Over the past couple of years, the increase in smart mobile devices has been staggering. As of October 2012, the majority of adults (55%!) are accessing the Internet from mobile devices. Just last quarter (Q3 2012), worldwide smartphone sales were up 47%. In just 2 years, 67 million iPads were sold. Any idea how many YEARS it took Apple to sell that many Macs? 24! More devices than ever are attempting to synchronize or exchange data with corporate networks. And often, these devices aren’t company-owned, which means that they aren’t locked down.
B.Y.O.D. – A growing trend, with a catch
While you’ve definitely heard of the gaining momentum of ‘cloud’ technologies, you may not yet have heard of the pervasiveness of BYOD, or Bring Your Own Device. It’s happening in your schools, in small business, and in big business. Employees are providing and funding their own devices, and each is equipped with technologies that enable it to synchronize with the corporate network. If an employee owns the device, who takes responsibility for the security and protection of company data on that device?
Your Company Policy is Key
Historically, there were 3 elements present in employer-employee contracts pertaining to the use of devices in the workplace.
- The Employer-issued equipment
- The waiver by the employee about his/her rights when it comes to privacy (signed)
- The notice to the employee that ‘we have the right to monitor’ (signed)
While AllConnected is definitely not in the business of providing legal advice, these 3 elements formed the basis of a contract. But what happens to the contract when the employer-provided device is replaced by an employee-owned device? Is it voided? Is it enforced? What happens to a policy in court when it isn’t enforced? Today, personal devices vary as much as the standards that their owners adhere to for security and data protection. We often find that the answers to these questions are unknown:
- What password protection is used to secure the device? How complex is it?
- Is antivirus/antimalware software installed on the device, and is it scanned for vulnerabilities regularly?
- Does sensitive corporate data exist on the device, and what happens to this data if the device is stolen or misplaced?
- Is corporate data created on the device without being centrally protected and verified?
- Are the passwords used to access your corporate networks being sniffed as users access them from personal devices?
- What happens if the employee breaches the contract/policy? What if there really is no policy? What if there is no way to enforce the policy?
As the ‘walls come down’ in regard to corporate-owned devices, new challenges arise. While in Kansas City 2 weeks ago for a Business Improvement Group Conference of over 100 solution providers, 2 FBI Infragard Special Agents related to us that it is shocking to see just how many mobile users install applications that provide ‘the world’ with GPS coordinates of every picture they take, when they take it, and who is in the picture.
Parodies have been made about how little thought goes into hitting the ‘I Accept’ button when agreeing to the Terms and Conditions for installing the average ‘free’, ‘adware-supported’ applications that exist on many devices. Data often remains unprotected, and if it is protected, it’s likely in a ‘free cloud’, tied to a personal Gmail address that may or may not have any real liability.
What is the Answer?
Often, the answer lies in the enforcement of policy, both from a technical standpoint, and from an HR standpoint. The technology to enforce this policy is here today.
For more information about how to set policy, and managed IT services around the enforcement of this policy, please reach out to your AllConnected IT consultant or contact us regarding our safeConnect service.