By now, everyone in the business world knows what the four initials BYOD mean. But if not, it stands for Bring Your Own Device to work. This means that, for a variety of reasons, employees bring their smartphones and tablets to work and use them for work email, work assignments, and work-related Internet searches. As a result, securing the BYOD mobile environment in the workplace is a give-and-take proposition. The employee gives up control of the device, and in the process, the business takes over. The problem lies in how the employee mixes data on the device: there may be family pictures mixed in with confidential memos and other documents. So, thanks to BYOD, the protection of confidential corporate data can be the hardest job for a corporate IT department.
Since the human brain does not easily recall letters (both upper and lower case), numbers, and special characters, that comprise complex passwords, one must use encryption to protect confidential data. The downside to this complexity is that once an employee hands over his/her smartphone/tablet to an employer, the device becomes de facto property of the company.
Now, when an employee wants to access his/her personal data, he/she has to use an employer’s access control to use a personal device. This means no longer having spur of the moment selfies, Vine videos, or emails without stopping to enter a password first. The device becomes a burden rather than a helpful device for the end-user.
One way around this situation is to use cloud-based access. The employee only accesses his or her files or emails from a secure website. The employee is not allowed to download files or emails to any personal computers or other devices. I’ve always been a proponent of all or nothing. Either you lock down the device completely OR use the cloud – and using the cloud may make lock down unnecessary.
Locking and encrypting a device keeps nefarious people out, and in the event that a device is lost or stolen, it can be tracked and wiped safely. Having your data in the cloud keeps employee personal data safely separated from corporate data and ensures that access controls are kept in place. Nothing is cut and dry, of course, and if not done correctly, data can be stolen regardless of security measures.
Here’s an example: An employee can save documents, but not to his or her phone or any other device, and they can check their email. One problem that you’ll always have, unfortunately, is that the employee can print documents, and that’s why you need to train employees.
One problem that businesses don’t often mention is that personal devices may be confiscated during legal proceedings. As a result, personal as well as corporate data could be open to the evidentiary process. This means that silly photos or compromising photos can be scrutinized, personal usage and tracking software can be abused, and all becomes available for the legal system for analysis. This possible scenario makes the cloud look a whole lot better as an option – especially since it may remove the possibility of device seizure.
When it comes to BYOD, it’s up to the company to be an advocate for its employees. Companies should create and implement a “least privilege” strategy so that only employees who actually need access – to documents, assets, and devices – get it. (For more on this topic, visit this page on Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege.)
As technology budgets decline and more companies add BYOD to their operational strategy, you may want to go one step further. Write down your BYOD policy, add it to your personnel manual, and distribute to all current employees. And during the hiring process, discuss your BYOD policy with candidates. There will be some positions where this becomes a very important issue: sales, customer service, IT, marketing, etc.
This advance notice will show that your company is ahead of the competition. Employees would rather be informed before the first day and the onboarding process begins – and a member of the IT team requests someone’s phone to add device administration rights to it. People have a very personal relationship with their smartphones, as you can tell by watching people walk, talk, or text without ever looking up. Taking control of their device may be too much for some employees to handle and could feel like an invasion of personal space.
But despite how you approach BYOD whether you are a small, medium, or large business, everything boils down to training. Employees must be trained on how to manage corporate data to ensure that it doesn’t fall into the wrong hands – and make sure that training takes place on a regular basis.
IBM has six tips for securing mobile devices in the workplace. Engage your employees and your management team so they’re on the same page regarding BYOD. Check out this link:
Image Credit: Naypong via FreeDigitalPhotos.net
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.