Embracing Bring Your Own Device (BYOD) – Do Risks Outweigh Benefits?
Employees at many levels are increasingly demanding more choice and control over the mobile device they use, along with increased access to mobile-friendly enterprise applications. In addition, they are fixated on a ‘one user, one device’ mantra and expect their smartphone to provide access to the Internet and to host both their personal and business applications and data. There is an inherent conflict, however, between a user’s desire for a single, powerful device for both business and unrestricted personal use, and corporate IT’s desire to manage and control these devices in a traditional, security-conscious fashion.
From an enterprise’s perspective though, changing the device ownership model, if done right, can significantly reduce IT support woes, reduce costs associated with hardware, service fees and device provisioning and potentially help boost employee satisfaction and morale. That said, a healthy dose of caution is in order here, since a BYOD program introduces critical risks and questions that need to be addressed. To name a few:
- Data Confidentiality – How do you effectively segregate personal and corporate data, and apply the necessary controls to protect confidential corporate information? How do you effectively wipe confidential corporate data from a personal device when lost or stolen?
- Employee Privacy – How do you enforce appropriate use policies on a personal device? What are the legal ramifications of wiping personal data? How do you deal with varying privacy laws when you have a global footprint? (What works in the U.S. may not work elsewhere!)
- Device Management and Support – How do you effectively track and manage “allowed” personal devices and differentiate them from rogue devices? How do you control what is installed on these devices, and how do you update and patch them? What level of support does IT offer across the exploding number of new devices, across multiple OS platforms and carrier-specific implementations of each?
- Mobile Application Management – How do you securely distribute corporate mobile applications to personal devices? How do you determine which platforms/devices to support from an application development standpoint? Do you even have the right skills to support secure mobile application development?
Enterprise mobility is redefining long-standing rules for end-user support, endpoint management, acceptable use, risk management and data protection. While a BYOD model does offer potential cost savings and benefits related to employee satisfaction, it is creating significant new security and data privacy challenges for enterprise IT departments. With the proliferation of mobile devices, increasing expectations of employees and the velocity with which uninvited devices are entering internal corporate networks, these challenges need to be addressed sooner rather than later.
Security & Privacy
Deloitte & Touche LLP