Given the popularity and prevalence of mobile devices such as smart phones and tablets in today’s world, it is no surprise that Bring Your Own Device (“BYOD”) programs have become an increasingly common arrangement for organizations. BYOD programs allow employees to use their own mobile device for both personal and business purposes, blurring the traditional line between work and play. A recent report indicates that more than 75% of Canadian businesses support employee-purchased smartphones and tablets in the workplace.
Properly implemented BYOD programs are appealing to organizations for many reasons. First, it allows them to save substantially on equipment cost because the phones were basically purchased and owned by the employees. Second, it allows the organization to stay in touch with their employees almost at all times, because the employees are generally carrying the device with them even after work. Third, employees may well like the arrangement as it is much more convenient to carry one device than two (a personal device and a business one). Therefore, the program can result in lower cost, higher productivity and greater employee satisfaction, a win-win situation for both the organization and employees.
While BYOD programs may seem very attractive to organizations, there are significant privacy and security risks involved that must be carefully addressed. With employees bringing in different devices, controlling the access and capabilities of such devices or ensuring the devices have adequate protection against malicious activities can be difficult. Too much monitoring can infringe on employee privacy but not having sufficient monitoring to ensure safeguards are in place to keep organizational information secure can have dire consequences. Organizations often have confidential company information on their systems such as information on new products, new ventures and new initiatives. Any security risk leading to leakage of such information may severely compromise the competitive advantage of the organization. Organizational systems may also contain private personal information of clients, which organizations are obligated to keep confidential. Having such information divulged to outsiders even if unintentionally, can result in personal information protection or privacy related lawsuits. As such, any introduction of such BYOD programs must be properly managed, with due consideration given to both the cost-benefits and potential risks involved.
Accordingly, the Federal, Alberta and British Columbia privacy commissioners compiled a set of guidelines to address the privacy and security risks for organizations considering a BYOD arrangement, a full copy of which can be found here. The following highlights some of the key points of the new guidelines on BYOD:
- Privacy Impact Assessment (“PIA”) and Threat Risk Assessment (“TRA”)
As different organizations have different types and volumes of sensitive or private information, PIA is needed to identify risks related to the collection, use, storage, retention, and disclosure of such information, while TRA addresses the specific organizational risks involved in adopting a BYOD program. Such assessments help to determine if and how the program should be implemented.
- Developing and Implementing a BYOD Policy
A specific BYOD policy should be developed, addressing issues such as user responsibilities, acceptable company monitoring practices, application management, security requirements and access requests, as well as necessary restrictions regarding which devices, systems and storage services are authorized, who can be on the program and what information can be accessed through it. The policy must be clearly communicated in order for it to be understood and enforced. Proper training to employees on managing various types of risks can also aid in the implementation of a good BYOD policy.
- Mitigating organizational risks
Organizational information should be stored in a centralized location within the organization and not on individual personal devices. Specific software, such as MDM software, can be installed to manage connections of the device to the organizational server. An agreement on the device administration responsibilities should be signed by both the employee and the organization. Another way of reducing risk is containerization, which involves creating two compartments on the device, one for personal purposes and one for business purposes. Containerization enables the organization to effectively manage the business compartment.
- Addressing software vulnerabilities
Encryptions and patch updates can prevent malicious cyber activities that can adversely affect the organization. Responsibilities must be clearly established in the policy and agreed to by the BYOD users. A list of approved apps should also be developed, with an accompanying policy and procedure for their installation and management, to prevent misconfigured or improper apps from being used. Effective authentication can be implemented at the device, container and/or user levels.
- Incident Management
A clear incident management process should be available so that when something goes wrong, immediate remedial actions can be taken to protect organizational information, such as remote removal of information or information access on the device. To do so effectively, a good inventory management system maintaining the current authorized devices and apps is essential.
Implications for businesses
Organizations need to be very cognizant of information security when using BYOD programs, not only because of potential financial and reputation losses due to leakages of sensitive company information, but also because they have the legal responsibility to keep personal information confidential. BYOD is not for all organizations as it depends on the risks involved as well as the cost implications. Technology is forever changing and BYOD policies and procedures need to keep up with latest developments. Effective development and management of BYOD programs requires devoted resources and ongoing commitment at all levels of an organization. An appropriate balance needs to be struck to ensure that measures to protect organizational information are not unnecessarily infringing on employee privacy or excessively compromising usability.
Organizations should pay particular attention to this set of guidelines by the privacy commissioners in developing any BYOD policies. When there are privacy complaints or litigation related to the BYOD programs, these guidelines may be used to determine if proper measures have been adopted by the organization to avoid security risks and privacy breaches.