Cesare Garlati is the co-chair of the Mobile Working Group at Cloud Security Alliance.
Many employees don’t understand the implications of using their personal devices for work. Many companies don’t understand that they are in fact liable for the consequences. This post covers the things you always wanted to know about BYOD but were too afraid to ask.
Good News: Your company offers a BYOD program
You can finally stop carrying that boring corporate phone and use your own shiny new iPhone for work. Even better, you can now check your corporate email from home while streaming YouTube videos on your Galaxy tablet. Your company picks up part of the bill and even provides enterprise-grade help desk support to help you with your gadgets. It looks like an offer you can’t refuse.
Bad News: You joined your company’s BYOD program
One morning you wake up, reach for your iPad to check your email, but it doesn’t turn on. Your iPad is dead. Totally bricked. After a quick family investigation you realize that the little one tried to guess your password to play Angry Birds before you woke up. Too bad the security policy enforced by the corporate email account triggered your iPad’s self-destruction to prevent unauthorized access to sensitive corporate data.
Angrier than those famous birds? Wait until you realize that the device itself can be brought back to life and your corporate data restored, but your pictures, videos and songs are gone. Forever. (Note: the case above is based on a true story; my son’s name is Luca.)
Don’t read on if you’re already scared. This is not the worst that can happen to your data, to your privacy and to your device. Many employees who use their personal devices for work are shocked to find out that their smartphones, tablets, and laptops may be subject to a discovery request in the context of litigation involving their company. Employees may be asked to surrender their personal devices — containing browser history, personal information and documents they created — as these may be subject to review by third parties in connection with litigation.
The BYOD fine print
If you were too impatient to read all the way through the Acceptable Use Policy that you signed when you joined your company’s BYOD program, or if you simply were not too eager to know what you were really getting into, this may be a good time to go back to that document or to contact your IT or HR department to ask for clarification.
Here are the things you should know about your company’s BYOD program and that you shouldn’t be afraid to ask.
Personal Data Loss
When your personal smartphone, laptop or tablet is used for work-related activities, such as access to corporate email, calendar or the corporate directory, there is a good chance that your company relies on built-in features and additional software tools to secure and manage the data on your device.
As a first line of defense, many organizations enforce ActiveSync policies, supported out of the box by most consumer mobile devices, to require password protection and to enable remote wipe and lock. More sophisticated IT departments may request the installation of additional Mobile Device Management software agents to extend corporate IT reach into any application and functionality of your device. While security and manageability are legitimate concerns for the company, most BYOD programs rely on IT tools that don’t make a clear separation between personal and corporate data and applications. As a result, in case of unauthorized access – real or presumed – the whole content of the device is more or less automatically deleted and the device itself made unusable.
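To make the wipe behavior concrete, here is an added simulation (written for this post; it is not vendor code or anything from the author) of how a passcode policy reacts to repeated wrong guesses. Real Exchange ActiveSync mobile device mailbox policies expose a failed-attempts threshold (MaxDevicePasswordFailedAttempts); the `Policy` and `Device` classes, the threshold of 5, the sample data and the two wipe scopes are constructed for illustration. It contrasts a traditional whole-device wipe with a selective wipe that only clears the managed corporate data, which is the separation the paragraph above says most BYOD tooling lacks.

```python
"""Constructed simulation of a mobile passcode policy: N wrong guesses trigger
a wipe, and the wipe scope decides whether personal data survives."""

from dataclasses import dataclass, field


@dataclass
class Policy:
    # Wrong passcodes tolerated before the wipe fires (assumed value;
    # real EAS policies carry this as MaxDevicePasswordFailedAttempts).
    max_failed_attempts: int = 5
    # "device": erase everything, as a classic ActiveSync wipe does.
    # "corporate": erase only managed work data (container / selective wipe).
    wipe_scope: str = "device"


@dataclass
class Device:
    passcode: str
    personal: dict = field(default_factory=dict)   # photos, songs, ...
    corporate: dict = field(default_factory=dict)  # mail, contacts, ...
    failed_attempts: int = 0
    wiped: bool = False        # True once the whole device has been erased
    unlocked: bool = False

    def wipe(self, scope: str) -> None:
        """Apply the policy's wipe. Corporate data always goes; personal data
        only survives under a selective (corporate-only) wipe."""
        self.corporate.clear()
        if scope == "device":
            self.personal.clear()
            self.wiped = True  # "bricked" until restored from backup
        self.failed_attempts = 0


def attempt_unlock(device: Device, policy: Policy, guess: str) -> str:
    """Feed one passcode guess to the device; returns the resulting state."""
    if device.wiped:
        return "wiped"
    if guess == device.passcode:
        device.failed_attempts = 0   # a correct code resets the counter
        device.unlocked = True
        return "unlocked"
    device.failed_attempts += 1
    if device.failed_attempts >= policy.max_failed_attempts:
        device.wipe(policy.wipe_scope)
        return "wiped"
    return "locked"


def replay_guesses(policy: Policy, guesses: list) -> dict:
    """Build a fresh sample device and replay a list of guesses against it."""
    device = Device(passcode="2580",                       # constructed sample
                    personal={"photos": 412, "songs": 1300},
                    corporate={"mail": 88, "contacts": 57})
    outcomes = [attempt_unlock(device, policy, g) for g in guesses]
    return {"outcomes": outcomes,
            "personal": dict(device.personal),
            "corporate": dict(device.corporate),
            "device_wiped": device.wiped}


def compare_scopes(guesses: list) -> dict:
    """Run the same guess sequence under both wipe scopes side by side."""
    return {scope: replay_guesses(Policy(max_failed_attempts=5, wipe_scope=scope), guesses)
            for scope in ("device", "corporate")}


if __name__ == "__main__":
    # Constructed scenario: five wrong codes typed before the owner wakes up.
    for scope, state in compare_scopes(["0000", "1234", "1111", "2222", "3333"]).items():
        print(f"{scope:9s} final={state['outcomes'][-1]:8s} "
              f"personal={state['personal']} corporate={state['corporate']}")
```

Under the whole-device scope the fifth wrong guess leaves both dictionaries empty and the device flagged as wiped; under the corporate-only scope the same five guesses clear the work data but leave the photos and songs in place. The questions in the next paragraph are essentially asking which of these two scopes your company’s policy implements.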
What you should ask if you are not too afraid of the answer: Is the data on my device susceptible to automatic or remote deletion? What events trigger the automatic deletion? Is remote deletion part of the standard employee termination process? Is my approval sought or required for the remote deletion? Is my personal data retained in case of an automatic or remote wipe? Does the company provide a means to recover the deleted personal data? Am I entitled to any reimbursement for the loss of personal content such as songs, videos or applications?
From a legal standpoint, the fact that you own the device is irrelevant in case of litigation. To discover and preserve evidence, the court may require forensic review of all devices connected with the litigation. Employees participating in the BYOD program may be asked to produce their personal devices for third-party examination.
You will have to make any personal information stored on your devices accessible. This includes the history of the websites visited, songs and movies downloaded and played, copies of financial transactions or statements, the list of your personal contacts and your electronic communications with them, including personal emails, personal phone calls, text messages and various social media activities on Facebook, Twitter and VoIP services such as Skype and similar. This extends to the personal information of any other family member or third party who may share the use of that device.
Personal data stored in the device is not the only privacy concern. Your location and your online activity may be exposed to your employer too. A main feature of Mobile Device Management software is the ability to track in real time the location of the device. The feature is intended to help determine whether a device is lost rather than stolen before initiating a remote lock or remote wipe. It can also be used to selectively disable camera and microphone when the device enters restricted company areas to prevent sensitive data loss.
Modern devices can get quite accurate at pinpointing location, even inside buildings, where GPS is typically complemented with Wi-Fi access point detection. Although not intended for this use, your IT department may be able to track your whereabouts anywhere and anytime, deliberately or accidentally, and you may not even be aware of it. In addition, when your personal device connects on-campus to the corporate Wi-Fi network, there is a good chance that your online activity is monitored and filtered to comply with various regulations and to protect the company from any liability arising from improper use of corporate resources.
What you should ask if you are not too afraid of the answer: May I be required to produce my personal devices for forensic analysis? Does this apply to devices shared with other family members? Who will then get access to the personal information stored in my device? Is my company able to track my location? Under what circumstances can this happen? Is my approval sought and required to track my location? Do I get notified? Are these systems active outside regular work hours? Is my personal online activity on-campus monitored and logged? Is this information retained when I leave the company?
Device seizure and loss of use
Mobile devices are small and you take them with you everywhere. No surprise they are the most likely to get lost or stolen. But when you use your gadgets for work-related activities, you have a couple more things to worry about. Your device may become unusable as a result of a company-initiated remote lock or wipe. Or you may be asked to surrender your inseparable smartphone for legal examination in conjunction with litigation. In either case you could lose the use of your device for some time and likely find yourself in need of a temporary or permanent replacement.
What you should ask if you are not too afraid of the answer: Under what circumstances may I be asked to surrender my personal device? Is the company going to provide a replacement? Who is responsible for backing up and restoring personal data and applications if the device is seized? Under what circumstances can the company initiate a remote lock of the device? Is my approval sought and required? What is the process to regain use of my device?
Former Vice President of Mobile Security at Trend Micro, Cesare Garlati currently serves as Co-Chair of the CSA Mobile Working Group – Cloud Security Alliance. Prior to Trend Micro, he held director positions within leading mobility companies such as iPass, Smith Micro Software, and WaveMarket.