The heated discussions around the recent Kaspersky Lab cyber-attack (opens in new tab) and the major OPM data breach have again brought the information security issue under the spotlight.
This time, the discussion doesn’t only focus on how to fortify the external protection shield, but also emphasises on how important it is to strengthen the enterprise control over the emerging employees who work from their own devices.
Yes, like it or not, BYOD has become a real deal now – so real that it is reforming the way we see information security. According to Gartner, about 38 per cent of companies will stop providing devices to their employees by 2016 and 50 per cent of them will demand their employees to bring their own devices to work by 2017.
BYOD is getting real, but whether it is “Bring-Your-Own-Device” or “Become-Your-Overburdened-Dilemma” in information security will depend on how well you understand the pros and cons of this policy. The rest of this article will briefly talk about the good, the bad and the who-knows about BYOD to help you get prepared with new challenges brought by this new trend.
1. All for the flag of autonomy
Why is BYOD so welcomed among employees? If you can recall the feeling of sitting in front of an out-of-date corporate PC and waiting for two hours to have IT professionals install a software you want, you could probably feel the employee's desire of using their own devices.
BYOD is all about workplace autonomy. When holding their own devices, employees immediately gain a sense of control over their work. This perceived power makes them feel happier and can significantly improve their productivity.
According to a 2013 Cisco study, BYOD employees in US can save 81 minutes per week and over 70 hours a year. What’s more, employees are actually willing to pay for this sense of autonomy: the Cisco study also revealed that global workers would spend an average of $965 (£620) to work on their own devices and an additional $734 (£473) a year for the data plans that go with them.
Happy employees make a happy company. From this perspective, it might not be a bad idea to give employees a little bit more freedom, at least in choosing their own devices.
2. I use what I want
Another good thing about BYOD is that it increases flexibility in the workplace. Employees using their own devices can work from anywhere at any time. Even if they are out of office, they are able to get updates of their works and communicate with team members seamlessly.
Therefore, BYOD greatly smooths team communications, especially in an emergency when most of your employees are out of office. What’s more, BYOD also increases employees’ flexibility in customising their own devices based on specific job requirements.
For example, employees in the accounting department can have different software setups from employees in the creative department. In this way, BYOD makes it easy for employees to adjust device settings and better meet their job requirements.
The Bad (and what to do)
1. Jailbreak is a real issue
If you want to initiate BYOD policy, the first thing your IT security team warns you will be losing control of employee behaviours. There are many apps that collect data from phones and other devices without owner’s permission.
You might have 100 per cent control on which apps you allow employees to install on corporate devices, but as long as they are using their own devices, they can do whatever they want. Tech-savvy employees can always find a way to “jailbreak” their devices and install restricted applications. These applications will then increase the risk of insider data breach and also the vulnerability to the company system.
To prevent these jailbreaks, an effective way is to update the company’s BYOD regulation with a strict policy against jailbreaking and downloading unauthorised apps and software.
2. Hate losing a phone, hate it more when there is corporate data in it
Losing your own cell phone is already painful, but losing a cell phone with corporate data is not only painful, but also terrifying. If an employee loses a device, all work emails, work data and other proprietary information stored on it are at risk of being exposed.
Even if your employee just wants to repair or trade in his/her devices, there is still a chance of data breach. To prevent the potential leakage, what you can do is to enforce pin and passcode on employee devices and also obtain the capability to wipe the entire phone or computer remotely.
However, wiping employees’ own devices remotely can cause a serious ethical dilemma with a potential risk of harming employees’ privacy.
3. How can you catch a fish on the internet
It’s almost impossible to keep track of all employee online activities in real time and stop them when there is a threat, no matter whether they are working on corporate devices or on their own devices.
Downloading random patches, opening infected websites, clicking on malicious pop-ups…. all of these online activities can infect your devices with viruses and malware that will steal sensitive corporate information.
To better protect your data from careless online activities, you should deploy a multi-layered cyber security protection shield with DDoS protection, 24/7 firewall, malicious website filter and other useful add-ons.
4. Compliance or privacy, that is the question
Compliance is mandatory for all companies in all industries. Therefore, you always have to track all business devices at all time to make sure that employee behaviours or your business activities don’t violate any regulations, such as HIPPA, SOX, PCI, etc.
However, what do you do if your employees work from their own devices? Do you still have the right to monitor their phone calls, to check their emails, or even to wipe their phones when you see something wrong? How can you ensure that your employees keep their privacy but at the same time conduct all activities under certain regulations?
The dilemma between compliance and privacy has always been a headache for most BYOD companies. For now, one solution for this dilemma could be enforcing tracking during the business hours and leaving private space for employees when they are out of work.
However, this can only be a temporary solution, because it makes no sense to assume that there is no risk of data breach in after-work hours, given the fact that employees actually spend more time with their devices when they are off than they are working.
5. What should I do with these distractions
One downside of BYOD is that it can increase downtime and distractions for employees. We know that it is almost impossible to make a rule about what apps employees can download.
This is not realistic. Employees can, or at least think they can, do whatever they want with their own devices. Therefore, it’s not difficult to imagine how many non-work-related apps they have installed on their devices.
These apps can become distractions when they are working and increase downtime to lower their efficiency. Since employee activities on their own devices are difficult to track, what companies can do is probably enforcing an office regulation and encouraging employees to manage their time effectively.
Am I saving money from BYOD or not?
One major factor that drives companies to adopt BYOD is that it can lower the corporate budget for purchasing devices. For example, an advertising agency can save a lot of money if all employees bring their own Macbooks to work.
According to the 2013 Cisco study, by implementing a strong BYOD policy, an organisation could save $1,300 (£830) per year per mobile user. However, saving money from equipment purchase is not the end of the story. If you want to get the balance sheet right, you also need to take into account of the additional money you spend in deploying a more comprehensive cybersecurity plan that enforces greater control on employee behaviours.
This expense can vary by corporate scales and functionalities. What’s more, accompanied with the BYOD is the increased risk of insider data breach. Once the company is hit by an insider data breach, every compromised record could cost the company $201 (£130) on average, and according to a 2014 IBM study, companies suffered from data breach lost about 29,000 records on average.
Therefore, adopting BYOD may add a great opportunity cost to your balance sheet, making it uncertain whether BYOD would really save money for your company, or eventually cost you more.
Although BYOD might be an undeniable trend, there is still no need to rush and join the wave. Companies should first have a good estimation on how BYOD would affect their potential expense on equipment purchase and cyber security deployment, and then create a detailed policy on how to monitor and manage employee behaviors during and after business hours to prevent possible data breach.
BYOD is not about emailing your employees and saying “hey, let’s bring our own laptops to work,” it’s about reforming the way your company is operated. Therefore, to prevent unfavorable cost, you should better take it seriously and make it right.
Rana Kanaan, Vice President of Products at Workspot (opens in new tab).