BYOD: Betray Your Own Data


Bring your own device (BYOD) is the newest cyber security challenge for IT professionals and for businesses as a whole.  Letting individuals use their own mobile phones, tablets, and laptops to perform work is a boon for both the individual and the business, but the productivity gain brings a number of security concerns with it.  Both the individual and the organization must come to terms with these challenges.

Numerous statistics show that employees do not take the basic security measures on their personal devices that would justify storing or accessing corporate data on them.  According to Zixcorp's infographic, 81% of employees use personal devices in the workplace, yet 91% of tablet users and 75% of mobile phone users disable auto-lock.  How can a company trust individuals with corporate data when basic security hygiene is so widely neglected?

Corporate leadership has fiduciary and financial responsibilities to employees, investors, and customers to protect their data.  With 113 phones lost every minute, the math quickly shows that we have a serious problem on our hands.  Companies not only need policies in place, they must educate employees on those policies so that they follow the rules and understand why the rules exist.

Certain businesses have greater concern than others.  Healthcare organizations, for example, must contend with the Health Insurance Portability and Accountability Act (HIPAA).  Under its breach notification rules, the loss of unencrypted ("unsecured") protected health information is presumed to be a reportable breach, while properly encrypted data that is lost is not.  A simple example: a nurse sends an email to a colleague discussing patient John Doe in Room 4, who just received his latest dose of morphine.  The nurse needs her co-worker to update the medical record because she forgot before leaving her shift.  That message, which contains electronic protected health information (e-PHI), now resides on her personal mobile device, outside the organization's controls.  It is most likely unencrypted, and there is a 75%-91% chance, depending on the device, that it won't even auto-lock, leaving the e-PHI available to anyone who picks up the phone.  If the device is lost, the organization is looking at a presumed HIPAA breach.

The finance industry has strict regulations as well, primarily Sarbanes-Oxley.  Businesses must follow specific rules on corporate governance, internal control assessment, and enhanced financial disclosures.  With employees storing corporate data on personal devices and transmitting business information by email, SMS text message, and MMS image message, it becomes much harder for an organization to track who has access to what and where the information has gone.  This creates substantial challenges in demonstrating compliance when the auditors arrive.

Companies must secure their data not only for legal reasons but also to maintain control over their intellectual property.  With laptops lost every 53 seconds, the chance that a device lands in the hands of a competitor is too great to risk poor security.  Take the recent situation in which the U.S. Government "retrieved" the laptop of an ISIS fighter from Tunisia.  That device stored large amounts of proprietary data that its owners would not have wanted their opponent to find.  While this is a military and foreign policy example, it goes to the heart of the situation in corporate America.

While working with a global storage company, we had a situation where a senior executive lost his personal laptop, a device he happened to use for all of his company business, and one on which he had never changed the default password.  The information technology team had no policy requiring this executive to secure his laptop, let alone encrypt the data.  When the device was lost there was no way to know what data was on it, what security it had, if any, or where it was last seen.  The lack of a company policy greatly exacerbates the risk that mobile devices pose to corporate data.

The challenges are substantial.  The good news is that technology and service providers exist to help businesses overcome them.  Whether by engaging consultants for policy review and creation or by implementing mobile device management (MDM) software, companies have ways to get help.  Organizations should ensure they have policy, process, procedure, and education in place; together these measures substantially reduce the risk of data loss through mobile devices.
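To make the policy point concrete, here is an added example (my illustration, not code from the article, from any MDM product, or from Gungon Consulting) of the kind of device-posture gate an MDM or conditional-access check enforces before a personal device is allowed to hold corporate data.  It checks the very controls this article keeps returning to: auto-lock, storage encryption, a non-default passcode, and enrollment so the device can be remotely locked or wiped.  The inventory records, field names, and thresholds are assumptions chosen for the example.  The important design choice is that a device whose posture cannot be confirmed fails closed, which is exactly the gap in the lost-laptop story: nobody could say what protection, if any, that machine had.

```python
"""Device-posture gate for BYOD access to corporate data.

Added illustration only; not code from the article or from any MDM vendor.
Record field names, thresholds, and the sample inventory are assumptions.
"""
from dataclasses import dataclass

# Illustrative minimums a personal device must meet before it may reach
# corporate data.  Real thresholds come from the organization's policy.
MAX_AUTOLOCK_SECONDS = 300   # screen must lock within five minutes
MIN_PASSCODE_LENGTH = 6


@dataclass
class Finding:
    device_id: str
    failures: list   # human-readable reasons; empty list means compliant


def _positive_int(value):
    """True for a real positive integer (bool is excluded on purpose)."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def check_device(record: dict) -> Finding:
    """Evaluate one inventory record against the posture policy.

    Every check fails closed: a missing or unknown attribute counts as a
    failure, because an unverified device is an unprotected device.
    """
    failures = []
    device_id = record.get("device_id", "<unknown>")

    autolock = record.get("autolock_seconds")
    if not _positive_int(autolock) or autolock > MAX_AUTOLOCK_SECONDS:
        failures.append(
            f"auto-lock disabled, unknown, or longer than {MAX_AUTOLOCK_SECONDS}s")

    if record.get("storage_encrypted") is not True:
        failures.append("storage encryption not confirmed")

    passcode_length = record.get("passcode_length")
    if not _positive_int(passcode_length) or passcode_length < MIN_PASSCODE_LENGTH:
        failures.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} or unknown")

    if record.get("default_credentials_changed") is not True:
        failures.append("default credentials not confirmed changed")

    if record.get("mdm_enrolled") is not True:
        failures.append("not enrolled in MDM (no remote lock or wipe)")

    return Finding(device_id, failures)


def gate(records):
    """Split an inventory into devices allowed corporate access and devices
    denied, with the reasons for each denial."""
    findings = [check_device(r) for r in records]
    allowed = sorted(f.device_id for f in findings if not f.failures)
    denied = {f.device_id: f.failures for f in findings if f.failures}
    return allowed, denied


# Constructed sample inventory (assumed export format, not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "phone-01", "autolock_seconds": 60, "storage_encrypted": True,
     "passcode_length": 6, "default_credentials_changed": True, "mdm_enrolled": True},
    # tablet with auto-lock disabled and a four-digit PIN
    {"device_id": "tablet-02", "autolock_seconds": 0, "storage_encrypted": True,
     "passcode_length": 4, "default_credentials_changed": True, "mdm_enrolled": True},
    # the executive's laptop: default password, encryption unknown, unmanaged
    {"device_id": "laptop-03", "autolock_seconds": 120, "passcode_length": 8,
     "default_credentials_changed": False, "mdm_enrolled": False},
    # otherwise fine, but the screen only locks after fifteen minutes
    {"device_id": "laptop-04", "autolock_seconds": 900, "storage_encrypted": True,
     "passcode_length": 10, "default_credentials_changed": True, "mdm_enrolled": True},
]

if __name__ == "__main__":
    allowed, denied = gate(SAMPLE_INVENTORY)
    print("allowed:", allowed)
    for dev, reasons in denied.items():
        print(f"denied {dev}:")
        for reason in reasons:
            print("  -", reason)
```

Run as-is, only phone-01 is allowed; laptop-03 is denied for three separate reasons, none of which the organization in the story could have answered after the fact.  An MDM product would populate the records from enrolled devices and typically block or quarantine rather than print, but the decision logic is the same.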

Corporate leadership must take ownership of the growing security risk inherent in mobile devices.  It makes sense to permit employees to use their own equipment: there are substantial productivity and efficiency gains with this model, not to mention cost savings, since employees no longer need multiple devices to accomplish the same work.  As with all security concerns there is a tradeoff between security and efficiency; business leaders must acknowledge this and take action to protect corporate data when mobile devices are involved.


Eric Jeffery has 20+ years' experience in Information Technology, including stints in the Retail, Aerospace, Defense, Hardware, Entertainment, and Healthcare industries.  Eric has a Bachelor of Arts degree in Economics from the University of Colorado at Boulder.  Mr. Jeffery recently founded Gungon Consulting to help businesses solve the exact problems mentioned in this article.  You may contact Eric at eric@gungonconsulting.com.
