Bring your own device (BYOD) and virtual environments are on a steady rise across the globe. BYOD policy adoption rates alone are estimated to be in the 40%-70% range. This growth is mainly attributed to the rise of smartphones and consumer electronics such as tablets and notebooks. This is great for employees and productivity, but it also creates a whole new realm of risk. Three of the main risks associated with BYOD policies are lost devices, personal and private use, and end of life.
Loss and Theft
$30 billion worth of mobile phones were lost in the U.S. last year. Think about that. Only looking at mobile phones in the U.S., $30 billion was lost. Imagine that figure around the world, then add other devices like tablets and laptops. Then consider that lost (or stolen) devices that come from a work environment will more than likely have access to, or contain, sensitive data. This also happens to be a segment of the policy that is often overlooked, given all of the other aspects to look at. There are a few solutions to this, such as GPS tracking and remote wiping software/apps. The problem with these is the turnaround time from the device going missing to the location/wiping of it. This time frame could be anywhere from 2-8 hours, which is more than enough time for sensitive data to be accessed and potentially exposed. The most effective tool here at the moment is encryption, but even that may not be enough in some instances.
Personal vs. Private
Employees who provide their own devices are going to expect to be able to use them for work and for their own pleasure. This really is the core concept of BYOD: limiting yourself to one device that will serve multiple purposes, personally and professionally. While this poses many risks pertaining to mobile security, it is a must. There are many factors to consider here. Since malware apps are becoming more and more common, it is important to know which apps can be downloaded and which cannot, and how to monitor and safeguard against that. IT must also take into consideration how to handle uninstalling company apps and data for employees no longer with the company. You can’t just wipe the phone and all of its contents; this would result in loss of personal contacts, calendars, apps, and more. We will discuss this more in the next sections.
As mentioned previously, data on the device must be managed and erased after an employee has left the company. The data on the device is sensitive and could be costly if exposed, or could be used by others to compete (depending on the nature of the employee). It is critical that the employer create a thorough exit procedure that is strictly followed to ensure no security lapses in their BYOD policy. This procedure will not only reduce the chances of information staying on the device past the employee's time with the company, but it also shows that reasonable steps were taken to maintain the confidentiality of the company’s sensitive data.
A granular approach to BYOD policy enforcement is key. Small expenditures of time and money to very specific sections of the policy will do a great deal in protecting a company’s sensitive data from being exposed.