The rise in BYOD has left businesses struggling to manage the growing number of access points across their systems. A recent study conducted by Bitglass found that 57 percent of employees and 38 percent of IT professionals don’t participate in their company’s BYOD program due to privacy concerns, that corporate leadership would have too much visibility into the end user’s personal data.
Of course, that doesn’t stop employees from using their own devices, circumventing official policy. And when your employees are ignoring your BYOD strategy, it means something isn’t working and the time has come to re-evaluate your plan.
How can you tell if your employees have gone rogue with their personally owned devices and put corporate data at risk?
“There are several signs, but the most obvious is the leakage of sensitive corporate information,” said Patricia Titus, who served as CISO at multiple companies, and is currently member of Visual Privacy Advisory Council. “This means you’ve found your data either ‘in the wild’ on the Dark Web or ‘in the clear’ on the Internet.”
Another sign your policies aren’t working is if you notice an increase in malware or attacks from authorized personal devices. This may mean an employee is not holding up his end of the bargain by using security software or may not be keeping it up to date.
The re-evaluation of the BYOD program should begin with an assessment of the policies to make sure they are relevant to the company’s needs, if they are able to hold employees accountable, and if they are applicable to the technologies currently in use.
If after this assessment it is discovered that the BYOD policy has yielded few results and failed to keep sensitive data secure, there are two options: restructure the current policy or abandon the BYOD program all together.
[ ALSO ON CSO: 5 ways to shore up security in your BYOD strategy ]
In restructuring your BYOD program, it is vital that a “trust and verify” framework be put in place to ensure policies are effective, and that they include input from every business unit. If staff doesn’t feel a sense of ownership, they will continue to ignore the policy, according to Dominic Vogel, cybersecurity consultant and a former Information security analyst in the financial industry.
“Effective policies need to be created as a group in order to gain a sense of ownership,” he said. “Make sure HR, finance, marketing, communications, executives, are all represented and come up with a realistic (not draconian) policy that mitigates risks while still enabling the business.”
The revamped policies should then be clearly articulated to employees in non-technical terms, and understanding the terms of the policies should be contingent to being allowed to connect personal devices to the corporate network.
That said, it may surprise you to find out that a growing number of security experts believe companies should follow the second option. Too many employees are skirting the policies to begin with, so you may be better off forbidding personal devices to connect to the network all together, especially if your industry is highly regulated.
“If the risk appetite for a company is very low, meaning it is heavily regulated and has a low tolerance for risk, a BYOD program may not be appropriate,” said Titus. “Regulated companies also must be able to prove to auditors that their BYOD programs are effective.”
Instead of BYOD, Titus suggested a C(hoose)YOD option instead. Here, the company owns the device and its security but employees are allowed to choose from a small pool of devices keeping them part of the enterprise security program.
If you need to discontinue the program for any reason, it is important to determine how to clear company confidential data from employees’ personal devices without wiping out any personal information. “This can be a touchy situation,” said Titus, “and it’s important to partner with legal and HR before even temporarily terminating the program. Communication has to be top of mind and it must be balanced with other security awareness provided to employees to ensure you’re not creating cyber security fatigue.”
A failing BYOD policy can be devastating to a business, risking the loss of intellectual property, personally identifiable information of customers, and financial data – not to mention the exposure of the end user’s data. All it takes is for one device not be patched, not have standard anti-virus software or other security protections, be misconfigured but on your network, or to be lost or stolen for your company to be the latest victim of a major data breach.