By: Maryssa Simpson
Bring Your Own Device (“BYOD”) refers to the practice of accessing work emails, files, and documents from personal smartphones, laptops, and tablets. BYOD raises data protection issues applicable to any industry. In an age where technology is highly personal, privacy and security are of utmost concern. Implementing a BYOD policy and educating employees on proper personal device protection should be a top security priority for any business.
According to a recent press release by Gartner, Inc., a global technology research and advisory company, half of all employers are expected to require their employees to supply their own devices for work by 2017.[1] Many of us already do. Cisco, a multinational networking company, recently conducted a study that found that 92% of full-time American workers use their personal smartphones for work purposes.[2] Widespread use of personal smartphones is prevalent even in industries handling highly sensitive and regulated data: banking at 83.3% and healthcare at 88.6%.
These numbers are not surprising. The surprise is how little employees know about how to protect sensitive information. The Cisco study reported that 40% of personal smartphone users in the workplace do not even have basic password protection, and 50% of these workers access unsecured WiFi networks. The Cisco study also states, “Interestingly, workers in the legal, healthcare, and banking professions don’t have markedly higher standards for smartphone security.”[3]
Some of the obvious concerns with the widespread use of portable devices include lost devices and hacking. However, more subtle issues to consider include increased visibility and clearer screens, which make it easier for someone else to read a personal device’s screen from a distance.
On June 25, 2013, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices.[4] The NIST guide highlights what should be businesses’ foremost priority: to develop and implement a BYOD policy. Although this document was developed for use by federal agencies, the general principles apply to anyone using a mobile device. The following recommendations can serve as a general guide to addressing security concerns inherent in personal device use.
Password Protection
In some industries, particularly the practice of law, password protection seems to be a given. However, it cannot be stressed enough that smartphones should always be password protected and, if possible, email access should not be automatic.
WiFi
Many employees are simply unaware of the risks associated with using unsecured WiFi networks. A wireless network is “unsecured” if you can access the internet through the network without entering a password or network key. For example, a “hotspot” is a wireless network that is open and available for the public to use. Hotspots can be found in restaurants, airports, coffee shops, bookstores, hotels, libraries, and just about any place where the public gathers. However, an unsecured wireless network puts your passwords and personal information, such as Social Security numbers or credit card information, at risk.
Cloud Storage
Employers need to explain to employees exactly what “cloud” storage means in terms of their work. Some employees may think this merely refers to the iCloud used by Mac and Apple owners to store iTunes content, photos, and applications. However, “the cloud” generally refers to websites such as Dropbox, Skybox, and Google Docs, which store documents online. Although it may seem harmless to an employee to store a work document online in order to work remotely, that document may then be available through an unsecured website. Employers should consider how best to manage this practice, particularly considering how many people work remotely from home or while traveling.
Corporate Profile
Each industry is going to have its own particular BYOD concerns. For example, doctors, other healthcare providers, and even their legal representatives may access patients’ confidential medical records and financial or insurance information via their personal smartphone or tablet remotely. Thus, for the health industry, HIPAA and other privacy regulations are obviously implicated. Each corporation should mold their policy to the type of information that employees may access on personal devices, keeping in mind the industry-specific regulations that deal with protected information.
E-discovery
Lawsuits typically result in parties seeking to discover relevant electronically-stored information. Allowing employees to use personal devices will broaden the universe of potentially discoverable information. As employers rely more on BYOD, e-discovery will become more difficult to manage. Thus, employers should plan ahead for the collection and preservation of work data that may be stored on personal devices.
Personal Privacy
Finally, employers should attempt to eliminate risk not only by being clear in their BYOD policies as to what is company data and what is personal, but also by educating employees as to the technical protection that is available for both types of data. For example, if password protection is advised in a BYOD policy but not explained, some employees may fail to use it properly. They may use too simple a password or not change it frequently. Additionally, technological advances or updates such as iOS 7 MDM could serve to limit exposure.[5] MDM, or Mobile Device Management, is the technology that companies use to try to segregate the corporate and the personal realms on mobile devices. This segregation “firewalls” the two realms, creating a technological line between what is personal and what is corporate. MDM allows employers to draw a clear line by requiring employees to use a certain application for work purposes. If employees are educated on technological innovations as they occur, they can take advantage of technology such as iOS 7, which offers greater privacy protection.
Smartphones, tablets, and personal laptops are here to stay. Employers and employees must work together to incorporate them into the workplace while preserving privacy and security.
[1] “Gartner Predicts by 2017, Half of Employers Will Require Employees to Supply Their Own Device for Work Purposes,” May 1, 2013, available at http://www.gartner.com/newsroom/id/2466615, last visited October 22, 2013.
[2] “BYOD Insights 2013: A Cisco Partner Network Study,” 11 pages, March 2013, available at http://www.ciscomcon.com/sw/swchannel/registration/internet/RegistrationConfirm.cfm?RID=5803JE4E404E76644068464460A040441&SWSESSIONID=694A11B78C10DF28ED540F8DD65FF076&SWCampaignID=, last visited October 22, 2013.
[3] Id. at page 9, “BYOD Insights 2013: A Cisco Partner Network Study.”
[4] National Institute of Standards and Technology Special Publication 800-124 Revision 1, “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” 29 Pages (June 2013).
[5] Joshua B. Konvisser, “Too Much of A Good Thing? Mind the Privacy Implications of iOS 7's New MDM Capabilities in Your BYOD Workforce,” September 20, 2013, available at http://www.jdsupra.com/legalnews/too-much-of-a-good-thing-mind-the-priva-86208/, last visited October 22, 2013.