Just when Information Technology organizations have begun addressing the risks associated with a distributed computing environment and mobile work force, the workplace decides to bring non-standard and unsupported devices to the party. Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data.
Forrester’s study of US information workers revealed that 37% are doing something with technology before formal permissions or policies are instituted. Further, a Gartner CIO survey determined that 80% of employees will be eligible to use their own equipment with employee data on board by 2016. Twenty-five percent of employed adults are now using their own smartphones to access and/or store company information, according to a new survey by ESET. The same is true for 41% of personal laptops and 47% of personal desktop PCs, and 10% of tablets.
Bringing your own device to work should make organizations rejoice by realizing a decrease in technology expenditures and increases in productivity. However, new technology practices, left un-managed or not well designed, could mean substantial risk to the organization resulting in data breaches. For example, halfway through a flight, a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal. Maybe there's a compelling reason to get that app, but is there a security context in place whereby this activity will not cause security repercussions, especially when they are connecting the device to the company network. Beyond that, are basic measures in place to protect the data on the device if the device is lost and falls into the wrong hands?
Encryption of company data is occurring on only one-third of BYOD phones, tablets, and PCs. Auto-locking with password protection is enabled by less than half of all laptop users, less than one-third of smartphone users, and one-tenth of all tablet users. Incidents of mobile malware are skyrocketing, especially on Android OS. Users have been known to download fraudulent apps masquerading as legitimate ones, which are laden with malware. Trojans embedded into SMS messages are also an emerging threat.
To safeguard company data as well as other users on the network, businesses need to both develop and enforce policies around encryption, auto-locking and password authentication, and anti-malware software for mobile devices. These policies must be created early in the BYOD design. These policies affect more than just IT; they have implications for HR, legal, and security—any part of the business that uses mobile devices in the name of productivity.
A poorly designed BYOD program could result in risks to IT service levels from overburdening IT with support issues and enrollment activities. BYOD should not cause a huge influx of support calls from users to the help desk. Your BYOD program should be well thought-out prior to being rolled-out and leverage technology that allows for a simple, low-touch way for users to enroll their device and maximize efficiency for both IT and business users alike. The process should be simple and secure. Personal information like birthday party photos or personal finances should be isolated from productivity apps. Simply stated, corporate apps, documents, and other materials must be protected by IT if the employee decides to leave the organization, but personal email, apps, and photos should be untouched by corporate IT.
If BYOD is something your organization is considering, contact Eric Wright at Schneider Downs to discuss the potential risks and development of a successful implementation plan that meets the needs of your organization.
© 2012 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.