Bring Your Own Device (BYOD) allows employees to work and access enterprise data and systems using their own mobile devices such as laptops, tablets, and smartphones.
BYOD has gained popularity in recent years as a way for IT departments to keep up with constant changes in technology and employees who increasingly want to work and access company information on their personal devices.
However, without formal policies and procedures in place, BYOD can be major security risk resulting in external and internal data breaches, lead to non-compliance during litigation or regulatory action, and threaten an enterprise’s critical systems and sensitive data.
A recent survey of 447 organizations by Champion Solutions Group found that 53% of companies still do not have a formal BYOD policy.
Make a BYOD policy part of your Information Governance (IG) strategy to govern and manage information created and accessed by these devices in order to support current and future business, legal, and regulatory requirements.
The core of IG is maximizing value while minimizing risk which should also drive good BYOD policy. Your BYOD policy must determine what level of access to company data and systems should be adopted by your enterprise.
- Will there be unlimited access for personal devices?
- Or should access be restricted to only company owned devices?
- Will access be limited only to non-sensitive applications and information?
- What about storing corporate data locally on personal devices?
Your BYOD policy needs to consider “acceptable business use” for personal devices, multifactor authentication for access to company data and systems, what apps and company resources such as calendars or email are allowed on mobile devices, and what to do if a device is lost or stolen. Be sure to audit and update your policy periodically to evolve with new technologies. Effective policies should be well thought out, clearly communicated, and simple to understand for both end users and IT personnel.
BYOD results in employees creating and using electronically stored information (ESI) on their personal devices that may be subject to electronic discovery (eDiscovery) in the event of a lawsuit.
Do you already have eDiscovery software in place that can capture and preserve ESI from mobile devices? Ensure that you can preserve data from mobile devices during a legal hold to avoid sanctions or spoliation.
Is there a defined protocol for employees to hand over personal devices containing company ESI during litigation? Make sure this process addresses the digital forensics involved, the security of sensitive information, and results in the quick turnaround of personal devices to employees.
It’s inevitable that some departing employees will take company information with them. Sometimes this is malicious action from a disgruntled worker who was fired.
Other times it’s accidental and the employee simply forgot to remove data from their devices after leaving the company. Planning ahead can cut down on the risks of employees walking away with critical business information regardless of the cause.
- How and when is access to corporate systems removed from personal devices?
- What practices are in place for collecting organization owned phones and laptops?
- How and when is HR involved?
The market for refurbished smartphones and tablets is growing while data is not always being properly deleted from these devices. This means that it’s possible that data once used by employees could escape after they leave the company or resell their phone so having plans and processes for removing employee access as soon as they separate from the organization can help cut down on internal data breaches.