Does BYOD Increase Information Risk?

Posted 2013-08-02
BYOD and information risks

By Steve Durbin

We’re living in an always-on, always-connected society, where our mobile phones have gone from being simply portable telephones to serving as all-powerful communications devices. Unfortunately, many of today’s most popular devices weren’t designed for business purposes and therefore don’t offer the level of security provided with desktop and laptop computers.

Furthermore, the way our mobile devices are being used blurs the line between personal and business use. Potential risks include misuse of the device itself, outside exploitation of software vulnerabilities, and the deployment of poorly tested and unreliable business applications. This could result in disastrous consequences for businesses, including both financial and reputational damage.

In a recent webinar, I discussed the continuing bring-your-own-device (BYOD) workplace trend—a trend that is growing and doesn’t appear as if it will slow down anytime soon. In fact, a global survey by PwC reported that 88 percent of consumers use a personal mobile device for both personal and work purposes. Gartner has gone even further, predicting that by 2017, 50 percent of employers will require employees to bring their own device. Gartner also projects that by 2016, two-thirds of the mobile workforce will own a smartphone, and 40 percent of the workforce will be mobile.

Concerns about security breaches, intellectual property theft and data loss demonstrate that it's essential to have a strategy for addressing mobile devices in the workplace. For example, a 2012 Ponemon Institute study found that in organizations allowing the use of mobile devices:

· 51 percent had experienced data loss resulting from employee use of unsecured mobile devices;

· 76 percent believed these tools put their organizations at risk; and

· 59 percent reported that employees circumvented or disengaged security features such as passwords and key locks.

Even without employees connecting their own devices to the organization’s systems, mobile device risk is substantial. If a BYOD program doesn’t already exist in your organization, you need to start thinking now about the risks—along with whether and how they can be managed.

BYOD and Personal Information

The protection of personally identifiable information varies widely by jurisdiction, with the European Union considered to have the most stringent data protection laws: Entities transferring PII outside of the EU must either comply with the data protection directive or face hefty fines.

While many countries are developing legislation in line with EU directives, the situation remains fragmented. For example, a common gripe of business leaders in the Asia-Pacific region is the lack of a common policy on data privacy, while the United States' treatment of PII is more reactive and varies widely by industry.

Organizations must be aware that it is possible for employees to transfer data across jurisdictions simply by carrying a device across borders on business. However, with BYOD, data can also be carried as an unintended consequence of employees' personal travel if they use their smartphone or tablet for both business and personal purposes. The information security organization should consider the best ways to manage such risks, including implementing policies and awareness programs.

The same care and protection should be adopted for PII on a BYOD device as for any other work system. For example, PII must be destroyed when it is no longer required, it must be correct, and it should be available when required to respond to a data subject request.

Here are six key security practices that businesses need to follow:

· Highlight the issues associated with accessing, storing and processing private information.

· Provide clarity about which privacy rules apply, and specifically how they are affected by cross-border movement of data and the multitier nature of some cloud providers.

· Include a high-level examination of the varying legal requirements in different jurisdictions.

· Identify the roles and responsibilities in the enterprise that apply to private information.

· Define an approach for managing private data and the way it is used on consumer devices.

· Help the business understand how to respond to the requirements of regulators and data subjects.

What Can Business Do?

Time is critical, and businesses need to formulate a response to the growing BYOD trend with a sense of urgency. Focusing on the organization’s information as a guiding principle for considering risk can bring clarity to decision making, since it facilitates the definition of device-agnostic solutions that can be reused for other BYOD deployments. This approach must be weighed against the risk appetite executives have for enabling BYOD.

An information-centric perspective is absolutely vital to managing BYOD risk, keeping the focus where it should be rather than on the technical details. The proliferation of new devices and applications means that organizing a BYOD risk-management plan around a single technical solution can be too restrictive. In contrast, a focus on information is more likely to result in an agile, adaptable program.

Businesses can’t afford to stand still and allow mobile device adoption to run its own course, because it will tend to create new attack vectors and potential vulnerabilities in corporate networks. Enterprises need to stay one step ahead of the latest trends, mobile devices and related security risks.

By implementing the right working practices, use policies and management tools, organizations of all sizes can benefit from the advantages mobile devices bring to the workplace, while minimizing exposure to security risks.

Steve Durbin is the global vice president of the Information Security Forum, an independent, not-for-profit association that investigates, clarifies and resolves key issues in cyber-security, information security and risk management. His main areas of focus are the emerging security threat landscape, cyber-security, consumerization, outsourced cloud security, third-party management and social media. Durbin was previously a senior vice president at Gartner and is currently chairman of the DigiWorld Institute Senior Executive Forum in the United Kingdom.