BYOD Security Risks and How to Maintain Security Compliance
Millennial employees increasingly insist on bringing their own devices to the workplace. Despite the promised rewards, business organizations tend to hesitate to allow employee-owned devices to connect to the corporate IT infrastructure to access mission-critical business information, because of the inherent security risks. However, a solid BYOD policy can make use of employee-owned devices to increase productivity without compromising IT security. The BYOD policy should cover these five common issues.
Stolen or Lost Devices
Mobile device owners and business organizations that fail to implement robust IT security and device management protocols risk unrestricted access to sensitive business information when a device is stolen or lost. A robust company security policy covers this issue by establishing geo-specific device management controls that prevent access from devices that are not physically at the workplace. For authorized employees securely connecting devices from outside the workplace, inadequate authentication systems and anomaly detection protocols increase the security risks of BYOD practices.
Third-Party Apps and Data Tracking
Mobile devices often use third-party apps that access corporate data without the knowledge or approval of employees and IT departments. When combined with the increasing use of cloud applications to store data, this can make data security a constantly shifting target. A BYOD security policy should include an approved list of third-party apps that employees can use to access the company’s data. A BYOD policy should account for privacy laws, cover best practices for accessing company data on a mobile device and implement tools that can track the access and editing of company files.
The Disgruntled Employee
If an employee retaliates by walking off with valuable data on a mobile device, the company may not realize it until the employee has already delivered the data to a competitor. Companies can address this by having employees sign an Acceptable Use Policy (AUP) that clarifies the ownership of data that is created or used as part of job duties and making sure that former employees can’t access sensitive cloud data on their devices once they leave the company. Companies can also take a more proactive approach to reduce the risk of an employee becoming disgruntled simply by paying attention to employee satisfaction, including addressing any workplace issues and complaints in a timely and fair manner.
Data Management and Compliance
When a breach occurs, the company must have the right to inspect any suspect personal device. This can cause a thorny legal issue if the BYOD policy does not clarify the rights of the company in compliance matters such as a breach investigation. The BYOD policy should also clarify when and how the company’s employees can access data on their mobile devices and encourage a proactive approach to preventing a breach in the first place.
Following this checklist should help companies remain security compliant while addressing security concerns that come with personally owned mobile devices:
- Compliance Standards and BYOD Policies: A BYOD policy should comply with privacy laws that may be stricter than local government compliance and privacy standards.
- Privacy Governance: Employees have an expectation of privacy when using their mobile devices, even while they’re at work. The exact legal requirements vary depending on geographic location. For instance, employers cannot require that employees use their personal cell phones for work purposes and this often results in a hybrid BYOD model. A BYOD policy should include clear expectations of how and when a device might be monitored.
- Data Collection: The BYOD policy must clearly state the reasons that employers might collect personal data from employee-owned devices. If employers contract with a third party to collect data from personal devices, that contract must include a data processing agreement that protects the data.
- Monitoring Limitations: Labor and privacy laws may limit a company’s ability to monitor and control the data that is delivered to personal devices. A poorly considered monitoring plan may catch an employee’s child watching a cartoon and not address more serious security concerns. Companies can address this issue by strictly limiting monitoring to company-related activities.
- Breach Investigation and Resolution: An active security breach may lead to concerns about privacy violations while the matter is being investigated. BYOD policies should clarify when, where and how a device may be inspected as part of a breach investigation.
- Data Ownership: Companies should include clear language regarding the ownership of data that employees access, create and edit on personal devices. The policy’s language should clarify the parties responsible for maintaining the data, including creating backups and making sure it remains accessible only to authorized parties.
When determining a BYOD policy, companies should consider the primary reasons that employees bring their devices to work and respect the need for convenience and privacy. A well-implemented BYOD policy can actually increase employee productivity and satisfaction while still maintaining the company’s need for data security.