Are BYOD policies haemorrhaging intellectual property?

The proliferation of technologies and devices enabling us to work remotely has transformed business. But, as a band of industry professionals assembled at the British Library this week will tell you, it has also turned the world of information security on its head.

ITProPortal was part of a small media presence at an exclusive roundtable discussion hosted by Canon on Wednesday that tackled the increasingly worrying implications of poorly-managed BYOD (‘bring your own device’) policies, and why organisations now need a militant appreciation of protecting sensitive data.

The age of companies making a black-and-white decision whether or not to allow personal devices in the workplace appears to be over. In one respect or another, BYOD has become ingrained in the habits and psyche of the modern employee, said Robert Bond, security specialist and data protection officer at London law firm Speechly Bircham.

Coming through is a generation that “expects to have multiple devices, and not what we give them,” he said. “That’s a real challenge for how we manage our security.” The most obvious hurdles lie in creating an infrastructure that protects data drifting inside and outside the network across multiple devices, but when data equals intellectual property, the ramifications become even more serious for organisations.

“How do our businesses manage the bleed of intellectual property?” Bond asked. “If everything is digital or virtual - and your business is intellectual property rich and you’re going to go out and raise money on the market - when the due diligence is done by the lawyers, how are you going to ask the question, ‘well is this mine?’? Because is it yours? Or is it the employee who’s using their own device in their own time to create this stuff?”

Adrian Davis (centre, below), Principal Research Analyst at the Information Security Forum, concurred. “As organisations become more information-centric, which I think is the key thing here, [they] have to actually realise that the value resides in information now. The physical product is actually only the final expression in a chain of information.” During the creation process of any concept or product, organisations “need to protect information all the way along,” Davis emphasised.

“I think the tech industry is particularly bad at that,” said Jamie Bouloux (left, below), Head of Cyber for EMEA at AIG. “There’s the great example of the software company that has an idea and never patents it, that’s something we’ve seen a lot of.”

But before legal disputes and the actions of individual employees even come into the equation, it is a neglect of the security fundamentals that so often lets organisations down, Bouloux argued.

“We’ve talked a lot about BYOD but the reality is that it has to start within your organisation, and there are lapses within security infrastructure and training within the organisation before you even talk about me bringing my iPhone to the office,” he said.

“A lot of claims we’ve seen have been tied to loss of laptops and the non-encryption of those laptops. I think the MoD [Ministry of Defence] is the best example of this. If you look at the six years tracking back from 2010, they lost 1,087 laptops or had them stolen. And then there’s statistics about how less than 50 per cent of them were actually encrypted. And that’s the concern.”

Agreeing with Bond’s notion that the modern workforce will always seek to push boundaries with using their own devices, Bouloux warned organisations that it is up to them to impose strict BYOD policies that keep members of staff – and crucially the data they handle – in check.

“Employees will do what they’re allowed to do and what they think they can get away with,” he said. “And unless you set the parameters, and the employees can’t take advantage, you’re not going to stop the haemorrhaging.”

To find out what these parameters are, check out our guide to overcoming the security risks of BYOD. While the security experts at this week’s roundtable were justifiably wary of the dangers brought by increased business mobility, ITProPortal contributors have consistently argued that employers should be encouraged to bring their own devices if they have a safe policy to work within.