Managing the risks of BYOD
Life used to be simple. When a supervisor logged into the corporate network from a jobsite, it was on a company-owned mobile device, protected by the company’s IT security mechanisms. Today, thanks to the rapid rise of the bring-your-own device (BYOD) phenomenon, more and more people are logging in on personally-owned devices that IT has little or no control over.
Company-owned devices still predominate in the construction industry—according to a March 2013 study commissioned by Sage Software, three out of four construction firms supply mobile devices to their employees. However, the study also found one-third of construction firms have policies permitting BYOD, and another 8 per cent are considering it.
IT departments have traditionally used several mechanisms for securing company-owned devices. These include stipulating terms of usage, installing security and other protective software, and ensuring the device can be remotely accessed by the IT department, who can, if necessary, shut down the device, or remove data from it if there is an apparent threat.
With personally-owned devices, things get complicated. Unless there is a written agreement to the contrary, employees maintain the right to install their own apps and use the device with no restrictions. Furthermore, they have a legal right under the Charter to keep their personal information on the device private.
This means the same device that houses sensitive company information that IT needs to secure, such as competitive pricing data or emails about a liability issue, could also contain confidential employee information that might be used, for example, as evidence in a divorce proceeding. This leaves IT caught in the middle between protecting corporate data and potentially violating an employee’s privacy rights.
Getting it right
What’s needed is a set of policies that give IT security personnel the permission and tools they need to monitor and secure any device that is used to access corporate data. This begins with a signed agreement whereby the employee grants the company the right to access and remove data from that device. While this may sound extreme, experts say this is an absolute requirement for companies allowing BYOD.
“Asking for access to corporate data on their personal device is a deal that employees are making,” says Toronto-based Constantine Karbaliotis, Americas Privacy Leader for Global HR firm Mercer. “Expectation for privacy has to be diminished, because the corporation needs to protect the information on their networks.”
Of course, with the rising use of the cloud for data storage, protecting what’s stored on the device solves only part of the problem—much of the data that employees handle is stored at various online locations such as Drop Box.
“If you have assets in multiple places, you can’t impose a security perimeter around a specific location,” says Michael O’Neil, CEO of Toronto-based research firm IT Market Dynamics. “You instead secure access to any location by centering your approach on the identity of the user trying to access that information.”
Consequently, firms are starting to boost their ability to track and secure employees’ corporate identities, i.e., their login id, password, and access privileges. The employee’s private identity is completely separate.
Technology to the rescue
Technology vendors now offer a variety of solutions that allow the user to log into a mobile device separately as either employee or private individual. A common approach, offered by San Francisco software provider VMWare and others, is a special application called a container, that gives the employee access to the corporate computing environment. Another, popular in China, is a mobile device with two SIM cards – one for personal and one for corporate. Of course, some people simply own two smart phones.
Canadian technology icon Blackberry has taken the dual persona concept a step further in their latest enterprise software release with a feature called Balance. The ease of moving back and forth between corporate and personal—all it takes is the swipe of a finger on a Blackberry device—effectively removes the inconvenience of two separate logins. The segregation is complete, however—it’s not even possible to copy data from one environment to the other.
“Blackberry is addressing the issue head on, and I applaud them for that,” says Karbaliotis. “We have a personal life and we have a work life.”
Technology, however, will not solve the BYOD problem on its own. Companies must have policies and procedures in place that protect their right to protect corporate data on any devices used by employees. This is especially true in the construction industry, where legal risks are greater than in many other industries. As Karbaliotis points out, companies need to create these policies with a thorough understanding of the quantitative risks specific to their business.
“The goal is to try to be proactive, not reactive,” says Karbaliotis. “Don’t sleepwalk into these situations.”
Jacob Stoller is principal of Toronto-based consultancy Stoller Strategies. Send comments to firstname.lastname@example.org.