BYOD: Technical, Security And Legal Implications

“BYOD” (Bring Your Own Device) is real and not going away. Indeed, it is a discussion that gets a lot of airtime these days among technology executives (e.g., CTOs, CIOs, CSOs) because users are demanding the productivity and convenience gained from using their mobile devices for work. Thus, many organizations are beginning to make serious IT policy and mobile device purchasing and management decisions driven, in part, by this employee demand.

According to several market studies by both analysts and by market players, upwards of 90% of employees currently bring and use their own devices at work, and close to 40% already use their personal devices for work-related tasks. Around 65% of tablets in the workplace belong to users. So it is easy to see why, regardless of organizations’ desires, some form of unofficial BYOD already exists at many companies. Sometimes it’s better to join the trend than to fight it.

“BYOD” may stand for “Bring Your Own Device,” but the implications are broad: When employees use their own devices on the job, they’re also bringing their own technology and behavior in ways that can have a profound impact on corporate technology, security, governance and legal affairs.

Many companies are looking to embrace some form of the BYOD trend because employees demand it: As the lines between work and home become blurred, BYOD allows staff to integrate the two spheres of their life conveniently. Indeed, in many developing economies, BYOD is the de facto norm. For more mature IT organizations, cost is a key factor that is holding implementation back.

There are of course some company leaders who are convinced that the BYOD trend reduces complexity and lowers the cost of managing mobility. There may be long-term savings, but in the immediate and near future, companies will likely face a higher up-front expense for implementation, especially where new equipment and software may be necessary. Of course, as IT systems come due for upgrade, taking advantage of systems and solutions that integrate BYOD management features is a smart move.

Technical, Security and Legal Issues

BYOD presents many technical and security considerations, which can be mitigated with a well-designed implementation plan. However, scope management is critical, and requirements should ultimately be driven by balancing user convenience with the business needs of managing productivity and security.

Technical considerations include deciding which device types and device operating systems will be allowed and supported (most mobile operating systems have some form of BYOD capabilities, either native or requiring a third-party app), what apps may be installed and used, what current IT systems may be accessed and how data is stored.

Security considerations typically relate mostly to data privacy and access. Since one physical device contains both personal and company data and can connect to public systems and private corporate systems alike, many issues and risks may arise with respect to maintaining secrecy and limiting access to the employee’s and the company’s data and systems.

Unlike many traditional IT implementations and user-level system provisioning, with BYOD, an organization must think about both what is needed by the company (e.g., securing corporate data on a non-company owned device) and what is needed by the employee (e.g., securing personal data on a non-company device that regularly accesses company systems).

Legal and risk-management considerations are also paramount to ultimately implementing and enforcing a good BYOD policy. Organizations must notify and educate employees about the reasons for and benefits of having the policy while educating them about its risks and limitations. Examples include limitations on use, such as disallowing any jailbroken devices.

Best Practices for Managing BYOD Risks

For companies that want to take a proactive stance to implementing good BYOD policies, it is imperative that employees are trained so that they’ll be aware of the limitations and issues, as well as knowing their obligations under the company’s BYOD policy. It’s also crucial to have buy-in from the top down: Managers should actively support and enforce the company’s BYOD policies to demonstrate the company’s commitment. This engagement helps to create a security-focused company culture.

The right plan around the scope and implementation of a good BYOD policy is important for fast adoption, easy management and overall high user compliance ratios. An ideal plan leverages commercially available solutions to manage many of the technological and logistical requirements involved in allowing users to maintain and access corporate data via a personal device. This can help keep BYOD policies well scoped and well implemented.

The separation of work and personal data and use is another important foundational principle in maintaining a successful BYOD policy. A sound plan also includes distinct policies to help companies manage user behavior and address access control, technology housekeeping tasks and data disposition requirements.

The technical and security strategy related to the BYOD policy must clearly define and address the specific types of devices and security protocols that are supported, and should outline policies and procedures for dealing with malware and lost devices, including ensuring that even the most basic BYOD policy has remote data wiping capabilities.
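The device-eligibility rules described in the preceding sections (supported platforms and OS versions, no jailbroken devices, an app allow/deny list, separation of work and personal data, and a remote wipe for lost devices) can be expressed as a small compliance check that an MDM enrollment step or a periodic audit would run. The code below is an added illustration, not code from the article or from BIA; the policy values, device records, app names and action labels are all constructed for the example.

```python
"""Illustrative BYOD device-compliance evaluator (added example, not from the article).

Encodes the kinds of rules the article lists: supported platforms with a minimum
OS version, no jailbroken/rooted devices, a deny-list of apps, a required work
container so corporate data stays separate from personal data, and a remote wipe
of the work container only when a device is reported lost.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    owner: str
    platform: str                 # constructed values: "ios" or "android"
    os_version: Tuple[int, int]   # major, minor
    jailbroken: bool
    installed_apps: Set[str]
    work_container_present: bool  # work data lives in a managed container
    reported_lost: bool = False


# Hypothetical policy values, constructed for the example.
POLICY: Dict[str, object] = {
    "min_os": {"ios": (16, 0), "android": (13, 0)},
    "blocked_apps": {"untrusted-vpn", "sideloaded-store"},
}


def evaluate(device: Device, policy=POLICY) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems: List[str] = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        problems.append(f"unsupported platform: {device.platform}")
    elif device.os_version < min_os:
        problems.append("OS version below supported minimum")
    if device.jailbroken:
        problems.append("jailbroken/rooted device not allowed")
    if not device.work_container_present:
        problems.append("work container missing (no work/personal separation)")
    blocked = device.installed_apps & policy["blocked_apps"]
    if blocked:
        problems.append("blocked apps installed: " + ", ".join(sorted(blocked)))
    return problems


def decide_action(device: Device, policy=POLICY) -> str:
    """Map a device's state to the action an MDM policy would take."""
    if device.reported_lost:
        # Lost device: wipe only the corporate container, leaving personal data alone.
        return "wipe-work-container"
    violations = evaluate(device, policy)
    if not violations:
        return "grant-access"
    if device.jailbroken or device.platform not in policy["min_os"]:
        return "block"          # hard exclusion: jailbroken or unsupported device
    return "quarantine"         # withhold corporate access until the user remediates


# Constructed sample fleet used when the module is run directly.
SAMPLE_DEVICES = [
    Device("alice", "ios", (17, 1), False, {"corp-mail", "maps"}, True),
    Device("bob", "android", (12, 0), True, {"corp-mail", "untrusted-vpn"}, False),
    Device("carol", "ios", (17, 0), False, {"corp-mail"}, True, reported_lost=True),
]


def run_report(devices=SAMPLE_DEVICES) -> Dict[str, Tuple[str, List[str]]]:
    """Produce {owner: (action, violations)} for a list of devices."""
    return {d.owner: (decide_action(d), evaluate(d)) for d in devices}


if __name__ == "__main__":
    for owner, (action, violations) in run_report().items():
        print(f"{owner}: {action} {violations}")
```

The point of keeping `evaluate` and `decide_action` separate is that the violation list is what gets shown to the employee (and logged for audit), while the action is what the enrollment or access gateway enforces; the lost-device path deliberately never touches personal data, which is the separation principle the policy rests on.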

A well-designed BYOD strategy should include an Employee Acceptable Usage Agreement from HR and comply with all applicable privacy guidelines, including HIPAA, PII and PCI. Organizations should map out an eDiscovery strategy that outlines how legal holds will be handled in the BYOD workplace, detailing how memos are to be retained and how data will be gathered to respond to discovery requests.

To manage the legal risks of BYOD, the legal department should focus on employee (user) education about the issues and risks to personal privacy and to corporate data confidentiality. Training is a vital component of that effort, as is setting limits that balance the need for workforce convenience against risk management objectives.

Alternative (baby-step) strategies are also options. One such strategy is to provide employees with devices that are primarily used for business but allow employees to engage in “reasonable” personal use. This strategy expands employer control and enables stricter management of portals, security and device configuration. Its downside is that it forces employers to provide more extensive user IT support.

The Bottom Line on BYOD

BYOD is here to stay. As technology continues to take a prominent role in both work time and leisure time, employees will use their devices for both purposes. The question that remains is how companies will handle this emerging phenomenon.

Companies that design and implement sound BYOD policies, exhibit executive support for the program, educate their workforce and anticipate and address the risks associated with BYOD will be well positioned to negotiate the challenges of a rapidly evolving modern workplace.

Alon Israely, a licensed attorney and Certified Information Systems Security Professional, leads Strategic Partnerships at BIA. BIA's TotalDiscovery is the first on-demand, cloud-based integrated Legal Data Preservation and Analysis Solution available. With no software to install or hardware to provision, TotalDiscovery can be utilized immediately, with no extensive training or configuration required. TotalDiscovery was designed for cases of all sizes, from a few custodians to thousands. With its unique, flexible and predictable pricing model, no up-front costs and instant availability, it was designed with small and medium size cases in mind, while its advanced features, like Enterprise Connectivity, cater to the needs of larger enterprises.