Law And Order: A Look At BYOD’s Security And Legal Issues

It’s silly for anyone to deny the ever-growing popularity of mobile devices. Since the first iPhone was released over 6 years ago, similar devices have become increasingly fashionable, and for good reason.

Personal devices are not only being increasingly used for work (we can talk about BYOD issues all day!), but more and more companies are also providing tablets and smartphones as an incentive to their employees. Either way, the mobile nature and familiarity of these devices mean employees become more productive – even when away from their desks.

So for any business it sounds like a win-win situation, right?

Obviously, there are plenty of hidden risks when it comes to devices and their mobility, not to mention the major risk to data security. It’s these risks that make it essential for businesses to have a clear, standard, defined mobility strategy in operation before the use of personal devices becomes ever-present. From there, you can truly refine and shape your BYOD policy.

So what are some of these risks?

To lead a successful policy, you always start with the golden question: do we allow BYOD? It should always be noted that even in companies which restrict BYOD, employees often still use their own devices anyway. Given that we are predicting that every employee will be connected to more and more devices by 2018, it could well be the case that employers will have no choice but to form a policy, or face losing control of their network.

Taking this all into account, here we throw a few considerations into the mix that should be discussed at both corporate and department level to help you build a successful, useful and robust BYOD policy. There is not necessarily a wrong or right way to address all these considerations, as it depends entirely on what suits your business best.

Personal data and sandboxing users – One of the most significant problems with BYOD is that the device is entirely the property of the employee. As such, it is neither legal nor fair to prevent them from using the device for their personal use, as it’s their personal data. If you allow BYOD, you are inherently accepting that the personal data on that device can be stored alongside the business data the device also uses.

However, it is possible to ‘sandbox’ the data and split it out, separating the two types. This can be done either with software or technology, or through formal policies. For example, you can use Cloud-based access to your company’s network, or even a VDI (virtual desktop infrastructure), so that the corporate data is safely kept behind your company’s firewall, while personal data is only stored on the device or the user’s personal Cloud. The policy option may simply have to state how the data can be used or accessed, which is more difficult to monitor than it is to set up.

Split tunneling – a more hidden but malicious way of having company data compromised, split tunneling allows a device to connect to a public network (e.g. the Internet) and your corporate WAN/LAN at the same time. While it has many advantages, the linked connection opens you up to malicious programs which could enter your network, putting your data security at risk.
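One way to check an endpoint for the split-tunnel condition described above, as an added example that is not part of the original article: it reads Linux-style `ip route` output and reports whether corporate traffic leaves through the VPN while internet traffic bypasses it. The sample routing tables, the corporate range 10.20.0.0/16, the probe addresses and the VPN interface name prefixes are all assumptions made for illustration.

```python
import ipaddress

# Constructed `ip route` samples (not captured from a real device).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""
VPN_PREFIXES = ("tun", "wg", "ppp", "utun")  # assumed VPN interface naming

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[1:-1]:
            continue  # blank line or a route without an egress interface
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match; route metrics are not considered."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits)[1] if hits else None

def is_split_tunnel(route_text, corp_probe):
    """True if corporate traffic uses the VPN while internet traffic bypasses it."""
    routes = parse_routes(route_text)
    corp_dev = egress_dev(routes, corp_probe)
    # One probe in each half of the IPv4 space, so /1 override routes are honoured.
    inet_devs = [egress_dev(routes, p) for p in ("1.1.1.1", "198.51.100.7")]
    corp_on_vpn = corp_dev is not None and corp_dev.startswith(VPN_PREFIXES)
    bypass = any(d and not d.startswith(VPN_PREFIXES) for d in inet_devs)
    return corp_on_vpn and bypass
```

Run against the two constructed tables with a corporate probe of `10.20.5.9`, the first is flagged as split tunneling and the second, where the VPN overrides the default route, is not.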

Other stray legal issues with data on mobile devices – On top of all the security considerations, businesses should consider the legal implications of having BYOD. For example, where do you draw the line between invasion of privacy and business diligence? What if you were to find some form of criminal activity or misconduct when extracting company data from a personal device? Would you be in a position to discipline, prosecute or fire the employee, or is that a bridge too far?
