One of the biggest obstacles for business owners in preventing cyber risk liability, data breach, and other privacy claims is BYOD (Bring Your Own Device). The concept of BYOD is causing confusion and anxiety for many business owners. What exactly is BYOD, what cyber risks does it create, and how can your business mitigate these risks?
When Apple released the iPhone in 2007, employees started asking why both their business and personal needs could not be met on one device. This trend has continued with newer operating systems like Windows, Android, and now BlackBerry 10.
BYOD (Bring Your Own Device) is just as it sounds. Many employees are now bringing and using their own portable devices, including smartphones, laptops, and tablets, to conduct business for their employers. The days of giving employees company-issued BlackBerries that are 100% company controlled are dwindling.
Consumers are in charge, and that can cause problems when sensitive company information is used on personal devices.
What caused BYOD?
Several years ago, when consumer mobile devices became popular, employers would often furnish a device that gave the employer access to the data on an employee-issued device. That was fairly straightforward. Many employees carried two devices: one for personal use and one for business use.
This shift will continue and more and more employers will cater to their employees by allowing them to use their own devices for business and personal use.
BYOD - Who owns the information?
The main issue with BYOD is that it can be hard to determine who owns or has access to the information on the device. It can be very perplexing for business owners as they try to balance privacy and flexibility for their employees.
There are many complex issues that BYOD can cause such as:
- Can an employer remotely wipe all of the data from an employee's device?
- Are there dual-use device policies in place?
- Are the devices encrypted and password protected?
- Have employees consented to a mobile device policy?
- Are employees also using cloud-based applications to store company information?
- Could using a mobile device after normal business hours cause a wage & hour issue?
- Could trade secret information be passed?
All of these questions can pose multiple problems for an employer.
What should a business do to protect themselves?
The trend of BYOD will continue to rise, so it is important for businesses to implement strategies to mitigate risk from BYOD as much as possible. Here are the top 10 recommendations for how a business can best protect its data with a BYOD program in place:
1. Not every employee needs business access with their device
Remember that more employees equal more risk.
2. Install mobile device management software on dual-use devices
Companies can use encryption, passwords, remote wipe, lockdown after a number of attempts, anti-malware, and device locators to better protect information.
3. Implement dual-use device policies
Who are the users? Who is eligible? The policy should cover technical/security controls, restrictions on use, corporate authority to access, monitor, and delete data, reporting of loss or theft, and who is responsible for maintenance.
4. Require consent to company activities when using personal devices
This is vital to protect against invasion of privacy concerns.
5. Restrict employees from using cloud-based applications
Dropbox, SkyDrive, and Google Drive are some of the popular cloud-based applications.
6. Ensure use complies with wage and hour obligations
When employees are using devices, are they "off the clock"?
7. No use by friends or family
This one is fairly obvious.
8. Provide adequate training for employees using devices
More training + more knowledge = less cyber exposure.
9. Implement a security incident response plan
Was the device encrypted, wiped, or protected by a secure password?
10. Revise exit interview process
Employees may have trade secret information on devices.
The bottom line
The difficulties of BYOD will continue as employers look to balance protection of business data with employees' desire for choice. Employers can make BYOD policies work for all parties if they are proactive and specific. Understand your exposures with employee-used mobile devices and have a plan of action to mitigate your potential liability.
Brent Kelly is a property/casualty agent for Clemens Insurance in Bloomington, IL. He specializes in cyber risk exposures. You can read Brent’s blog at www.brentmkelly.com. You can connect with him on Twitter and LinkedIn.