How will your organization counter the inevitable friction resulting from securing personally-owned devices?
There’s a great trend in business today for employees to ask – sometimes demand – to use personal equipment for their work, and to have that equipment connect to company networks.
But, as convenient as BYOD (bring your own device) policies might be, they pose many issues for organizations that can’t be ignored. For example:
- How can the device’s security be brought to an adequate level? In some cases, this involves the installation of specific software that will ensure that email, for example, is encrypted both in transmission and in storage. The device can also be password protected, with an automatic time-out requiring re-entry of the password.
- Will the device present an issue in regard to electronic discovery? What is the likelihood that a file written on the device may not exist elsewhere? Will these devices become subject to electronic discovery orders or litigation hold notices?
- What degree of access will the owner of the device permit the company to have? Full access is essential in the event of an incident where the company has to investigate (for example, to determine whether a reportable data breach has occurred). Will the owner permit a remote data destruction capability? Will they protest repetitive password entry requirements? Will they willingly give up their machines where content is subject to a discovery request or court order?
Collectively, we think of these issues as “SSED” (Securing Someone Else’s Device).
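The controls listed above (encrypted storage and mail, a passcode, an inactivity time-out, and owner consent to remote wipe) are the kind of minimum baseline an organization has to check before a personal device is allowed on the network. The following is an added illustration, not code from the original article: a small compliance evaluator over constructed device inventory records. The record fields, control names and policy thresholds are assumptions chosen for the example; a real deployment would read them from its MDM/UEM inventory export and its own written policy.

```python
"""Evaluate personally-owned devices against a BYOD minimum-security baseline.

Added example (not from the original article). Field names, thresholds and
the sample devices are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BaselinePolicy:
    """Minimum the company 'can live with' before a personal device connects."""
    min_passcode_length: int = 6
    max_autolock_seconds: int = 300        # inactivity before the passcode is required again
    require_storage_encryption: bool = True
    require_managed_mail: bool = True      # mail client that encrypts in transit and at rest
    require_remote_wipe_consent: bool = True


@dataclass(frozen=True)
class DeviceRecord:
    """One row of an (assumed) inventory export for a personally-owned device."""
    device_id: str
    owner: str
    passcode_length: int
    autolock_seconds: Optional[int]       # None means the owner disabled auto-lock
    storage_encrypted: bool
    managed_mail_client: bool
    remote_wipe_consented: bool


DEFAULT_POLICY = BaselinePolicy()


def evaluate(device: DeviceRecord, policy: BaselinePolicy = DEFAULT_POLICY) -> List[str]:
    """Return the names of failed controls; an empty list means the device is compliant."""
    failures: List[str] = []
    if device.passcode_length < policy.min_passcode_length:
        failures.append("passcode_too_short")
    # A disabled timer counts as a failure just like an over-long one: both let an
    # unattended device stay unlocked, which is the bypass the article describes.
    if device.autolock_seconds is None or device.autolock_seconds > policy.max_autolock_seconds:
        failures.append("autolock_disabled_or_too_long")
    if policy.require_storage_encryption and not device.storage_encrypted:
        failures.append("storage_not_encrypted")
    if policy.require_managed_mail and not device.managed_mail_client:
        failures.append("mail_not_managed")
    if policy.require_remote_wipe_consent and not device.remote_wipe_consented:
        failures.append("remote_wipe_not_consented")
    return failures


def access_decision(device: DeviceRecord, policy: BaselinePolicy = DEFAULT_POLICY) -> str:
    """Map the result onto an either-or outcome: connect the personal device, or
    offer a company-owned and company-controlled device instead."""
    return "allow" if not evaluate(device, policy) else "offer_corporate_device"


# Constructed sample inventory: one compliant device, one with the auto-lock
# timer bypassed and an unmanaged mail client, one whose owner refused remote wipe.
SAMPLE_DEVICES = [
    DeviceRecord("dev-001", "a.user", 6, 120, True, True, True),
    DeviceRecord("dev-002", "b.user", 8, None, True, False, True),
    DeviceRecord("dev-003", "c.user", 4, 300, False, True, False),
]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        failed = evaluate(dev)
        print(f"{dev.device_id} ({dev.owner}): {access_decision(dev)}"
              + (f" -> failed: {', '.join(failed)}" if failed else ""))
```

The evaluator deliberately treats a disabled auto-lock the same as an over-long one, and reports every failed control rather than stopping at the first, so the report can be handed to the owner as the concrete list of what would have to change for the device to be admitted.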
Friction points are inevitable. I’ve seen evidence of people trying to bypass automatic log-out timers. I’ve seen refusals to sign an agreement covering e-discovery or compliance with subpoenas delivered to the organization, and dissatisfaction with requirements to use specific e-mail software.
Some of these objections are unreasonable and would place the company at significant risk. For example, failure to comply with e-discovery rules can subject the company to significant penalties (from fines to outright loss of a lawsuit). Others are more understandable.
The possible solution to this seems to lie in two directions.
First, mobile device manufacturers will evolve their software and hardware to be more compatible with company needs. Through more effective encryption, device management and security-enabled add-on software, it should be easier to meet the needs of both the individual and the company. Given the growing threat to mobile devices, we think users are going to demand increased security for new devices, which should serve to lessen the tension between BYOD and SSED.
Second, I’ve seen a number of companies offer an either-or solution. If you permit certain levels of access and control over your own device, you can have it on the network. If not, the company offers an alternative device that remains company-owned and controlled. This recognizes that there is a level of security and legal protection that the company can’t and won’t cross.
For now, there is a dynamic tension between the desire of individuals to use their own devices on corporate networks and the need of the company to secure and control the organization’s data.
While I believe it will evolve into more of a mutual understanding, at present, companies have to determine the minimum they can live with, recognizing the need to re-evaluate their position regularly.