BYOD / Bring Your Own Device (Disaster) – Convenience before Compliance

Posted on April 13, 2012


BYOD (bring your own device) refers to employees bringing their own computing devices into the workplace and being permitted (or pulling rank) to connect them to the corporate network.

It is at this point that many CIOs (Chief Information Officers) or their counterparts will draw the line. Others will see it as an evangelical moment to embrace the latest and greatest consumer devices.

Most BYOD devices are consumer grade. They either lack the management tools a business needs to enforce policy and demonstrate compliance, or, more to the point, they blur the demarcation line between private ownership and the mixed personal/business use their owners exercise.

What only a few years ago would have been unheard of is now the norm: corporate information held on a personal device alongside the home banking app and the Angry Birds game, all on an unencrypted handset that an amateur could break into in five minutes. It does not stop at smartphones and tablets. Personal computers are as likely to be used today as the more prevalent mobile devices, and that does not make them a safer option for businesses.

Much blame is placed on ‘Generation Z’, the 16 to 24 year olds entering the workforce who supposedly demand and expect such adaptability and flexibility in device use. Let’s put that one to bed straight away:

Computacenter carried out research whose results make clear that this is not the case. To quote Barry Hoffman, HR director: “The idea of this always connected, socially mobile and technologically demanding generation entering the workplace is something of a myth.”

Despite, or perhaps further complicated by, such contrary insights, this remains a veritable minefield for large Enterprises, let alone SMEs (Small and Medium Enterprises) without the investment budget of their larger brethren.

If large Enterprises are struggling with the management and control of these devices, then smaller companies should reflect long and hard on their risk exposure before they venture forth.

A recent Mobile Device Users Survey by document lifecycle management specialist Litéra Corp makes the size of this issue frighteningly clear. Quote:

“96% of business professionals polled are using mobile devices to store, access and send sensitive material, and the majority are doing so without e-mail encryption or metadata removal, thus posing significant security risks to their organizations.”

Forget the brand war over whose device is more secure or better managed. It is worth stating, though, that devices running the Google Android operating system have acquired a reputation as a malware platform that leaks data, and that cleanly wiping an Apple iOS device brings its own complications. That is just a fraction of the challenge facing businesses.

The reality is that few organisations are even confronting the issue objectively, let alone containing it. If they don’t, it will be only a matter of time before a data breach damages customer confidence and trust. When that hits the bottom line, even senior executives will have to wake up to their gross oversight.

In many organisations the trend started with senior executives. That much of the hard work done to meet compliance and policy obligations is now being undermined by the very office holders who prescribe policy and are obliged to ensure compliance is an interesting reflection of what technology is doing to society. It was senior executives who started the rot in many companies: they demanded, and few IT departments could say no, access to corporate information from consumer convenience devices before the business could evaluate the risks and implement proper adoption procedures, if it ever did.

This does not mean these devices cannot benefit the business; the issue is that business is increasingly putting convenience before compliance.

So what can businesses do?

  1. Risk analysis – At least evaluate the risk, starting with an inventory of which devices already hold or sync corporate data, so you know what you are getting yourself in for.
  2. Only allow devices that can have policies applied to them, and at a minimum enforce a password of at least 8 characters and enable remote wipe. A device that cannot report that it has applied the policy should be refused, not waved through.
  3. Have a data/device breach response plan in place (it will happen, so at least be ready).

For SMEs (Small and Medium Enterprises) even these basic measures will sound like a challenge. They need not be. If you are using, and so dependent on, mobile devices, then you should be considering a proper business-grade messaging and information management system. The Microsoft Office 365 E3 plan represents a cost-effective solution that would go a long way towards remedying this. For example:

  • The ability to manage remote devices as per item 2 above is a few clicks away.
  • Document access controls can become a simple exercise.
  • Disaster recovery and business continuity are built in.
  • Communications are encrypted.
  • Oh yes, and you get a copy of Microsoft Office thrown in, with home use rights, so you can protect your business by running up-to-date Office applications, which in turn gives you access to third-party tools that can further strengthen your data lifecycle management.
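The three actions in the checklist above, and the first Office 365 bullet, come down to a handful of Exchange Online settings. The following PowerShell is an added example written for this page; it is not code from the original post or from Microsoft. It uses the current ExchangeOnlineManagement module and the current cmdlet names (in 2012 the equivalents were New-ActiveSyncMailboxPolicy and Clear-ActiveSyncDevice). The tenant, policy name, mailbox and notification address are hypothetical placeholders.

```powershell
# Added example: enforce the BYOD baseline on Exchange Online (Office 365).
# Assumes the ExchangeOnlineManagement module is installed and the caller
# holds an Exchange admin role. All names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # hypothetical tenant

$policyName = 'BYOD-Baseline'   # hypothetical policy name

# Checklist item 2: a mobile device mailbox policy that requires an 8+ character
# password, locks the screen when idle, wipes the device after repeated failures,
# and refuses devices that cannot prove they applied the policy.
$baseline = @{
    Name                         = $policyName
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    AllowSimplePassword          = $false       # rejects 12345678, 11111111 and friends
    MinPasswordLength            = 8
    MaxInactivityTimeLock        = '00:05:00'   # auto-lock after five idle minutes
    MaxPasswordFailedAttempts    = 10           # local wipe after ten bad passwords
    PasswordExpiration           = '90.00:00:00'
    PasswordHistory              = 5
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false       # no policy support means no sync
}
New-MobileDeviceMailboxPolicy @baseline
# Make it the default so every mailbox gets it unless deliberately overridden.
Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true

# Checklist item 1: you cannot assess a risk you have not enumerated. Lists every
# device partnership in the tenant together with whether the policy actually took.
function Get-ByodInventory {
    Get-MobileDevice -ResultSize Unlimited | ForEach-Object {
        $stats = Get-MobileDeviceStatistics -Identity $_.Identity
        [pscustomobject]@{
            User     = $_.UserDisplayName
            Device   = "$($_.DeviceType) $($_.DeviceModel)"
            OS       = $_.DeviceOS
            Access   = $_.DeviceAccessState              # Allowed / Blocked / Quarantined
            LastSync = $stats.LastSuccessSync
            Policy   = $stats.DevicePolicyApplied
            PolicyOk = $stats.DevicePolicyApplicationStatus   # AppliedInFull is the only good answer
        }
    }
}

# Checklist item 3: the response when a user reports a lost or stolen device.
# Wipes every device paired with the mailbox, not just the one the user remembers,
# then blocks further sync until the incident is closed.
function Invoke-LostDeviceResponse {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [string] $NotifyAddress = 'security@contoso.com',   # hypothetical address
        [switch] $AccountOnly    # remove only the corporate account data, keep personal data
    )
    foreach ($device in Get-MobileDevice -Mailbox $Mailbox) {
        $stats = Get-MobileDeviceStatistics -Identity $device.Identity
        Write-Host ("Wiping {0} {1}, last synced {2}" -f $device.DeviceType, $device.DeviceModel, $stats.LastSuccessSync)
        # The wipe is queued and runs the next time the device contacts the server,
        # so a device that stays offline is never wiped: also reset the user's
        # password and revoke sessions as part of the same response.
        $device | Clear-MobileDevice -NotificationEmailAddresses $NotifyAddress -AccountOnly:$AccountOnly -Confirm:$false
    }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
}

# Usage: review the estate first, then act on a reported loss.
Get-ByodInventory | Where-Object { $_.PolicyOk -ne 'AppliedInFull' } | Format-Table -AutoSize
Invoke-LostDeviceResponse -Mailbox 'alice@contoso.com'   # hypothetical user
```

After a wipe, `Get-MobileDeviceStatistics` shows `DeviceWipeSentTime` and, once the device has reported back, `DeviceWipeAckTime`; until the acknowledgement arrives the data should be treated as still exposed. The `-AccountOnly` switch addresses the mixed-use problem raised earlier in the post: it removes the corporate mailbox data without destroying the owner's personal content, which is the right choice for an employee leaving on good terms and the wrong one for a stolen handset.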

As the old saying goes, there is little point in shutting the stable door once the horse has bolted, so action is needed now. Most companies are living on borrowed time: the proverbial horse, or the horse thieves, have yet to notice that the door is open. That is just a matter of time.

The frightening thing is that many companies will not even know that their horse has already bolted.