So you’re looking to improve efficiency and lower costs without sacrificing your security or litigation readiness? Well, here’s a trending IT solution, and all the important points you need to know to implement it successfully. It’s referred to as a BYOD policy, or Bring Your Own Data breach Policy. No. Device. Bring Your Own Device Policy. Sorry about that.
Seriously though, there are some problems with it.
The Bring Your Own Device trend is meant to save on costs and satisfy employees’ desire to use exactly the kind of device they want, the way they want to use it. However, the security risks and complications of such a practice have been discussed at length. If you are looking to implement such a plan, you need to be up to date on the risks that are making news all the time. The most prevalent risks include:
- “Bad leavers,” basically employees who are upset and leave the company intending to do harm or spread sensitive company information, and who walk out the door with that information still on a device the company never owned
- Extensive diversification of technologies that must be tracked and serviced, which means increased device management cost and complexity, both in functionality and in security (patch levels, encryption and remote wipe all vary by make, model and OS version)
- Cross-pollination of passwords, where the password an employee uses for other things in their life is identical to the one that unlocks their personal phone or their company accounts. A breach of an under-protected personal account could now mean a breach of the employee’s (thought-to-be) well-protected company.
It Gets Worse …
A study by Information Technology Intelligence Consulting and security trainer KnowB4.com highlights that a large share of companies with a BYOD policy (53%) are unprepared to deal with security breaches on those devices. So when a security breach occurs, the majority of companies are not prepared to respond properly. At least you can tell yourself that where it really counts these security concerns are probably being addressed, like in, say, HIPAA-regulated health care organizations. After all, these organizations deal with things like your SSN, name, address and family information, basically all the info someone would need to gain access to your financial accounts or steal your identity.
Well, you can tell yourself that….
A recent study by the Ponemon Institute on Patient Privacy and Data Security reports that 88% of health care organizations allow their staff to use their own devices to access networks or enterprise systems, yet half of those organizations are not confident the BYOD devices are secure. That lack of confidence may be warranted: according to the same study, criminal attacks on health care organizations have increased 100% since 2010. This Market Watch article expounds on how disturbing these findings are.
Complications for Litigation
Even beyond the security concerns around BYOD policies, there are serious implications for eDiscovery and litigation readiness. Most judges assume that a corporation’s information is always under its possession, custody, or control, and therefore subject to discovery, but the actual preservation and collection of that data gets complicated when it is located on an employee’s personal device. That device may contain personal data that is legally protected and should not be accessed by IT personnel looking to preserve relevant ESI on the device. Even once they are clear to do so, collecting information from the vast array of devices that populate a typical BYOD landscape will certainly slow things down and make them more costly; the wide range of tools and expertise needed to deal with the variety of hardware and operating systems is a serious source of complication. While internal file shares and Exchange mail servers used to be the go-to sources of relevant ESI, it is now more commonly scattered across the many different phones and tablets used by employees, often with no backup of that ESI anywhere.
We have a policy for that
It’s important for a company to put down in writing, and effectively get into everyone’s brain, a cohesive and well-thought-out policy on BYOD use to get around these issues. However, too strict a policy could reduce employees’ willingness to participate in the program. You could circumvent that by making the program mandatory, as some companies have in the past, but such an approach comes with its own set of risks, perhaps obviously. Most policy makers will opt for trying to strike the right balance between specificity of restrictions and incentives for participation. Here is a guide that looks specifically at health care industry best practices. This one sets out a few best practices from an IT manager. One thing that needs to be considered when drafting a policy, regardless of the best practices you adhere to, is the need for enforcement and compliance at the human level. Setting out specific penalties and following through if and when the policy is breached can help, but so can incentives for good compliance, such as better device options or data coverage. In any case, remember that the law has not yet shown us what the best policies are, because the trend is still too new in that respect. Take a look at how policy trends have changed over the short time that BYOD has taken hold on a large scale.
What’s the BYOD policy that works (or fails) at your company? Let us know on twitter @sitelogicny #BYODisaster