-%20risks-your-byod-policy-must-address/d/d-id/1107451?page_number=2
• Legal risks: http://www.informationweek.com/smb/mobile/6-risks-your-byod-policy-must-address/240142320
• Osterman research: http://www.ostermanresearch.com/whitepapers/download179
• Trustwave graphic: https://www.trustwave.com/trustednews/2013/04/infographic-the-high-cost-byod#sthash.vpLp3nzr.dpbs
• Symantec survey: http://www.symantec.com/connect/blogs/survey-despite-security-incidents-byod-worth-risks