The thinking is this: If your organization relents and lets employees use their own mobile devices for work, then there will be immediate cost savings, with the added benefit that people generally take better care of devices for which they are financially responsible.
The initiative is referred to as BYOD: Bring Your Own Device, and it has become a defining trend in the past year.
Unfortunately, despite the perceived upside, there is also considerable downside that can suck the fun right out of the approach.
That downside must be accounted for before unleashing the hordes. Allowing personnel to bring personally owned devices into a managed environment and (more importantly) allowing people to use these devices to access and store potentially sensitive business data opens the door to numerous additional costs.
Specifically, inadequate accounting for liability from increased legal and information risk and inadequate provision for control of business data on mobile devices may increase support costs. Here are a few suggestions on addressing these concerns.
Conduct a comprehensive risk analysis
There are three types of risk that should be considered when it comes to BYOD: financial, information, and legal.
Of these, the first (financial risk) is perhaps the easiest to break down. Oftentimes, this factor is where immediate perceived value is seen in implementing a BYOD policy because companies can baseline mobile devices as a fixed monthly cost.
However, based on a survey of over 100 companies earlier this year, the Aberdeen Group determined that organizations have underestimated the costs associated with BYOD, to the extent that an organization supporting 1,000 mobile devices through such a program is spending, on average, an extra $170,000 per year.
Analyzing information risk is often done poorly, or perceived as too difficult to do well. Fortunately, methods like Factor Analysis of Information Risk (FAIR)# make a reasonable analysis achievable.
Specifically, considering just the loss magnitude side of an analysis can provide a quick reference point to identify potentially hidden costs.
FAIR looks at primary and secondary loss estimates under six categories: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgment, and Reputation.
With just a cursory review, it is not unreasonable to think that, while Replacement costs will go down (for the business), the Response costs are likely to increase, since performing a response on a personally-owned device can be more difficult.
Additionally, you may see higher expected losses from Fines & Judgments since the business is potentially sanctioning employees to take sensitive data outside the defined, controlled environment, leading to legal risk concerns.
A detailed legal risk analysis should be conducted to ensure that allowing business data to reside on non-business-owned devices does not, in fact, greatly increase legal liability.
For example, how do you deal with search and seizure? What about remote wipe of a device that negatively impacts an individual’s data? Many questions should be considered as part of a legal risk analysis to ensure that moving to BYOD does not significantly increase legal liability.
Identify and communicate a legal strategy
Once it has been decided to move to a BYOD approach, it is absolutely necessary to ensure that this decision is incorporated into governing legal strategy. The strategy must include adding employee agreements that cover acceptable use, remote management and wipe capabilities, and appropriate data handling requirements, to name a few.
There are at least three main actions to undertake at this stage:
- Ensure that the approach is legally defensible. A risk analysis may reveal increased risk factors for a BYOD program. Documenting a logically sound decision to move forward, as well as accounting for any advice offered by subject-matter experts, will be imperative in proactively preparing a defense should a BYOD-related data breach occur.
- Ensure that agreements are signed and iron clad. Allowing personnel to have business data on their personal devices is not necessarily new, but having it be officially sanctioned likely is. The business will have to maintain a degree of remote management responsibility for the device (minimally, remote wipe). It must be made very clear to the employee that their device is being managed, as well as ensuring that privacy rights are clearly delineated.
- Ensure that awareness programs address the topic. Once new policies and practices are in place, it is important to launch an awareness program to proactively educate personnel on their rights and responsibilities. The goal is to set expectations, as well as to guide personnel to approved processes for participation in the program.
Deploy mobile device management
Finally, it is important to choose mobile device management (MDM) software that will be able to support multiple device types.
In moving to a BYOD policy, the organization must grapple with having less (if any) control over the selection of devices. Personnel are more likely to trend toward popular devices, which can be both good and bad.
On one hand, newer devices are more likely to support management software. On the other hand, devices may initially be too new to support the MDM software.
It is important to understand the market when reviewing MDM solutions to ensure that they support a broad range of products. Today there are at least four mobile device platforms to consider: Apple iOS, Microsoft Windows Mobile, Android, and RIM BlackBerry. Each platform has unique attributes and separate codebases.
MDM software should minimally provide remote wipe capabilities, and will ideally include additional capabilities to help track data and applications. Solutions may also provide additional security capabilities like AV, backups and secure file-sharing.
Moral of the story: Look before you leap
Allowing personnel to bring their own cutting-edge mobile devices into the enterprise can seem quite alluring for reducing business expenses. However, a quick analysis may prove otherwise.
Despite potential benefits (e.g., responsible handling of devices) and increased personnel happiness, the increased risk could have grave consequences. If an organization decides to move forward with a BYOD program, it should take proactive steps to ensure that proper legal agreements are in place governing participation in the program, as well as in deploying MDM solutions that can reduce information risk exposure.
The decision to move forward with BYOD should not be taken lightly and should be as well informed as possible.
Ben Tomhave helps global enterprises, SMBs, and service partners with integrated governance, risk, and compliance in his current role as Principal Consultant for LockPath, a GRC software company. He is a Certified Information Systems Security Professional, co-vice chair of the American Bar Association Information Security Committee, member of ISSA, and member of the IEEE Computer Society. Prior to his current endeavors, Ben has worked in a variety of security roles for companies including BT Professional Services, AOL, Wells Fargo, and Ernst & Young.
Top image courtesy of igor1308, Shutterstock