Organisations evaluating ‘Bring Your Own Device’ options should carefully consider the risks, according to the senior vice president of ACE’s global cyber risk practice, Toby Merrill, and the director of privacy claims at ACE professional risk, Thomas Kang.
Increasingly, companies are allowing their employees to access company information using their own devices. This trend brings with it significant benefits, such as lower cost and higher employee satisfaction, but also creates significant potential risk that every company operating on the cloud should consider. Bring Your Own Device, or BYOD, refers to the cost-effective and employee-friendly policies some companies have adopted to manage the risks associated with employees accessing confidential corporate data through the cloud on their personal mobile devices.
While there are a number of technology and security issues to consider, companies evaluating BYOD options should analyse the risks associated with the following issues.
Unknown Third-Party Access via Mobile Apps: When employees download mobile apps for their personal use, they also allow unregulated third-party access to any corporate information stored on their devices. These mobile apps may also carry malware that can exfiltrate sensitive company information from the device.
Lack of Monitoring: Companies will want as much control over BYOD devices as possible, including visibility into data leakage and usage. This creates a constant tension between employee privacy and the company’s risk-containment measures, such as logging and monitoring data in use and data in transit.
Device Management: This employee-company tension is especially clear with regard to device management policies. These policies might range from limiting which devices are supported, to determining whether or not BYOD devices will be subject to a device management program, to requiring passwords and additional security measures. Companies may also determine the need to use “remote wipe” capabilities, where a single incorrect login could mean that all of an employee’s personal data – not just company data – is instantly erased. At a minimum, companies should ensure that employees have not altered the operating systems on their mobile devices (for example, jailbroken or rooted them) before granting access to confidential information on those devices.
Data Management and Compliance: Companies subject to compliance obligations may find it difficult not only to convince auditors that their data is adequately protected, but also to back that claim up with evidence. As a result, information security teams will need a documented list of data management policies, along with a list of third parties and the devices on which they store data.
Merging Personal and Company Time: Employees relying on their own devices at work tend to access their personal email and applications more readily, thus increasing the likelihood of engaging in personal activities on company time.