If your office has a BYOD (bring your own device) policy, your employees are connecting your ecosystem with their own devices, as are your partners with your intranet—and you may have little knowledge about these devices. The good news is that BYOD security and privacy implementation has a number of defined paths that can help you navigate through this jungle of privacy, security, and legal snares that could otherwise send the best-intentioned company into a sinkhole or quagmire.
BYOD—An Interpretive Dance
The recent 2014 RSA conference in San Francisco had a session, BYOD—An Interpretive Dance, in which the presenters (Constantine Karbaliotis of Mercer and Ellen Marie Giblin of Ashcroft Law Firm) set up the discussion on privacy, security, and the attendant legalities. They highlighted the following security risks versus privacy risks:
BYOD Security Risks
- Exposure of organizational infrastructure and data
- Ownership risks
- Undisciplined use of apps, inappropriate usage, and malware infections
- Management of multiple operating systems, carriers, and configurations
BYOD Privacy Risks
- Regulatory exposure for data lost from BYOD
- Commingling of personal data belonging to the end-user and organizational data belonging to the company
- Exposure of end-user information to the organization
- Management of end-user and organizational data
To address these concerns, the speakers emphasized the need to have basic mechanisms in place to address risks. Having a list of policies and procedures that lays out the expectations of both users and the company appears to be a matter of common sense. However, it becomes much more complicated when you actually try to weave the implementation into any and all compliance regimes to which your company may be subjected. Couple these with technology solutions to ensure the desired level of technological security, and you begin to understand the complexity.
Mechanisms to Address Risk
It need not be difficult, but risk assessment does require your attention if BYOD is an option for your employees. Three essentials you must perform are privacy risk assessment, security risk assessment, and data minimization and mapping.
Privacy Risk Assessment
Karbaliotis and Giblin explained that with a privacy risk assessment, organizations consciously accept risk. The purposes of a privacy risk assessment include:
- To identify and weigh privacy risks for an initiative or project
- To mitigate the risks as far as reasonably possible
- To ensure there is an accountable person taking responsibility for accepting the residual risks
- To document that you have done all these things
Security Risk Assessment
Karbaliotis and Giblin recommend the BYOD security risk assessment include a review of:
- Asset and identity management
- Network access levels and permissions
- Corporate versus personal apps
- Protection of end-user data
- Monitoring and surveillance
- Security controls on end-user devices
- Theft/loss handling protocols
Data Minimization and Mapping
How is it possible to secure your data when you don't know where it's residing or who has access? How will you be able assuage the privacy concerns of your employees, customers, and partners or maintain the regulatory measures that you're accountable for? Recognize that as technology evolves, so will the ability for new side-doors to your data to open. Karbaliotis and Giblin explain:
- "Data minimization" means minimizing opportunities to collect personal data about others, the amount of personal data being collected, and how long personal data is retained.
- Data mapping is an effective way to chart the flow of information into and out of an organization—through entities, systems, and jurisdictions—and identify key risks to guide risk-mitigation strategies.
With these pieces in the mix, you will have answers for the situations that inevitably arise. For example, if an employee has been dutifully backing up his BYOD iPhone to the iCloud in case he drops it into the swimming pool or it is inadvertently rendered inoperable, you'll know how it will affect your data security implementation. Does the iCloud environment meet all of your security and privacy requirements?
One of the most important points is the commingling of data. In accounting, you're taught to never commingle personal funds with company funds, but does this analogy work when applied to BYOD? What if your employee's device is subpoenaed or seized? Will your data be exposed, in a manner previously not considered a security concern? Similarly, if the company is engaged in a legal imbroglio, is your employee's personal device evidence? What if a family member, friend, or acquaintance uses your employee's personal device containing your company information? These and many other questions have to be clearly identified and articulated in the policies and procedures of the BYOD engagement. While it may save money upon initial analysis, it may prove to be "penny wise and pound foolish" in the long run if due care to security, privacy, and data mapping are not addressed up front.