Does BYOD Increase Information Risk?

By Steve Durbin

We’re living in an always-on, always-connected society, where our mobile phones have gone from being simply portable telephones to serving as all-powerful communications devices. Unfortunately, many of today’s most popular devices weren’t designed for business purposes and therefore don’t offer the level of security provided with desktop and laptop computers.

Furthermore, the way our mobile devices are being used blurs the line between personal and business use. Potential risks include misuse of the device itself, outside exploitation of software vulnerabilities, and the deployment of poorly tested and unreliable business applications. This could result in disastrous consequences for businesses, including both financial and reputational damage.

In a recent webinar, I discussed the continuing bring-your-own-device (BYOD) workplace trend—a trend that is growing and doesn’t appear as if it will slow down anytime soon. In fact, a global survey by PwC reported that 88 percent of consumers use a personal mobile device for both personal and work purposes. Gartner has gone even further, predicting that by 2017, 50 percent of employers will require employees to bring their own device. Gartner also projects that by 2016, two-thirds of the mobile workforce will own a smartphone, and 40 percent of the workforce will be mobile.

Concerns about security breaches, intellectual property theft and data loss demonstrate that it’s essential to have a strategy for addressing mobile devices in the workplace. For example, a 2012 Ponemon Institute study found that in organizations allowing the use of mobile devices:

- 51 percent had experienced data loss resulting from employee use of unsecured mobile devices;
- 76 percent believed these tools put their organizations at risk; and
- 59 percent reported that employees circumvented or disengaged security features such as passwords and key locks.

Even without employees connecting their own devices to the organization’s systems, mobile device risk is substantial. If a BYOD program doesn’t already exist in your organization, you need to start thinking now about the risks—along with whether and how they can be managed.

BYOD and Personal Information

The protection of personally identifiable information (PII) varies widely by jurisdiction, with the European Union considered to have the most stringent data protection laws: entities transferring PII outside of the EU must either comply with the EU data protection directive or face hefty fines.

While many countries are developing legislation in line with EU directives, the situation remains fragmented. For example, a common gripe of business leaders in the Asia-Pacific region is the lack of a common policy on data privacy, while the United States' treatment of PII is more reactive and varies widely by industry.

Organizations must be aware that it is possible for employees to transfer data across jurisdictions simply by carrying a device across borders on business. However, with BYOD, data can also be carried as an unintended consequence of employees’ personal travel if they use their smartphone or tablet for both business and personal purposes. The information security organization should consider the best ways to manage such risks, including implementing policies and awareness programs.

The same care and protection should be adopted for PII on a BYOD device as for any other work system. For example, PII must be destroyed when it is no longer required, it must be kept accurate, and it should be available when required to respond to a data subject request.