BYOD: Corporate security and global users’ privacy rights
By Matthew Johnston August 27, 2014
- Encryption, PIN enforcement, MDM tools, etc. may violate a user’s right to privacy
- For global organisations, especially tricky with different laws in different countries
WHILE Bring-Your-Own-Device (BYOD) has its benefits for the enterprise – including improved employee productivity and satisfaction, as well as a reduction in costs from no longer having to supply and maintain hardware – its effect on corporate security presents an enormous challenge for IT departments.
Previously, IT had more seamless control over security when employees worked in the office and used phones and computers supplied by the company.
Today, however, laptops, smartphones, tablets and other devices accessing the corporate network from a range of platforms become conduits for malware, and escape routes for corporate data – all without the IT department’s knowledge.
According to Gartner, half of employers will require employees to use their personal devices for work by 2017, and another 38% of companies expect to stop providing devices to employees by 2016.
The economic benefit of BYOD is overpowering the security concerns, but in today’s age of global business, it’s crucial to have a BYOD policy in place that not only protects corporate data, but also follows laws for respecting employee privacy.
Encryption, PIN (personal identification number) enforcement, installation of anti-malware and anti-virus protection on the device, and mobile device management (MDM) tools all have the potential to violate a user’s right to privacy.
In most countries, organisations can’t legally do any of this without consent from the employee.
Drawbacks of one device for business and personal use
When developing a BYOD policy that will enforce security in organisations, businesses have to be transparent with employees about their responsibilities as dictated by their company policy.
Not only must employees sign off on protecting company data, they must understand what they are signing, and organisations have to know that they fully understand the implications of the policy.
In other words, by agreeing to a BYOD policy, employees give up some control over their device and should expect a loss of personal privacy. They need to understand that with access to their personal device, IT can lock, disable and wipe the data from the device (or delete all data on the phone), view browsing history, personal emails, chat and messaging histories, pictures, videos, and other media.
Beyond knowing what IT can do, users must understand exactly what will happen if the device is lost or stolen, or if they leave the organisation.
One-size-fits-all BYOD policies
Global organisations may find it especially difficult to implement a common, one-size-fits-all BYOD policy business-wide because privacy laws vary from country to country, and state to state.
Ovum revealed in its International Data Privacy Legislation Review: A Guide for BYOD Policies report that data privacy laws differ across several countries (the United States, the United Kingdom, Germany, China, Australia, France, Spain, Netherlands and European Union member states ), but, two main points are consistent to all:
2) Employees must give consent for their private data to be accessed and processed.
Organisations have struggled with how to present the end-user with an ‘agreement’ that protects both the users’ privacy and the organisation – legally and technically.
Many users are remote, so the paperwork or validation of legal agreements can be costly. Luckily, there now are ways that help organisations grant or deny access by presenting end-users with a dynamic remote access usage agreement.
From a completely remote location with access to a network, organisations can present specific agreements over the VPN (virtual private network) connection, which can be specific and updated as needed.
A real solution to the problem is not just legal, it has to be technical too. Companies need to employ BYOD in a way that technically assures protection of their data when it lands on a personal device.
Most importantly, organisations need to ensure data protection while still remaining cost efficient.
Fortunately, secure mobile access solutions now can support a capability called per-app VPN, as well as endpoint control. These technical features allow a requested VPN connection to only allow data to flow from a defined network to a specific application on the mobile device (per-app VPN), and also allow the remote device to enforce the presence and absence of particular applications.
Bottomline: A company needs not only to acquire all the legal agreements between itself and users without costly interactions or delays, it also needs to simultaneously ensure that data lands only in targeted applications – whether they are common or customer apps, or an MDM solution.
If this can be accomplished without requiring special app-wrapping, application challenges will be dramatically simplified.
Compliance and regulatory infringements
Because there is no one-size-fits-all template for BYOD policies, it’s important to have the capability to treat each user differently.
If organisations can customise the means for obtaining consent for different users in different countries, they will know who has accepted which terms. If it is an automated part of the workflow, it also will protect the organisation by ensuring there is an audit trail.
Adherence to global privacy laws is something every international organisation doing business should take seriously.
While it’s important to protect the data in the corporate data centre and data in-flight and stored on the device, as well as to protect one’s network from malware that can attack through mobile access, organisations must not overlook the financial risk that comes from not having permission from end-users to monitor their personal devices.
The penalties for failing to do so can be costly and painful for their business.
Matthew Johnston is managing director for South Asia, Dell Software
Beware ‘street BYOD,’ say Gartner analysts
APAC BYOD market to continue strong growth in 2014-2015: IDC
‘Shadow IT’ a pall on Malaysian IT landscape: VMware survey
Dell aims services push at BYOD trend
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.