Bring Your Own Device?
There is a recent trend of organizations adopting a “Bring Your Own Device” (BYOD) policy, whereby employees can use personally owned mobile or tablet devices to access privileged company resources such as email, file servers, and databases.
One of the benefits of a BYOD policy is that it generally saves the organization money, with employees paying for some or all of the costs for the hardware, voice or data services, and other associated expenses. Employees tend to prefer a BYOD policy as it allows them to use the devices they prefer, rather than devices that are selected and issued by an IT department. Often this means BYOD devices are more cutting edge than the hardware that would typically be rolled out across an entire organization.
Left unmanaged, this practice can result in data breaches. If an employee loses a smartphone used to access the company network, untrusted parties could potentially access any confidential data stored on the phone.
The MIT Technology Review recently explored how IBM had to adapt after loosening restrictions on the devices its employees could use.
In 2010 IBM adopted a BYOD policy and now has up to 80,000 employees accessing internal IBM networks using their own smart phones and tablets. The challenge has been for the IT department to establish guidelines to teach employees how to use these devices safely and securely. The guidelines detail specific applications or “apps” which should be avoided because of security risks. On the list of banned apps are public file-transfer services such as Dropbox, which could potentially allow confidential information to get loose. The department also prohibited the auto-forwarding of company e-mail to public Web mail services or using smart phones to create open Wi-Fi hotspots, which make data vulnerable to snoops.
Now, before an employee’s own device can be used to access IBM networks, the IT department configures it so that its memory can be erased remotely if it is lost or stolen, disables public file-transfer programs like Apple’s iCloud, and even turns off Siri, the voice-activated personal assistant, on employees’ iPhones.
The American Civil Liberties Union recently called out Apple for collecting extremely personal data when Siri is activated, including your “Voice Input Data” and “User Data” to potentially be shared with “Apple’s partners who are providing related services to Apple.”
IBM is not the only company facing these challenges. Companies of all sizes are adopting BYOD policies.
The important step is for organizations to create a clearly defined policy for BYOD that outlines the rules of acceptable use and states up front what the expectations are with regard to minimum security requirements. The policy should also detail the process for data retrieval in the event that an employee is let go or leaves the company.
Read more here: http://www.technologyreview.com/business/40324/