Bring your own device, but who owns your data?

Call it consumerization or call it BYOD, but whether we like it or not, employee-owned devices have made their way into the workplace.

In fact, Gartner predicts that 90 percent of companies will support corporate apps on personal mobile devices by 2014.

But with this new technology wave comes a string of questions up for debate: Who’s responsible for security? Who really owns the data on the devices? And as mobile device management (MDM) becomes commonplace in the enterprise, should IT be allowed to remotely wipe data if an employee’s phone is lost or stolen?

Perhaps the real question should be, why wouldn’t we want the data wiped?

Today’s mobile devices are extremely personal and intimate, knowing us better than we know ourselves. Each device holds the keys to our most important personal information. They have our exact location at any given moment, our private contacts, personal and work addresses, schedules, financial information, personal/private photos, family information, all stored on these easy-to-lose devices.

Yet a disconnect remains: When we lose our wallets or purses, we immediately cancel our credit cards and change our locks at home. Why would we treat a lost device — with so many private details and insights into our lives — any differently?

Some argue that, while there is still hope the phone will be returned, a full wipe of the device seems too harsh and too permanent an action.

Of course, the burden is on the consumer for regular backup, particularly when most personal devices contain as much critical data as computers. Regardless, research by Symantec (PDF) shows that there is, at best, a 50 percent chance of recovering a lost device (and that chance likely drops closer to zero percent for a stolen device).

Furthermore, there’s an 80 percent chance that an attempt will be made to breach corporate data and/or networks regardless of whether or not whoever found the device intends to return it.

But even if users and IT agree that remote wiping is the safest action to take in this case, do organizations even have the right to remotely wipe data on employee-owned devices?

The short answer is that it depends. From a legal standpoint, it is usually determined by where the organization and employees are located. In Germany, for example, it is illegal for companies to wipe personal data from an employee-owned device. These companies only have the limited right to delete enterprise data from personally owned devices, so many opt for mobile management solutions that allow them to do that.

In the U.S., laws on this are more lax (or even non-existent). Most U.S.-based companies have employees sign Employee Agreements or Acceptable Use Policies over what IT can or cannot do with their computing devices. In most cases, we’ve already given IT permission to do pretty much anything with our devices if we — even minimally — use them for work.

The truth is, there is a lot of shared risk between employees and employers, so arguing over who should delete the lost device’s data is the wrong argument. As with most security matters, a pre-emptive approach is best. In this case, that means close collaboration and a shared understanding of what actions to take in the worst-case scenario.

Here are some suggestions:

Open the lines of communication: Employees need to know the risks they face on a personal level, as well as the risks the organization faces.

Create a plan: Don’t wait until a device is lost or stolen before figuring out the right course of action.

Have the right tools and technologies in place: There is a plethora of both personal and commercial options for automatic backup, remote wipe, security, and management of devices. With the amount of sensitive data we carry on our devices every day, there really is no excuse to be caught off guard.

Speaking of tools and technologies, it’s an exciting time to be in the mobile workplace. Employees’ and IT departments’ tech savoir-faire is evolving at an unprecedented rate as groundbreaking technologies, devices, and apps make their way into the workplace.

Whether it is traditional MDM, Mobile App Management (MAM), Mobile Risk Management (MRM), virtualization, containerization, app wrapping, consumer or enterprise solutions, or a combination of these, there are a lot of innovative solutions out there. Now is the right time to figure out the best approach for your company’s mobile management and security strategy.

In the new enterprise mobile world, who owns security, data, and the responsibility of keeping our privacy, security, and sensitive information safe? In this case, I’d argue we are all on the same team.

Just as the new mobile world is about connectivity and hyper productivity, it is also a world of partnerships and trust. After all, when you use your device for personal and work purposes, it’s not your data or my data. It’s our data that is at risk.

Domingo Guerra is the president and co-founder of Appthority, a company focused on mobile security in the enterprise.