Understand the GDPR legitimate interest vs. consent dilemma

Devices Are Mobile, Is Your Security Policy on Board?

Scott Laliberte, Managing Director Global Lead, Emerging Technology Group

With 3.4 billion smartphones worldwide as of 2015 (and 78 percent of U.S. college grads owning smartphones), chances are your employees not only own one, but they’re also bringing them to work and using them to do work when not at their desks.

It’s the BYOD – Bring Your Own Device – movement. And while many employees may find this trend convenient – and the applications and cloud services that come with those devices certainly enable this convenience – the security risks do make employers worried.

Worry, of course, is best handled with information. Employers need to know exactly what the risks of BYOD are and deal with them head-on, by creating policies that address them.

These policies should address the obvious questions, and go beyond. How, for example, do you enforce usage policy on an employee-owned device, or handle forensics on incidents involving one, be it a smartphone, simple cell phone, tablet or notebook? It is not a simple task. Personal privacy and other ethical issues abound, in addition to technological ones.

A good way to start creating BYOD policy and addressing the security risks of mobile devices is by asking some basic questions:

  • Does your organization have the authority to seize and investigate the device?
  • Does it have the employee’s passcode and permission to use it?
  • Several mobile device management (MDM) solutions can provide controls on the device, limiting risk. Does your company have such solutions and does it have permission from the employees to use them on the devices?
  • Mobile apps are conduits into an employee’s device. Do you know what kind of apps are on an employee’s device?
  • Are those apps secure? Do they support strong authentication and protection of sensitive data?
  • Do those apps introduce risk to the device or to the data?
  • Are the apps accessing information from the user, such as geolocation and personally identifiable information (PII) that can create privacy or data security concerns for the company?
  • Do the apps introduce insecure services that attackers can take advantage of? In other words, are the apps, themselves, a weak link that hackers can exploit? Keep in mind that the more widely an app is used, the greater a target it becomes since it can yield greater rewards for the attacker.

Apps, of course, are only part of the problem. Many employees rely on cloud-based storage solutions that allow them to easily access or share their own documents via their cellphones and personal computers.

Companies need to ask similar questions regarding those services, such as:

  • Are employees allowed to use cloud-based storage solutions? If so, for all data, or certain types of data? What ensures the protection of data that is sent to the cloud?
  • If storing data in the cloud is too risky, how can employees access work material from their own devices? Is desktop virtualization practical for our company? What other ways are there to remove the data control point away from the device, so if the device is lost or stolen, the data is not jeopardized as well?

There isn’t one type of BYOD security policy. Each company must create its own, asking the questions above and designing a policy that provides the right amount of flexibility to its workforce without jeopardizing data security.

Do you have an opinion on BYOD? Please share in the comments.

1 comment