Companies cannot stop employees from bringing their own devices to work. However, they should be well placed to define policies and guidelines on how these devices may be used (acceptable use policies), writes Ryan Rubin of consultancy Protiviti, and to provide solutions and support that let users work with the devices and corporate data in a safe and controlled manner.
Better awareness among employees and managers of the risks and the associated safeguards, whilst recognising the rewards of adopting these new technologies, is key. For high-risk individuals and the sensitive data they have access to, there is still a strong argument that the technology providing access to such data should remain under the control of the company. Where this technology sits will ultimately move from the hardware of the devices themselves to software which the company can manage more effectively, i.e. companies will be less worried about which device accesses corporate information and more about how, and by whom, this data is accessed.
Whilst companies will ultimately lose the ability to control their employees' choice of mobile devices in the workplace, there are still a number of risks that they will need to actively manage and address as the ownership shifts. Potential risk categories include: information security, employee data privacy, IT supportability, compatibility, legal implications, capacity of the IT organisation and unexpected costs.
Fundamentally, information held and processed on these devices remains the property of the company, and loss of sensitive information, whether intentional or not, could still have a major impact on the company's longer-term sustainability. Consider, for example, the loss of data that may be stored on these devices, including: the calendar of a company's chief executive, board papers or sensitive business plans read by senior management on their way home from work, contact details of customers and suppliers, corporate emails containing confidential information, and so on.
To manage these risks, companies need to clearly define policies and guidelines on how these devices should be used (acceptable use policies) and also provide innovative solutions that let users work with the devices and corporate data in a safe and controlled manner. Fortunately, a variety of tools are available in the marketplace to help bridge the gap, including anti-virus software, data encryption, automatic wipe functionality, secure web proxy solutions, location-based services and data expiry services.
The use of corporate devices such as BlackBerrys brought centralised control, security and management features, and consistency (for support purposes) to the organisation. As the device is owned by the company, it can mandate and enforce security policies and safeguards. Furthermore, the IT support organisation becomes familiar with how the devices fit into its overall architecture and support model. There is a clear mandate that the employee is using the device in support of their employment contract and that the device and all its data are owned and controlled by the company, except for personal data exclusions. Should an adverse event occur, such as the employee leaving or litigation, the company has the right to take hold of the device and the data stored on it and to destroy it appropriately. When device ownership shifts to the employee, these rights may be harder to enforce.
Companies need to replicate some of this control even if device ownership shifts. Consider the situation where an employee who has been using their own device leaves the company. How can the company ensure that all sensitive data has been appropriately removed? Moreover, how can the company ensure that appropriate safeguards are implemented and maintained on a device that it does not own? Fortunately, there are some solutions in the marketplace tackling these issues, including ones that replicate functionality BlackBerrys already have (such as the well-known remote wipe facility used when a BlackBerry is lost or stolen).
Some of the key advantages of BYO (bring your own device) in the workplace include:
a) Employees love the freedom to choose their own mobile devices and are less restricted by having to follow a corporate path.
b) Employees are able to get hold of the latest devices much sooner than waiting for them to be provided by the IT organisation.
c) New devices are very personal in nature, and employees are often happy to pay for and own the "latest" gadgets and "gizmos", something many companies do not have the luxury of offering on a regular basis.
d) There is a perception that IT costs will be driven down as users who bring in their own equipment are responsible for the maintenance, upkeep, support and final destruction of the equipment.
The challenges include:
a) Losing control over the myriad of IT that is brought into the workplace.
b) Managing the security risks that these devices bring into the organisation, e.g. the spread of viruses.
c) Cost savings may not be fully realised, as the IT organisation still becomes involved in supporting these devices in one way or another, and additional strain is put on existing infrastructure such as wireless networks, Internet bandwidth, the help desk, etc.
d) There has been an increase in rogue mobile applications that hackers have developed to target and exploit weaknesses through the mobile channel; it is another easy way of targeting a weak link in the enterprise, which is often the employees themselves.
e) Losing control over data that may be leaked out of the organisation, either through loss of devices or through services where mobile data may be stored.
f) Striking a delicate balance when imposing controls on personal devices in a similar way to how traditional IT has been managed (e.g. anti-virus controls) and when imposing good practices such as automatic wiping of devices if someone leaves the company: is it right for a company to automatically wipe an employee's device when they leave? Additionally, is it right for a company to install or mandate software on an employee-owned device, and what are the software licensing implications of this?
g) Predicting capacity and demand on IT services when new devices enter the enterprise, e.g. extra demands on bandwidth, allocation of IP addresses, etc.
h) Data privacy concerns, for example regarding e-discovery and litigation activities where employees have "contaminated" their devices with corporate data as well as personal data.
About Ryan Rubin
A director in Protiviti's London office, he leads Protiviti's Security and Privacy service offering and co-ordinates its European security, privacy and computer forensic services. He has 13 years' experience supervising and delivering information security consulting and assurance services. Earlier he worked at a Big Four audit firm for more than 10 years in its security and privacy practice.