BYOD Bring Your Own Device Personal Devices in a Corporate World

Transcription

1 A Member of OneBeacon Insurance Group BYOD Bring Your Own Device Personal Devices in a Corporate World Author: Elizabeth Marazzo, Risk Control Specialist Published: July 2014 Executive Summary What, Why and How? Bring Your Own Device or BYOD is quickly becoming a workplace technology trend Essentially, BYOD is the policy of allowing employees to bring their personally owned devices such as smartphones, laptops and tablets to work and using these devices to access private company information, systems and applications Wait, hold on; what happened to the fear of virus intrusions because of the apps sitting on your mobile device or fear from unsecured devices? Yes, times are changing and today, this practice is not only okay, but it s gaining traction and introducing a new set of risks Although the term BYOD was not fully recognized until 2011, its origins can be traced to 2009 at Intel, when it recognized an increasing number of employees bringing their own devices to work and connecting them to the corporate network 1 There is a lot of talk suggesting BYOD will be the next big shift in corporate computing And yet there is a lot of confusion about potential implications for the IT department How would data security be managed? Would IT be tasked with supporting every conceivable computing device? How would they keep track of personal devices and would this overtax the IT group? On the other side of the spectrum, organizations see this as an opportunity to increase employee productivity on devices they love, while reducing the company s mobile expenses Many organizations are implementing a BYOD policy with varying approaches and varying results Some companies with BYOD models require employees to cover all costs (purchase, monthly fees, etc), while others may partially reimburse employees Businesses that embrace a BYOD policy are seeing a reduction in their mobile expenses as mobile device costs become the employee s responsibility Organizations in the technology space are more likely to adopt a liberal BYOD strategy while those in healthcare, government, security and finance may take a conservative approach It is predicted that by 2017 half of the world s companies will implement BYOD programs and will no longer provide computing devices to employees, according to a recent Gartner report The report also predicted that about 15% of companies will never move to BYOD and about 40% will offer employees the choice of BYOD or company-provided devices 2 Research conducted by HDI in November 2013 indicated an increase in the implementation of BYOD programs for both tablets and mobile phones It also noted that organizations have implemented improved mobile device management systems with well-defined polices, and are better able to keep up with the pace of mobile device innovation This evidence reinforces overall industry maturing in support of mobile devices 3 1

2 Benefits Why has this phenomena gained traction? First and foremost are the personal and productivity benefits BYOD is fueled by users who expect total flexibility in managing their professional and personal business wherever they are, on their device of choice 4 Employee Satisfaction - Employees love their own devices and prefer to use them Furthermore, the familiarity with their device is likely to increase the employee s motivation and productivity levels One Device vs Two - For an employee, the BYOD process eliminates the need to carry both a corporate and personal mobile device, making day-to-day activities more manageable However, some employees may prefer to have strict boundaries between work and personal matters and are likely to maintain multiple devices Companies see a great benefit from this single-device approach as employees are always available Since their personal device is typically nearby, they are likely to respond more quickly to customer and corporate requests such as s, texts and social media feeds Cutting- Edge Devices - Since BYOD devices are personal resources, they tend to be more cutting edge, so the company gains the benefit of the latest features and capabilities, without having to pay for these upgrades Employees also tend to upgrade their personal devices to the latest hardware more frequently than most organizations Risks Unfortunately, not all that glitters is gold A recent survey by InformationWeek yielded some startling statistics regarding BYOD matters: 5 7% of BYOD environments do not have password-based access control, simply relying on the company s BYOD policy Only 53% require password lengths greater than four characters for primary access on the mobile devices 2

3 42% do not scan personal devices for malware 45% have had a mobile device where enterprise data came up missing in the past year 13% do not require encryption on devices containing enterprise data 28% stated they were not subject to data protection regulations (eg, SOX, HIPAA, PCI and State-based), even though they likely were 68% support BYOD but only 39% currently have a mobile device management or MDM solution There are several risks and challenges that must be addressed before an organization implements BYOD Data Security - security on the device may be compromised from infected data, attachments or apps, which can possibly lead to infections or attacks on the rest of the corporate network With the increased use of smartphones, cybercrime has also gone up 6 Some of the data on the phone could seriously compromise the company s security if that information fell into the wrong hands Passwords stored inappropriately on the mobile device, or a device with weak password could give a hacker or criminal direct access to the company s corporate systems e-discovery - This refers to an employer s legal obligation to access and present critical data in the event of pending litigation The data may reside on either the corporate or personal device Attempting to access its corporate data on an employee s personal device may result in additional legal obstacles due to the employee s privacy rights A recent federal case Lazette v Kulmatycki, (June 5, 2013 in the northern district of Ohio), the US District court denied a motion to dismiss the plaintiff s complaint for invasion of privacy In this case, the former employee, who was allowed to use the company-issued mobile device for personal , alleged that after her employment ended her supervisor accessed 48,000 messages and shared some personal information with third parties The court found that a company s search of private employee data on a mobile device violated the Stored Communications Act because such a search was unauthorized even though in this case, the device was owned by the company 7 BYOD presents four primary challenges for e-discovery 8 : Access and control of data and the device since the company does not own or physically control the devices There are multiple categories of data to consider, such as personal and corporate, which are stored in the same environment Data may reside in various locations and it is possible that critical corporate data exists solely on the personal device The employer may find it difficult to safeguard and retrieve the data from personal devices Personal Injury - What if an employee files for a claim such as repetitive motion associated with using their own mobile device; is this compensable? There have already been a few such cases where employees have filed a claim that resulted from the use of their personal devices 9 In a regular work environment, employers can manage their cost and risk through workplace safety training, providing ergonomically designed equipment, etc But what if the employee gets BlackBerry thumbs from their own device? Can they take action against their employer? Who is responsible? How much of this stems from personal versus corporate use of the same device? Data Corruption and Deletion - BYOD devices can include laptops, netbooks and ultrabooks in addition to smartphones and tablets These devices need to be updated to meet company s network security requirements, such as software patches and revisions Imagine if the employee is working on an important personal project the great American novel and it ends up being 3

4 deleted or becomes inaccessible due to a company required software update or patch Can the employee take legal actions against his employer for this information loss? What recourse does the employee have, if any? Device Sharing - An employee could be sharing the device with someone else, such as a spouse or child Due to multiple users, they could inadvertently violate corporate policies or procedures regarding apps or sites that can be loaded, used and viewed on the device They may also establish insecure but easy to remember passwords on the device This could result in potential issues, including corporate data loss or security breaches There is also a potential for third-party legal liability against the company if there is loss of data that is owned by the spouse or person sharing the employee s device An example would be a spouse who used the personal device to photograph an important one-time life event The company, in the course of routine device management, deletes the photos, which are the only copies How does the company protect itself against claims from the third-party since the company does not have any policy or contract with that individual? Revoked or Lost Devices - What happens when an employee sells or recycles a device after an upgrade, or their device is stolen or lost? Or what if an employee is terminated or leaves the company? The mobile device contains company information but employees clearly retain their own personal device Unless the company has a policy in place, this presents potential data breach exposures Compensation Issues - The BYOD program makes it easier for employees to work outside of normal working hours thus presenting some issues under the Fair Labor Standards Act (FLSA) FLSA requires employers to pay non-exempt employees at least minimum wage for all compensable time worked, and to further pay these employees overtime pay for hours worked in excess of 40 hours a week Generally, compensable time includes work performed for an employer such as responding to s, time spent on tablets, smartphones and laptops to complete a project, etc This may constitute compensable time for FLSA purposes which, if not paid, can lead to liability Employers who allow non-exempt employees to participate in the BYOD program can minimize this risk by incorporating timekeeping policies in their BYOD program to limit and capture time spent outside of the office or normal business hours and state that employees are expected to report all time worked 10 Is BYOD the way to go for your company? Adopting BYOD is a company-specific decision that must align with the balance of the corporate culture and practices Some organizations may thrive while others may see it is as a detriment A survey conducted by Logicalis concluded that employees in high-growth markets are not only willing but embrace the possibility of having constant access to work data and applications even when outside of normal business hours These employees demonstrate a willingness to do whatever it takes and work whatever hours are required in order to advance their careers To date, BYOD adoption is most common in companies with revenues between $500 million and $5 billion, but with geographic differences, according to Gartner The highest rate of adoption is in India, China and Brazil, with US adopting at twice the European level 11 If you are thinking of implementing BYOD, here are some questions you need to consider Is mobile access a must? What are the goals and benefits of BYOD? (Improved productivity? Better business processes?) Which group of your workforce needs mobile access? Which data or systems will employees need to access via BYOD? 4

5 What sensitivities are there around these systems and data? Are there any other benefits BYOD can offer for your organization? Have you done a full risk assessment including assessing the legal issues? Will BYOD require the company to establish new HR policies? BYOD Management If your organization decides to implement BYOD, risks will need to be managed effectively, including employee privacy Adoption requires striking a balance between the company s right to monitor, access, review, data-wipe, and disclose company information and the employee s expectation of privacy and safeguarding of personal data Historically, devices resided within the corporate network and were trustworthy Now with personal mobile devices and an ever-increasing number of malware and hackers, security and management concerns are at the top on the list How can we trust and ensure that these mobile devices will behave within the corporate network? Luckily we can counter these risks Mobile Security Expert Designate a specialist who educates users on social and behavioral security risks, sets appropriate use policy and helps develop strategies for mobile security and risk mitigation, mobile data protection, mobile OS platform review and, mobile application threat management 12 BYOD Policy & Procedures - Document and publicize a BYOD policy According to a recent study, 571% of full-time employees partake in some form of BYOD, but only 20% have been asked to read and acknowledge a BYOD policy Another study found that 78% of firms that moved to BYOD do not have a policy at all 13 Without a policy in place, organizations cannot exercise control over the fine line between corporate and personal use, and adequately protect both parties Remember, BYOD policies are somewhat complex and require collaboration between HR, Legal and IT functions Access Control Consider the use of strong and robust passwords to access and log on to both the device and the network The security system should clearly establish the identity of the user and device accessing the network, with a defined policy governing access levels and data that can be accessed and saved or transferred Lastly, the system should be able to maintain logs on who accessed the system, when they logged on and the type of data that was viewed and transferred Malware and Antivirus - There are some effective technologies available to protect corporate data and keep malware off the company network Anti-malware software is available and should be installed on personal devices to protect them against the very latest viruses, Trojans, spyware, worms, bots and other malicious code Other types of software will also include anti-spam technologies to filter unwanted calls and texts on the mobile device Another feature to consider is anti-phishing tools and policies to help prevent inadvertent visits to fraudulent websites that may try to steal information Geofencing - Some companies have also put into place geofencing, which creates a virtual perimeter or boundary that will let employees use and/or play games but just not during company time This can also prevent employees from downloading high definition videos on their tablets that could clog up the company network MDM or Mobile Device Management With the variety of personal devices available, it may not be practical to manage these through internal IT Consider software tools to manage mobile devices through a variety of vendors such as Airwatch, MobileIron, Citrix, Good Technology, IBM and others These companies provide services and solutions that will help facilitate controlling these risks These companies can deploy security agents onto each device; implement security policies 5

6 on the devices, separate personal and corporate data and also enable selective wiping of corporate data without deleting the employee s data They can also enable encryption on the devices, as well as protect data when a device is lost or stolen Encryption is an excellent method for ensuring that any information or data stored on a mobile device is useless to thieves Conclusion Regardless of whether you are already taking advantage of the BYOD trend or you re simply thinking about it, make sure that you are fully aware of the risks and that you thoughtfully address any potential issues Security, risk management, remediation and policy development should be considered before setting up a BYOD program Once implemented, be certain to communicate the new policy and enforce available risk mitigation steps This up-front investment will ensure that mobile expense savings can be fully realized along with a productive, appreciative workforce This thoroughness will enable making BYOD a competitive advantage Contact Us To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, EVP of OneBeacon Technology Insurance at ltakata@onebeacontechcom or References 1 Mobile: Learn from Intel s CISO on securing employee-owned devices Accessed April Kanaracus, Chris (May 1, 2013) Half of companies will require BYOD by 2017, Gartner Says IDG News Service Accessed April gartner-sayshtml 3 HDI Research Brief, Mobile Device Support and BYOD: Where Are We Now? Written by Jenny Rains, Senior Research Analyst 4 The ultimate guide to BYOD Mobile Iron, Access April BYOD%5B5%5Dpdf?mkt_tok=3RkMMJWWfF9wsRovuK%2FNZKXonjHpfsX86%2BssUaWg 38431UFwdcjKPmjr1YQCT8N0aPyQAgobGp5I5FEITrnYU6lot6IJXg%3D%3D, page 3 5 Cohodas, Marilyn (February 3, 2014) Infographic: Mobile security run amok InformationWeek: DarkReading Accessed April Gilmore, Georgina & Beardmore, Peter (2013) Mobile security and BYOD for dummies Accessed April 2014 Page 15 & 16 s/august2013/21-byod-dummiespdf 7 BYOD: balancing employee privacy concerns against employer security needs 8 Watson, Steve (June ) Successful ediscovery in a BYOD environment Intel Whitepaper Accessed April

7 9 Casey, Kevin (November 19, 2012) 6 risks your BYOD policy must address InformationWeek Accessed April risks-your-byod-policy-must-address/d/d-id/ ? Ibid 2 12 Ibid 4, page 9 13 Gabriel, Chris (January 21, 2013) No BYOD policy, time to grasp the nettle CxUnplugged Accessed April