Why companies should beware of the BYOD movement and how to mitigate potential damage

BYOD (bring your own device) is a buzzword among company IT departments and policy makers. A BYOD device is an employee-purchased and owned device (e.g., laptop, smartphone, tablet) that is connected to a corporate information network or otherwise used to conduct company business. A recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. In an age where privacy and cyber security are major concerns for employers and employees alike, BYOD is a proverbial minefield for those unaware of the legal, security and privacy risks.

Emerging BYOD Legal Risks

In this world of telecommuting and start-ups, many companies allow employees to use their own laptops and smartphones. Companies have thereby ended the Apple v. Android and Mac v. PC debates, a win-win for employers and their employees. This all might sound great for both sides, but as with any new practice, the risks of BYOD policies have not yet been resolved. Nor have we seen any BYOD policy take center stage in a publicized legal dispute. We have, however, seen disputes arise over storing company data on personal devices. In Barrette Outdoor Living, Inc. v. Michigan Resin Representatives, the Court ordered an employee to pay $35,000 in sanctions for failing to preserve his cellular phone and deleting 270,000 company files from his personal laptop. Even when using a personal device, employees may have a duty to preserve corporate information if their employer goes to trial, and they may face personal legal liability for actions taken on their BYOD device.

Understanding BYOD Security Risks

When employees have access to company networks and data through their personal devices, the company becomes increasingly exposed to security and legal risks. Companies that allow broad access face the risk of employees deleting company data and are susceptible to the carelessness of employees and third-party users. These users can be anyone from a child using a parent's phone to office visitors connecting to the company Wi-Fi. When BYOD and third-party devices bypass the security controls normally applied to corporate devices (patching, endpoint protection, managed configuration), they are exposed to malware, a costly risk, particularly for Android devices. Additionally, BYOD devices that bypass network security elevate the risk of non-compliance with data privacy laws and regulatory requirements.[1]

Mitigating Security Risks & Maintaining Employee Privacy

The most effective mitigation strategy will couple emerging tools with a BYOD policy to protect company assets and security, examples of which include:

  • Developing a BYOD policy that addresses ownership, password requirements, employee privacy, liability, limitations on access/use, search parameters and what situations trigger which reactions.
  • Selectively publishing company data to new mobile apps; users get the data they need, and the company has greater control over data security.
  • Requiring device encryption.
  • Installing software to track which documents employees download.
  • Installing technology to wipe only corporate settings, data and apps to protect business assets while leaving personal data and settings intact.
  • Exploring geo-fencing to protect company information and prevent data breach by disabling device features such as the camera within company space.

Use and implementation of these tools will depend on company needs but should be considered to mitigate legal, security and privacy risks.


To see more from me on this issue visit: http://techpageone.dell.com/technology/byod-policies-tangle-hr-legal/

Protecting the Mobile App Space

Mobile apps are the new frontier. With every new terrain comes a lot of risk and, eventually, regulation. About 8% of the Android apps examined in a recent computer security study are vulnerable to attack because of weak SSL/TLS implementations. SSL/TLS are the cryptographic protocols used to secure online communications. According to Information Week Security, "Security researchers in Germany analyzed 13,500 free Android apps from Google Play and found that 1,074–about 8%–contain SSL/TLS code that could potentially make them vulnerable to what's known as a Man-in-the-Middle (MITM) attack." In practice the weakness is rarely the protocol itself but app code that skips certificate or hostname validation, so the connection is encrypted but not authenticated and an attacker on the same network can impersonate the server.

The problem is not new, but attackers are increasingly using a simple method for finding flaws in websites and applications: they Google them. Using Google code search, attackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. Information Week Security's report, Using Google To Find Vulnerabilities In Your IT Environment, outlines methods for using search engines such as Google and Bing to identify vulnerabilities in your own applications, systems and services, and to fix them before they can be exploited.

In light of these attacks, privacy and security are increasing concerns. In response, California is enforcing the California Online Privacy Protection Act (CalOPPA) against mobile apps and is set to begin fining mobile app developers that release apps without a clear and easily accessible privacy policy. Attorney General Kamala D. Harris started notifying businesses this week that their apps did not have easily accessible privacy policies, as the act requires. The warnings affect as many as 100 apps.

Violators will face fines of up to $2,500 for every non-compliant app that gets downloaded. Businesses that received the state’s privacy-warning letters this week included the airlines Delta and United Continental, as well as OpenTable, reported Bloomberg.

Earlier this year, Harris helped create an agreement among the seven leading mobile and social app platforms to improve privacy protections for those who use apps on their smartphones, tablets, and other electronic devices. According to her release, these companies – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy.

The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

“Smartphones are in my opinion the greatest threat to loss of intellectual property and concern about privacy,” said Darren Hayes, an assistant professor and expert in computer forensics at Pace University. “There are mobile apps that are masked as legitimate games which compromise other data on your phone. More aggressive privacy laws may mitigate some of the risk.”

A lot of apps would have to be updated to include the privacy notice. I hope 30 days is sufficient to make the necessary changes for affected applications.

Mobile security experts and vendors said the crackdown was good for the industry, because it would boost California consumers’ confidence. California is one of the most aggressive states in the nation on privacy protection.

This could be the catalyst necessary to make other states demand greater privacy protection. The problem is always in balancing protecting privacy with limiting speech. This is only the beginning….