The business benefits of bring-your-own-device (BYOD) programs have been well documented, with cost savings and productivity boosts often touted by BYOD proponents. But while mobility definitely has its upside, it's also important for companies to remember the numerous security risks around BYOD, according to Gretchen Herault, vice president of site standards and user safety and deputy chief privacy officer at Monster.
Herault was in Boston earlier this month at the 2014 Governance, Risk Management and Compliance Summit to deliver a presentation titled "BYOD policies: Addressing the security gap with monitoring and enforcement strategies." Following her presentation, Herault joined SearchCompliance editor Ben Cole to further discuss BYOD security risks and steps companies can take to protect corporate information stored on mobile devices.
What are some of the biggest BYOD security risks that companies should be concerned with?
Gretchen Herault: I would say one of the top risks is really knowing where your data is, and being able to control that from a security perspective.
You spoke about the importance of BYOD policy. What are some of the benefits of having a BYOD policy in place, and what are the characteristics of a good one?
Herault: For a company, it allows them to get their arms around exactly what employees are doing and get control of those security and privacy issues that they may have. In order to do that, they need to be explicitly clear about what they want from their employees in terms of behavior, what's permitted, what's not, what they are going to pay for and what the employee will be expected to pay for themselves.
Do tools such as encryption and containerships work? Are these just fads, or will they continue to be beneficial?
More from the GRC Summit
Advanced threats force proactive approach to risk management
For modern business, converged approach needed for information risk management
Herault: Those are definitely beneficial. I would say encryption would be a baseline, and having a VPN in place is also really helpful. In some jurisdictions, encryption helps avoid the reporting requirements of a data breach. It addresses some of the security regulations that are in place, particularly in the U.S.
Where does employee privacy fit into all this? How can companies ensure, through BYOD policy, that privacy is not going to be an issue?
Herault: A company will probably have some kind of app or software installed on people's devices in order to track the location of the device, which implies that they are also tracking the location of the employees carrying it with them in their pocket, briefcase or purse. There is this question of employee monitoring, and if that is permitted.
It's really important for companies to understand those issues in their employee environment. If they have union employees or if they operate in a jurisdiction that gives employees greater privacy rights, then they will have to get consent from the employees.