One of the biggest trends in business today can be summed up by an acronym that is (almost) completely familiar to anyone who has ever taken their own bottle of wine to a restaurant or house party. It’s BYOD, and it involves employees bringing not their own bottle but their own mobile devices to work and beyond, and using them to perform work functions or access company data.
A 2016 study by Tech Pro Research found that 59% of the organizations surveyed let employees use their personal devices for work purposes.
A study by Syntonic in the same year found an even higher acceptance of BYOD. It determined that 87% of companies depend on letting employees use mobile business apps from their personal smartphones.
Gartner sums up the trend as follows: “Bring Your Own Device: BYOD is here and you can’t stop it.”
BYOD has been shown to bring significant gains in employee productivity and morale. Of course, it is also the source of serious new vulnerabilities to organizations’ data and networks.
For the most part, handling these challenges will fall to your organization’s IT security department. They are the ones who will devise the necessary security policies, implement and monitor technology solutions, and react to any potential issues. Human Resources or other training departments may be involved in initial and ongoing policy training.
However, business continuity management professionals also have a role to play in helping their organizations adapt to the new world of BYOD. BCM leaders should be aware of the risks posed to their companies by the increasing use of personal devices at work. They can also serve as advocates within their organizations for the development of well-thought-out BYOD policies and their transmission to the staff through effective training initiatives.
The Dangers of BYOD
The dangers that go with the increasing use of employee-owned smartphones, laptops, and tablets for doing company tasks can be easily summed up:
- These devices greatly multiply the number of portals through which data that should remain secure within the company’s network can get out into the world.
- They also multiply the number of portals through which malware can come in from the outside world and infect the company’s network.
Furthermore, employee-owned devices used for work create vulnerabilities never encountered in the days of the thirty-pound desktop computer that never left the office. To name a few:
- They are highly varied as to make, model, and software.
- They are outside the company’s control.
- They get carried all over the place.
- They are used by the employees and their families to do all sorts of things besides work.
So, yes, the dangers are significant—and they are increasing as employer acceptance of the use of personal devices for work increases.
MHA Consulting looks closely into BYOD security programs and policies as part of each risk management assessment we perform for our clients. Contact us to learn more.
What You Can Do
What can you as a conscientious BCM professional do to help your program and organization adapt to this new environment?
First, educate yourself about the risks that BYOD poses. Since you’re reading this, you’re already working on that, so nice job and keep up the good work.
Second, look for opportunities to reach out to your partners in IT security and network with them to find out what your company is doing in the area of BYOD security. And if necessary, remind them of the importance of developing policies covering the use of personal devices for work, and of conducting the training necessary to help employees understand and follow those policies.
What specifically might you talk about with your partners when the conversation turns to the topic of BYOD security?
Below is a cheat sheet of BYOD security conversation starters. Asking your IT colleagues about any or all of the following should help you get the ball rolling in talking with them about the issue:
- Authentication and password: Does your company require people to use a username and a strong password to log into their devices and business applications? What are the company’s policies regarding the use of two-factor authentication? On mobile devices, corporate applications should all be protected by two-factor authentication, especially those providing access to company or confidential data (financial information, HIPAA-regulated health information, PII, PCI cardholder data, etc.).
- Data security and encryption: Does your company have policies requiring that data stored on employee-owned devices be encrypted at the storage level? Does the company require the deactivation of auto-unlock or smart-unlock features on employee-owned devices? Ideally, the answer in each case will be yes.
- Antivirus software and mobile device management (MDM): Does the company make use of antivirus software for personal devices? What mobile device management (MDM) tools does the organization use, if any? Does the company have any means of tracking or wiping devices that go missing?
- Physical device security: Does the organization periodically remind people of the company’s interest in developing good practices to ensure the physical security of their devices?
- Training: What programs exist at your company to make sure that the policies on BYOD security that it adopts are known and followed by the employees?
- Data storage policies: Does your company have policies prohibiting the downloading of company documents onto local device storage? What about policies requiring or encouraging employees to periodically clear their caches, to remove temporary copies of viewed documents?
This is by no means a complete list of the issues companies need to consider as they grapple with the security challenges posed by the new world of BYOD. However, the topics listed above would make good starting points for conversations between your BCM program and your partners in IT and HR.
As mentioned in the beginning, policies and programs for ensuring the security of employee-owned mobile devices are more of an IT security issue than a business continuity one. From the standpoint of business continuity, it doesn’t really matter how a breach happens; the focus of the BC program is on helping the organization recover. However, the BC department can certainly play a role in ensuring that BYOD security is on the radar screens of the relevant departments within the organization.
Like the man said, an ounce of prevention is worth a pound of cure, and this is certainly true in the fast-changing new area of BYOD and employee-owned device security.
Note: This is Part 2 of our Corporate Security Awareness training series. Part 1 covers Wi-Fi security.