Feb 07 2013

BYOD Security: Don't Let Your Company's Data Walk Out the Door

Whether you believe BYOD is good or bad for companies to adopt, the one thing you can’t afford to do is ignore it.

While the buzz around bring your own device (BYOD) is reaching a fever pitch now, it has been around since the first wireless-enabled smartphone hit the streets and wandered innocently into the office in someone’s pocket or bag.

This scenario is precisely the primary BYOD use case that every company faces today. According to Nielsen data, almost half of all phones in the U.S. are now smartphones, which means many workers will want to connect to the company wireless network.

Workers will also forward some of their company email to personal accounts so they can read it on the train or give it extra attention over the weekend, which sounds like a productivity win for the company.

But think about the security implications: Potentially sensitive company information gets transferred regularly to personal devices that do not have the levels of security or encryption that company-owned devices are set up with.

Then staff want to connect their smartphones to the company computer, just to charge the battery of course. The computer is likely to see the connected phone as a storage device, one that probably has over 8GB of space and a MicroSD slot for up to 64GB of additional storage.

While connecting a mobile device to the office computer to charge the battery might seem innocent, the potential for danger is great.
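The "just charging" scenario above is one a workstation can at least make visible: when a phone enumerates as USB mass storage, the operating system logs it. The following is an added example, not code from the original article, showing how a defender might sweep Linux kernel syslog output for mass-storage attachments and flag any device whose serial number is not on a company allowlist. The log lines, the hostname `ws17`, the serial numbers and the `ALLOWED_SERIALS` set are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed syslog excerpt (not a real capture). Three attachments on one
# workstation: a company-issued USB stick, a USB keyboard, and a phone that
# presents itself as USB mass storage.
SAMPLE_LOG = """\
Feb  7 09:12:01 ws17 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Feb  7 09:12:01 ws17 kernel: usb 1-1.2: New USB device found, idVendor=0951, idProduct=1666
Feb  7 09:12:01 ws17 kernel: usb 1-1.2: Product: DataTraveler 3.0
Feb  7 09:12:01 ws17 kernel: usb 1-1.2: SerialNumber: CORP-STICK-0001
Feb  7 09:12:01 ws17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Feb  7 09:30:44 ws17 kernel: usb 1-1.3: new low-speed USB device number 6 using xhci_hcd
Feb  7 09:30:44 ws17 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c
Feb  7 09:30:44 ws17 kernel: usb 1-1.3: Product: USB Keyboard
Feb  7 13:05:10 ws17 kernel: usb 1-1.4: new high-speed USB device number 7 using xhci_hcd
Feb  7 13:05:10 ws17 kernel: usb 1-1.4: New USB device found, idVendor=18d1, idProduct=4e22
Feb  7 13:05:10 ws17 kernel: usb 1-1.4: Product: Nexus S
Feb  7 13:05:10 ws17 kernel: usb 1-1.4: SerialNumber: 3A9F1C0B77E2
Feb  7 13:05:10 ws17 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of serial numbers for company-issued removable media.
ALLOWED_SERIALS: Set[str] = {"CORP-STICK-0001"}

# Kernel message patterns. The "port" is the USB topology path (e.g. 1-1.2);
# the usb-storage line appends an interface suffix (e.g. :1.0) that we strip.
RE_FOUND = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_PRODUCT = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
RE_SERIAL = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
RE_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vendor_id: str = ""
    product_id: str = ""
    product: str = ""
    serial: str = ""


@dataclass
class StorageEvent:
    timestamp: str
    device: UsbDevice
    allowed: bool


def find_mass_storage_events(log_text: str, allowed_serials: Set[str]) -> List[StorageEvent]:
    """Return one event per USB device that the usb-storage driver claimed.

    Devices that never reach the usb-storage line (keyboards, mice, phones in
    charge-only mode) are ignored; only mass-storage enumerations are reported.
    """
    devices: Dict[str, UsbDevice] = {}  # keyed by port; a port is reused over time
    events: List[StorageEvent] = []
    for line in log_text.splitlines():
        m = RE_FOUND.search(line)
        if m:
            # A new enumeration on this port starts a fresh record.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = RE_PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].product = m["name"]
            continue
        m = RE_SERIAL.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
            continue
        m = RE_STORAGE.search(line)
        if m:
            dev = devices.get(m["port"], UsbDevice(m["port"]))
            # Timestamp is the leading "Mon dd HH:MM:SS" field of the syslog line.
            events.append(StorageEvent(line[:15], dev, dev.serial in allowed_serials))
    return events


def unapproved_devices(events: List[StorageEvent]) -> List[StorageEvent]:
    """Filter to mass-storage attachments not on the allowlist."""
    return [e for e in events if not e.allowed]


if __name__ == "__main__":
    for e in unapproved_devices(find_mass_storage_events(SAMPLE_LOG, ALLOWED_SERIALS)):
        d = e.device
        print(f"{e.timestamp} port {d.port}: unapproved mass storage "
              f"{d.vendor_id}:{d.product_id} '{d.product}' serial={d.serial or '?'}")
```

Matching on the usb-storage line rather than on vendor IDs is deliberate: the point of the article's scenario is that an ordinary phone becomes a disk, so the detector keys on the driver that exposes block storage, whatever the device calls itself. Devices without a serial number are reported with the serial left blank, so they are never accidentally treated as approved.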

Since most of our employees are developers, it’s hard to stop them from working on code. When it comes to locking down access to code, we limit this to a few outside contractors who only have access to the repository code they are working on.

When it comes to client data, we have procedures and controls to protect our clients' data from accidental or malicious employee actions as follows:

  1. Our privacy policy and employee handbook forbid it and all customer support and other employees are informed about this verbally as part of their induction.

  2. Our employees do not have access to client data in our production box, unless they are permitted by their client contact to log into a client as part of their support, using an account and password provided by the client.

We even restrict "backdoor" database dump features, which are often used by developers to view client data.

Lastly, all data in transit is encrypted over HTTPS, so network sniffers should not be able to read it from the traffic.

BYOD with a Twist

An alternative version of BYOD is where the company actively allows BYOD, specifies what data can and cannot be transferred to and stored on those devices and may require that an app or two is installed to give the device some level of protection. They may also insist that devices used for work purposes are registered with the company’s mobile device management solution.

Controlled BYOD can bring a number of benefits that mostly revolve around productivity gains. But every company is subject to some form of data protection legislation, which makes company directors responsible for the security of the data they gather, including people’s personal information.

Furthermore, many industries have their own set of regulations, usually revolving around the control of financial information or other data. SOX, GLB, HIPAA, and many others are just a few of the acronym compliance beasts that have to be wrangled.

It is hard to see how allowing company data to move onto a device the company doesn’t own can be a good thing if it has any chance of falling under any of the regulations and laws the company is responsible for adhering to.

Worried yet? Don’t be.

A clear policy is the cornerstone of your BYOD strategy. Tools to enforce that policy and staff training to make sure they are aware of the policy are equally important in keeping company directors out of court.

But if you’re still worried, perhaps the best solution is to move to choose your own device (CYOD). This would let staff have the device they want to use, but it would be supplied and owned by the company. That way there can be no complaints about the device being heavily loaded with security and control apps.

The key here is to think about BYOD and all of its variants and make a decision on how it can best fit in with your company’s culture and objectives. The one thing no company can afford to do is ignore it, because BYOD isn’t going away.
