BYOD: “BRING YOUR OWN DEVICE (or DISASTER)”

March 19, 2015

BYOD (Bring Your Own Device) to work is becoming a common practice. The ABA, which (jokingly, I think) referred to the trend as “Bring Your Own Disaster,” reports that more than 60% of employees use a personal device for work. BYOD refers to a policy which allows or requires employees to use their personal devices, such as smartphones and tablets, to perform job responsibilities and access company data or applications. Having a smart BYOD policy appears to have many advantages for both employees and companies, including:

  • Employees like it because they are comfortable on their own device and do not have to carry more than one device.
  • It can decrease corporate costs because the employee pays for the device and the data service which, as we are all aware, can be expensive.
  • It can decrease training costs because employees are already familiar with the technology.
  • It may increase productivity, and client satisfaction, because employees can work on the weekend and after hours.

However, as with most technology, there are numerous risks to be considered and managed.

Keep current on technology

Before you can mitigate the risks, you have to know what they are. For more on risks, see CRN’s “Top 10 BYOD Risks Facing the Enterprise.” [2]

NC requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with technology relevant to the lawyer’s practice.[1] So we lawyers do not have the luxury of burying our heads in the sand and hoping everything is okay. Instead, we are mandated to remain current in the rapidly changing technology related to our practice. It seems to me this mandate would include investigating ways to protect data in light of the BYOD trend.

I recently read an article, Millennials Don’t Care About Mobile Security, and Here’s What to Do About It, by Omar Eiferman, which I thought provided an interesting suggestion: separate personal and corporate data on employee devices used for business by using multi-persona virtualization.

Eiferman explains:

Multi-persona virtualization creates multiple user personas at the operating system level on a single smartphone. This means a Millennial could have three or more separate personas: one for general use, one for sensitive personal applications such as finance and health, and one persona for professional use. Because personas are separated at the deepest level possible, malware on the personal persona could not get to the professional persona. Yet, a user can switch between both personas in seconds.

Rather than using blacklisting and other draconian measures to secure the entire phone, IT can simply manage the professional persona… Multi-persona virtualization would allow IT departments to manage the context in which apps are used – without controlling what employees do on their personal personas.

I unfortunately do not know enough about multi-persona virtualization (except that it sounds interesting) to advocate implementing this measure or not, but I included it because I thought it was a great example of the security risk management options available. Another security measure I came across: the employee’s device may be remotely wiped if the device is lost or stolen, the employment is terminated for any reason, or a breach is detected. The important thing is to evaluate and implement security measures which adequately mitigate the risks associated with BYOD.

Implement BYOD written policy

Once you, or your IT department/consultant, determine the best practices for security risk management in your firm, the next step is to develop and implement a written BYOD policy for employees. You would likely want to address, among other things, the following:

  • acceptable and unacceptable uses;
  • the devices which are allowed;
  • who will address connectivity and configuration issues;
  • whether the company will provide reimbursement for some of the cost of the device and/or data plan;
  • who will own the applications and data;
  • security issues, including password protection, encryption tools, data storage on the device, firewalls, and use of private networks vs. free public Wi-Fi; and
  • an exit strategy if the employee leaves the company.

Once the policy is in place, consider drafting an agreement for employees to sign indicating they read and understand the policy. And after implementation, don’t forget to educate the staff regularly on the policy and, most importantly, enforce it.

Employee-owned devices at work can save the company time and money. However, threats to a company stemming from these devices “can be as complex as a sophisticated malware attack designed to snoop on an employee’s browsing activity or as simple as a lost phone in a taxicab.” [2] Given the benefits and risks, and the high number of employees bringing their own devices to work, it may be time to think about developing a BYOD policy.

[1] N.C. Rules of Prof’l Conduct, Rule 1.1, Comment 8.

[2] CRN, “Top 10 BYOD Risks Facing the Enterprise,” http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm