Bring your own device (BYOD) has become increasingly popular in the business world: a March 2012 survey found that 61% of enterprises allow employees to use their own devices when conducting legitimate business activities.
It's easy to understand why. Each device employees buy for themselves is one the organization doesn't have to provision, maintain and support. In addition to saving dollars and resources, an enterprise BYOD policy also improves employee satisfaction because people generally prefer using their own devices. It's unusual for a business idea to emerge that both enhances service and lowers costs. As a result, the popularity of enterprise BYOD is almost certain to flourish.
As organizations move to embrace the trend, however, it's important to consider how traditional security controls intersect with BYOD. We know by now that security policies need to be revisited in light of usability considerations during an enterprise BYOD deployment, but one area that is often overlooked is employee data privacy.
Why does privacy matter when it comes to BYOD? First, employees hate invasive security. A recent survey conducted by Harris Interactive for Fiberlink found that 82% of users are "concerned" or "extremely concerned" about employers tracking their Web surfing activity, and 86% are similarly cautious about bosses deleting their data. These potentially invasive measures correlate with reduced employee support for BYOD, undermining one of the biggest reasons organizations adopt these initiatives in the first place. Crafting an enterprise BYOD policy can also put businesses in unfamiliar legal territory. As a result, the employee privacy factor means that organizations must involve a wider range of stakeholders than they are accustomed to when making IT-relevant decisions.
Who to invite to the BYOD planning table
It's important to recognize that the standard security controls that organizations employ to protect corporate assets can have unforeseen consequences when applied (without modification) to an employee's personal device. Before fully embracing BYOD, there needs to be extensive planning and forethought, and this includes inviting a wide segment of stakeholders to the table when discussing how to implement enterprise BYOD policies and standards.
Organizational leaders must think through how their employees will handle information on a personally owned device during a legal case. Specifically, it's important to remember that if an employee undertakes business activities using their own device, that device -- and the data on it -- could very well be discoverable during a legal proceeding. That situation would require employees to surrender the device for examination. To analyze these nuances, you'll likely want corporate counsel to be part of your enterprise BYOD policy reviews.
Next, consider how the traditional tools that keep corporate assets secured can have problematic consequences when applied to personal data. Oversight measures, such as monitoring of websites visited and device location services, are usually fair game on a corporate-provisioned device, as are routine controls such as deletion or encryption of data. But should these security controls be in effect when actions are performed from a personal device during the employee's off hours? What about when that data includes an employee's private information?
The point is, there are ethical, compliance and potentially legal ramifications to monitoring personal communications and accessing/modifying personal data. This means that, in addition to corporate counsel, organizations should also include stakeholders from HR and the compliance department during BYOD policy planning.
Getting the privacy side of enterprise BYOD right
There are a few key privacy aspects that you'll want to address immediately. The first (and arguably most important) is informed consent for how the organization accesses the information on any employee-owned device. Business leaders need to make sure that any time the organization accesses information on an employee's device, it is done with the employee's knowledge and agreement. Ideally, an enterprise BYOD policy would specifically make these notifications mandatory and unambiguous.
The BYOD policy should also address the privacy aspects of any specific monitoring, security or other technical controls the organization implements. For example, if the organization intends to use geolocation services to help find a lost device, employees must be notified. Similarly, if the organization decides to monitor employee communications, the BYOD team must discuss the potential ramifications of doing so.
It's important to think through what disciplinary actions would be taken, should violations be discovered. What if the organization unearths conflict-of-interest issues, such as an employee doing work for a competitor on the side? Under what circumstances is the organization required to notify law enforcement? What if an employee accesses pirated or illegal material? The legal and compliance teams can help guide these situations.
The development of a comprehensive, risk-averse enterprise BYOD program is not easy, and balancing usability and security considerations is difficult enough already. It's important to keep in mind, however, that the potential impact of the BYOD policy on employee privacy bears at least equal consideration.
About the author
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice and, prior to that, served as a vice president and information security officer at Merrill Lynch Investment Managers.