Minimizing the Risk of BYOD
The new trend in business communications is referred to as Bring Your Own Device (BYOD). An employee brings their personal phone, tablet, or computer to work. They connect that device to the company network and use it like a work-issued device.
Now imagine the following situation: an employee has a company-issued iPhone with a personal iCloud account set up on that device. One day the employee leaves your company. He hands back his company-issued phone and walks out the door. He then drives to the nearest AT&T store and picks up a brand new iPhone. Within a few minutes he has entered his iCloud credentials and is restoring an iCloud backup of his company-issued phone, consisting of the documents, contacts and other company data that existed on his work-issued device. In less than 20 minutes he could be on the phone with your clients, trying to lure them away.
This isn't just the case for the phone. If the employee has any other devices at their disposal, it is safe to assume that the same data may live on any tablet or computer that can log into the employee's account. Once the data is out of the control of your organization it could be stored in multiple locations, in multiple iterations. Finding every instance would be almost impossible. How would you know when to stop looking? There's so much risk associated with BYOD that the idea makes IT people cry into their coffee mugs on a daily basis.
In addition to the risk of IP theft, BYOD users could bring unsafe apps into your organization that are designed to destroy or steal your company data. The devices could even be carriers of malware that initiate when a phone is connected to a work computer. In a world where BYOD is rapidly becoming the norm, how do you combat this?
Limit connectivity. At our office we have two different networks. The most secure contains our sensitive data. The other doesn't connect to our servers or storage at all. Any device could be connected to the second network without the risk of someone gaining access to proprietary data. We do not allow personal devices on the secure network.
Limit access not only to your business network, but to your business apps. If you run a corporate Exchange server, for example, you may need to assess whether an employee needs access to corporate email or company-managed cloud services on their personal devices. The default should be "no" unless a good reason can be provided.
Acceptable use policies (AUPs) have been around for years but may be out of date. Consider updating your AUP to permit the company access to any device connected to the network. The employee is free to connect their personal devices to your company network as long as they agree and understand that doing so means that the company can request to investigate the contents on demand. This may be especially important for discovery requests. The agreement may also contain language that states that the company has the authority to remotely wipe the device should that action become necessary.
Work with our consultants, your IT department and other employees to strike a balance between usability and securing your company's data. There may be some compromises along the way, but these are great first steps toward helping everyone sleep a little easier at night.
Lee Whitfield is the Director of Forensics for Digital Discovery www.digitaldiscoveryesi.com and serves as a computer forensics consultant and expert witness to corporations and law firms.