BYOD: User Policy Considerations
Questions and key points companies should consider when establishing BYOD policies.
I've been talking about bring your own device (BYOD) and security risks a lot this year, and I expect that conversation to continue for quite a while. A lot of those conversations centered on security policies and how employers and security departments can police devices that are owned by employees. Today, I'm going to look a little closer at the question of what employees are actually doing with the personal devices they use to access the company network and company data. Are employees doing the right thing to keep that information safe and secure?
The simple answer to that question is probably not. ESET recently conducted a Harris Interactive study and some of the findings included:
The employees aren't the only ones to blame here. The survey found that 66 percent of employers have never bothered to institute a BYOD policy.
BYOD has been around for as long as employees have been able to use their home computer to log into their company email account. The trend has now exploded with smartphones and tablets, and the variety of new security threats has brought the topic to the forefront of security conversations. The bottom line, the survey found, is that neither employers nor employees are doing much to practice security. This isn't just a problem for the company, but also for the person who owns the device, who likely has plenty of personal information on his or her computer that he or she puts at risk.
Here's a great example of how lax we can be with our devices and security, from the ESET Threat Blog:
If you stand at the back of a commercial flight these days you can see rows of passengers staring at a wide variety of devices, sometimes running cute little apps and games, and sometimes running business critical processes. ... And I'm sure you've seen this scenario: halfway through the flight a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal. Obviously that's a potential problem: bored users looking for cool things to install on their hip new piece of hardware. Maybe there's a compelling reason to get that app, but is there a security context in place whereby this activity is vetted, especially when they are connecting that device to the company network? Beyond that, are basic measures in place to protect the data on the device if it falls into the wrong hands?
The Threat Blog goes on to say the worst violators tend to be senior staff, who more often use the newest devices and who perhaps should know better or be more aware of, or care more about, protecting corporate data. But as more people at all employee levels decide to use smartphones and tablets, the security problems are only going to get worse, especially if the devices are used by employees who otherwise wouldn't have access to a company-owned phone or laptop. Are they going to care about or know the company's BYOD security policy (if there is one)? Is the security staff going to automatically think to educate those employees?
Either way, the time has come for employers to set up security policies.