Adrian Briscoe takes a look at some of the risks associated with employees bringing their own devices to work, and how to mitigate those risks.
Imagine a situation where a regulator knows exactly what information concerning your business relationships with suppliers, customers and competitors is on your employee's iPad, but you do not.
Not a risk for you? Then imagine a situation where confidential or sensitive business information is leaked because it exists on an employee-owned device and that device is stolen or left on a train. If you allow employees to use their own devices for work, it could happen today or next week. Your information could be leaking right now.
If not now, these are exactly the situations that are likely to face businesses more often in the next five years unless steps are taken to actively manage BYOD (Bring Your Own Device) policies for the benefit existing information governance frameworks.
BYOD is a concept that most companies will recognise as a feature of their business, to some extent, whether officially endorsed or not.
Let's face facts: BYOD is not new. For many years, individuals have been finding simple ways of enhancing their own productivity by using personal devices for business purposes. For example, if businesses do not prohibit or limit the use of personal USB memory sticks, they will be used. The same was true of floppy disks 15 years ago. If businesses do not issue company smart phones, then personal smart phones will be used to varying degrees. The next time you make a journey during rush hour, try counting the number of tablets you see; it is naive to assume that they are used solely for playing games!
Our business behaviours are evolving at a rate that would make Darwin proud. To stay ahead of your competitors requires that business processes are carried out faster and more flexibly than before. For this purpose, BYOD assists more than capably. However, for individuals, reputation takes a lot of personal investment to build (time, knowledge, money) and mobile technology makes it easy to retain possession of knowledge assets, which could lead to disputes over ownership.
The point is that whether you love it (Novartis, like other leading corporations have created an App for use by employees) or hate it (IBM's CIO, Jeanette Horan said that BYOD is not saving any money), you have to enroll BYOD into your information governance strategy at every level, so that employees know the boundaries of reasonable use and employers have the means to access information held on employee-owned-devices (EODs) whenever they need it.
That information may be required for a multitude of reasons, but mostly we are concerned with the security of the information and the need to access it promptly, in order to properly investigate potential issues of liability (whether civil, criminal or regulatory).
We live in an age of compliance, where the number of regulatory investigations has grown significantly over the last 10 years.
This has also had the positive effect of encouraging businesses to conduct their own internal audits in order to foresee potential exposure to risk and to proactively embed a culture of compliance within their team.
All of these types of investigations rely on analysis of electronic communications. Emails are now not the only source of information and increasingly we hear about the discovery of text messages that are at best embarrassing and at worst incriminating.
One imagines it is not always practical for perpetrators of wrong-doing to hold clandestine meetings by a riverside in order to co-ordinate their activities.
Nevertheless, it is by now well known that email and text messages can be easily retrieved and analysed using forensic techniques (technology can read the metadata of an email and draw a map to help identify the virtual ‘X’ marking the most likely spot at which there may be evidence of collusion). So in order to evade detection, this means that employees who are conscious that they may be engaged in immoral or corrupt activity are more likely to use a variety of communications, such as second (or even third) mobile phones or SIM cards, instant messaging tools and social networking sites such as Linkedin or Facebook. Own devices are perfect for this sort of activity.
BYOD presents an opportunity for would-be information thieves and not in the ordinary sense. Cyber security attackers could target businesses with no formal BYOD policy. It has been known for attackers to drop USB data keys in company car park: If an employee inserts one into their computer, the software on the key can infect the machine with malware that can be used as the basis for attacking the company’s network and stored data.
Putting hi-tech crimes to one side, there is always the risk that an employee could be carrying highly sensitive data on their iPad and that the device could be lost or stolen. Aside from the loss of cherished photos and a temporary loss of contact with the outside world through Facebook, there is the serious issue that company data in the wrong hands could have serious repercussions, especially if it constitutes a data breach.
So how should companies prepare themselves for BYOD? If you are asked to consider creating or enhancing an existing BYOD policy, here are some things that you should know:
BYOD is probably happening anyway within your organisation, so there should be some rules to guide employees as to the extent of its permissible use. Even if you decide that BYOD is not allowed, you should have a policy which states exactly that and addresses the grey areas around use of personal devices for conducting business.
Ericsson recently predicted that mobile phones will outnumber people within five years. In their Traffic and Market Report (June 2012), they observed that “mobile subscriptions now total around 6.2 billion. However the actual number of subscribers is around 4.2 billion” suggesting that many people own (or at least use) more than one mobile device.
If a person is engaged in misconduct or conduct that could harm the reputation of their employer, they could be using their own devices in order to evade detection.
Inconspicuous devices such as iPods have enormous data storage capacity and have been used to steal information from business premises.
Information on business mobile telephones could be at risk if users are permitted to use alternative SIM cards on those devices.
The interaction of devices (i.e. the connection of a mobile device to a desktop PC or laptop) is traceable through the logs of the computer, meaning that records of device connections (detailing device types and serial numbers) can be audited.
In some jurisdictions you cannot easily interrogate an individual's information held on a company-owned device without consent. To examine a person's own device in this jurisdiction, without their consent or knowledge could result in a criminal prosecution under the Cybercrime Act.
Records management interests are increasingly contemplated by HR and employment law professionals to the extent that the development of technology is now reflected in some modern employment contracts.
The BYOD landscape is clearly a minefield of issues for legal counsel, IT and HR professionals to navigate. The task of drawing up an organisational policy is complex and should not be considered a one-off task; new products enter the market at a highly frequent rate and updates to local laws can have an impact on existing BYOD frameworks.
As a minimum it is suggested that the following components should be addressed in any BYOD policy:
Risk assessment. As a starting point, you should recognise that information, rather than the device is the critical issue in the BYOD debate. Therefore your risk assessment should begin by asking what information you are trying to protect and what information you would need to be able to access in any given situation. Organising your business information into clear and recognisable categories is essential to any document management policy, especially one related to BYOD.
Ownership of information. Consider who owns the information that may be held on an EOD and what rights you consider that the employer has to access it directly from the device.
Ownership / registration of assets. Since assets can be numerous and varied, it is a good idea to consider the extent to which only registered assets may be used. If an employee chooses to use a non-approved device, it may be possible to detect its use through monitoring and auditing of the registry of a computer’s hard drive (depending on the type device connected). This can be used to identify whether ‘foreign’ devices have been used and whether information has been copied to the device.
Right to audit devices. Make sure that the right to audit and access information is clearly understood between the employer and the employee. Finding that you are unable to examine an EOD could be highly problematic if the information is needed in a time-critical situation (such as to support a leniency application, or to prevent a fraud).
Data privacy and human rights. Using part of the memory of an EOD to store business information is going to be a problem because the remainder will contain personal and private information. Some of the measures that can be adopted to keep business information secure (below) could be helpful in keeping it separate from private information and centrally accessible.
Security of business information. For BYOD to work, employees must agree to some controls designed to safeguard the information stored on their devices. At a basic level, encryption can be used to prevent unauthorised access to information. However, the emergence of business-developed apps and cloud-type solutions, can be used to ensure that business information is only accessed through the EOD; never stored on it. If business information must be stored on an EOD, then businesses may consider the usefulness of applications to wipe the device remotely in the event of a potential data breach. The ongoing security of confidential information should also be protected post-termination of contract, prompting the inclusion of BYOD issues in HR exit procedures.
Sensible curfews to the permissible use of EODs should be issued. For instance, employees should know never to plug an unrecognised device into a business network computer. Similarly, it may be helpful to devise rules that govern the use of webmail from a home PC, or in an internet café.
In the age of heightened regulation and accountability, acquiescence is not an option. Whatever your BYOD policy looks like, you need to ensure that it is relevant, up to date and clearly communicated to all employees, with appropriate mechanisms to aid enforcement at critical times.
About the author
Adrian Briscoe is general manager – APAC, Kroll Ontrack