Employers are learning lessons the hard way, as the failure to introduce effective bring-your-own-device (BYOD) policies from the outset is starting to catch up with them. While the BYOD trend may have plateaued, and new strategies to meet the demands of the business and the expectations of individual members of staff are emerging, this legacy of consumerisation will remain for some time to come. In the meantime, critical systems and confidential information continue to be exposed to data loss, malware, hackers and espionage.
BYOD smartphones are frequently used as data exfiltration points when employees leave. But conducting an internal investigation or responding to court orders is not always easy when the device is not owned by the company and contains both personal and corporate data. As a result, employers have sometimes found it difficult to determine whether corporate data has been taken without permission.
The dilemma of safeguarding the rights of a member of staff against the wider obligations of an employer presented a particular challenge for one organisation. As a major sports club found to its cost, a lack of clarity on the separation of personal and corporate data and usage can cause both data protection and access issues. The club had originally issued a full set of IT devices to key staff, but also allowed individuals to use personal computers and devices for work. A senior member of the club's management opted to work exclusively on his personal devices, which meant data was only backed up to the corporate network sporadically. However, when he left the club, it quickly became clear that up-to-date copies of confidential and important files were missing. The individual objected to his personal devices being reviewed by the ex-employer, resulting in a costly legal battle. In the end, the club discovered that the ex-employee had stolen significant caches of confidential data, including medical records of players.
In a separate case, an employer decided to take direct action when it became clear its BYOD policy had failed to protect confidential information. Following the resignation of a member of staff who had been working on a very sensitive project, the employer discovered that an initial attempt had been made to delete the relevant data. However, the data resided on the individual's personal smartphone and the ex-employee refused to grant access. The employer used its mobile device management platform to remotely wipe the entire device. As a result, the former employee lost much of his personal data and subsequently made a claim against the company for its destruction.
Centralised mobile device management plays an important role in controlling devices but, in reality, there is no guarantee that every enrolled device has the latest software updates installed, particularly when the device is personally owned and the employer cannot dictate when it is patched. The lack of such control has increased the risk of staff unwittingly infecting the device and introducing malware that exposes confidential data, either on the device or on corporate systems.
Corporate use of personal devices must be isolated from personal use, and greater inroads must also be made in encrypting data held on the device and data in transit while accessing corporate systems. The same strategy should also apply to other peripheral devices, such as USB storage, where clear boundaries are equally important. One company providing services to financial firms allowed employees to use their own thumb drives to store business information. Months after a project with a major international bank had been completed, lawyers at the bank received a drive in the post, accompanied by a note stating that the device, which clearly contained confidential bank data, had been found on a train. Following a forensic investigation, it was established beyond doubt which of the bank's vendors had lost the thumb drive and what data had been compromised. Ultimately, personally identifiable information for many bank employees was exposed. The vendor that had lost the drive had no idea the data breach had occurred because it did not track the use of personal devices. This kind of data breach has become a familiar story, and one that inevitably attracts the attention of the Information Commissioner.
BYOD has a key role to play in improving employee productivity and satisfaction. However, to reduce some of its inherent risks, learned the hard way by early adopters, CIOs must take steps to ensure such devices are governed by a strong framework that safeguards the integrity of data and corporate systems.
Seth Berman is executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company