Is it time to re-evaluate your BYOD policy?

How can you tell if your employees have gone rogue with their personally owned devices and put corporate data at risk?

The rise in bring-your-own-device (BYOD) programs has left businesses struggling to manage the growing number of access points across their systems. A recent study conducted by Bitglass found that 57 percent of employees and 38 percent of IT professionals don’t participate in their company’s BYOD program because of privacy concerns: specifically, that corporate leadership would have too much visibility into the end user’s personal data.

Of course, that doesn’t stop employees from using their own devices, circumventing official policy. And when your employees are ignoring your BYOD strategy, it means something isn’t working and the time has come to re-evaluate your plan.


“There are several signs, but the most obvious is the leakage of sensitive corporate information,” said Patricia Titus, who served as CISO at multiple companies and is currently a member of the Visual Privacy Advisory Council. “This means you’ve found your data either ‘in the wild’ on the Dark Web or ‘in the clear’ on the Internet.”

Another sign your policies aren’t working is an increase in malware or attacks originating from authorized personal devices. This may mean an employee is not holding up his end of the bargain: either not running security software at all, or not keeping it up to date.

The re-evaluation of the BYOD program should begin with an assessment of the policies: are they relevant to the company’s needs, can they hold employees accountable, and do they apply to the technologies currently in use?

If this assessment finds that the BYOD policy has yielded few results and failed to keep sensitive data secure, there are two options: restructure the current policy or abandon the BYOD program altogether.


In restructuring your BYOD program, it is vital that a “trust and verify” framework be put in place to ensure the policies are effective, and that the policies include input from every business unit. If staff don’t feel a sense of ownership, they will continue to ignore the policy, according to Dominic Vogel, cybersecurity consultant and a former information security analyst in the financial industry.

“Effective policies need to be created as a group in order to gain a sense of ownership,” he said. “Make sure HR, finance, marketing, communications, executives, are all represented and come up with a realistic (not draconian) policy that mitigates risks while still enabling the business.”

The revamped policies should then be clearly articulated to employees in non-technical terms, and understanding the terms of the policy should be a prerequisite for being allowed to connect personal devices to the corporate network.

That said, it may surprise you to learn that a growing number of security experts believe companies should take the second option. Too many employees are skirting the policies to begin with, so you may be better off forbidding personal devices from connecting to the network altogether, especially if your industry is highly regulated.

“If the risk appetite for a company is very low, meaning it is heavily regulated and has a low tolerance for risk, a BYOD program may not be appropriate,” said Titus. “Regulated companies also must be able to prove to auditors that their BYOD programs are effective.”

As an alternative to BYOD, Titus suggested CYOD (choose your own device). Here, the company owns the device and is responsible for its security, but employees may choose from a small pool of approved devices, which keeps those devices within the enterprise security program.

If you need to discontinue the program for any reason, it is important to determine how to clear company confidential data from employees’ personal devices without wiping out any personal information. “This can be a touchy situation,” said Titus, “and it’s important to partner with legal and HR before even temporarily terminating the program. Communication has to be top of mind and it must be balanced with other security awareness provided to employees to ensure you’re not creating cyber security fatigue.”

A failing BYOD policy can be devastating to a business, risking the loss of intellectual property, personally identifiable information of customers, and financial data – not to mention the exposure of the end user’s own data. All it takes is for one device to be unpatched, to lack standard anti-virus software or other security protections, to be misconfigured while on your network, or to be lost or stolen for your company to become the latest victim of a major data breach.
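The two warning signs the article describes (a rise in malware alerts from personal devices, and individual devices that are unpatched, lack anti-virus or are misconfigured while on the network) can both be checked against endpoint telemetry rather than discovered after a breach. The following script is an added example written for this page, not code from CSO or from any of the experts quoted: it parses a constructed alert log, compares malware counts for BYOD versus corporate devices across two time windows, and lists devices that fail a constructed minimum policy. The log format, inventory fields, device identifiers, dates and thresholds are all assumptions made for the example and do not correspond to any real MDM or EDR product.

```python
"""Added example (not from the CSO article): check two BYOD warning signs.

Sign 1: malware alerts from personal (BYOD) devices rising relative to
        corporate-owned devices.
Sign 2: devices on the network that are unpatched, lack anti-virus, or are
        misconfigured (here: disk not encrypted).

Every field name, log line, date and threshold below is constructed for
this example; none comes from a real MDM or EDR product.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed endpoint alert log, one event per line:
# YYYY-MM-DD <device_id> <ownership> <event>
SAMPLE_ALERT_LOG = """\
2016-03-01 dev-001 corporate malware_detected
2016-03-02 dev-101 byod malware_detected
2016-03-05 dev-002 corporate clean_scan
2016-03-09 dev-102 byod clean_scan
2016-03-15 dev-103 byod malware_detected
2016-03-16 dev-104 byod malware_detected
2016-03-17 dev-101 byod malware_detected
2016-03-18 dev-003 corporate malware_detected
2016-03-19 dev-105 byod malware_detected
"""

# Constructed device inventory, shaped like an MDM export.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "ownership": "corporate", "last_patch": "2016-03-10",
     "av_installed": True, "disk_encrypted": True},
    {"device_id": "dev-101", "ownership": "byod", "last_patch": "2015-11-02",
     "av_installed": True, "disk_encrypted": True},
    {"device_id": "dev-103", "ownership": "byod", "last_patch": "2016-03-01",
     "av_installed": False, "disk_encrypted": False},
]


def parse_alert_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore rather than crash the report
        day, device_id, ownership, event = parts
        events.append({"date": date.fromisoformat(day), "device_id": device_id,
                       "ownership": ownership, "event": event})
    return events


def malware_trend(events, as_of, window_days=7):
    """Count malware alerts per ownership class in the most recent window
    and in the window before it. Returns {ownership: (previous, recent)}."""
    recent_start = as_of - timedelta(days=window_days)
    previous_start = recent_start - timedelta(days=window_days)
    recent, previous = Counter(), Counter()
    for e in events:
        if e["event"] != "malware_detected":
            continue
        if recent_start < e["date"] <= as_of:
            recent[e["ownership"]] += 1
        elif previous_start < e["date"] <= recent_start:
            previous[e["ownership"]] += 1
    owners = set(recent) | set(previous)
    return {o: (previous[o], recent[o]) for o in owners}


def rising_ownership_classes(trend, min_increase=2):
    """Ownership classes whose malware alert count grew by at least min_increase."""
    return sorted(o for o, (prev, rec) in trend.items() if rec - prev >= min_increase)


def noncompliant_devices(inventory, as_of, max_patch_age_days=30):
    """Return {device_id: [reasons]} for devices failing the constructed policy:
    patched within max_patch_age_days, anti-virus present, disk encrypted."""
    findings = {}
    for d in inventory:
        reasons = []
        patch_age = (as_of - date.fromisoformat(d["last_patch"])).days
        if patch_age > max_patch_age_days:
            reasons.append("patch_overdue")
        if not d["av_installed"]:
            reasons.append("no_antivirus")
        if not d["disk_encrypted"]:
            reasons.append("disk_not_encrypted")
        if reasons:
            findings[d["device_id"]] = reasons
    return findings


if __name__ == "__main__":
    today = date(2016, 3, 20)  # constructed reporting date
    trend = malware_trend(parse_alert_log(SAMPLE_ALERT_LOG), today)
    print("malware alerts (previous, recent):", trend)
    print("rising ownership classes:", rising_ownership_classes(trend))
    print("non-compliant devices:", noncompliant_devices(SAMPLE_INVENTORY, today))
```

With the constructed data, the BYOD class goes from zero malware alerts in the earlier week to four in the most recent one, which is exactly the "increase in malware from authorized personal devices" signal; the inventory check separately flags the device with a stale patch level and the one with neither anti-virus nor disk encryption. In practice the thresholds would be tuned to the size of the fleet, and the inventory fields would map to whatever the organization's MDM actually exports.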

By Sue Marquette Poremba