Inside TDV - The Data Vault Blog
BYOD Risks Must be Addressed Quickly, Forrester Report Says
Our friends over at ARMA International posted details this week of a recent Forrester study which stresses that once an organization learns its employees are bringing their own devices to work (BYOD), its leadership has a legal responsibility to minimize the resulting risk.
ARMA rightly wonders whether that is as easy as it sounds. David Johnson, co-author of the Forrester study, points out two key factors in a recent blog post:
- “The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be.”
- “There is no data leak prevention tool for the human brain, so arguably the most valuable and sensitive information walks around on two legs and leaves the building every night. Accepting this is important for keeping a healthy perspective about information risk on employee-owned devices.”
And there you have it. At TDV Cloud, we’re in the business of providing backup and recovery in the event of a lost-data disaster, and we’re good at it, but we can’t stop your sales associate from leaving his tablet in the back of a taxi.
The study names “intellectual property misuse” and “accidental data loss” as the top BYOD risks. But there is also a legal risk that most companies overlook. In his blog post, Johnson says that if attorneys can prove employees are using software they know is not properly licensed as part of their job, it can be considered “willful and illegal misuse of someone else’s property,” leaving the employer liable for past licensing fees.
So, if your marketing intern offers to design a flyer in Adobe InDesign using her own computer, and the version of InDesign she is using is a bootleg copy that has not been registered, it is the same as your company illegally using that software. Yikes.
BYOD is a relatively new phenomenon in terms of mass usage (the Mac nerd who refused to use the company PC in the early 2000s is not quite the same as an entire sales force tracking leads on their smartphones and other devices), so there are not yet any well-defined rules or guidelines for dealing with it effectively. It looks like one of those situations that will be left largely unchecked until something disastrous happens.
So what does an organization do? Wait for the bomb to explode? Or try to fashion some form of policy?
ARMA reports that Forrester suggests creating a technology approach that promotes engagement while enforcing the policy.
“This means keeping employee-owned devices off of the corporate trust network while allowing access to information through secure proxies and interfaces. In regulated environments, it also means sensitive data is never stored on employee-owned devices, but in less stringent environments it can mean simply controlling access to systems of record such as customer databases to prevent anyone from walking away with a data dump.”
Johnson writes that a signed BYOD agreement between the company and each employee, along with education on the risks and on employees’ responsibilities, should be the minimum. Cloud-based backup and recovery can also limit the damage in the case of the tablet left in the taxi or the laptop stolen at an airport, though it only restores the company’s copy of the data; it does nothing about the copy that walked out the door on the lost device, which is why the report’s advice to keep sensitive data off employee-owned devices matters.
The full report is $499 to download, and is probably worth every penny if you run a company that has no restrictions on BYOD. Here is the summary:
“Consumerization of IT helps drive better employee engagement and innovation because it gives people in your firm the freedom to choose the tools that work best for them and find better productivity. Sadly, we live in a world rife with zero-sum games of litigation where suffocating regulations are the norm, and failure to comply with their directives can draw millions of dollars in fines and lawsuits. Technology diversity multiplies the challenge of maintaining compliance — it’s no wonder so many IT shops take a one-size-fits-all approach to workforce computing and forbid bring-your-own-device (BYOD). The correct solution is a strategy that brilliantly achieves the conflicting goals of embracing BYOD and consumerization while slashing the risks and costs at the same time. This report focuses on what the biggest legal and compliance implications of BYOD are based on our research with lawyers and auditors who specialize in technology law and compliance, and makes actionable recommendations for strategy, technology, and policy.”