BYOD — Bring Your Own Device — is an acronym we'll probably hear a lot of in the coming months, as more people use their personal smartphones, tablets and laptop computers in the office. Sometimes it is the employee's choice to use his or her own device. Oftentimes, however, it is the employer who encourages the use of personal devices as a way to save corporate money. For every employee who uses his or her own smartphone or laptop, that's one less item that the business needs to purchase and maintain.
Personal devices used for business purposes have been a security concern for companies ever since the line between business and personal began to blur. The question has long been over how much control the company IT department can have over something it doesn't own.
However, the reverse can also be true. Using a personal device for work can create security risks for the employee as well.
Blurring the line
"The use of your own device allows your company to have access to information about how you spend your time while you are not at work," said Dave Montano of Quest, a technology consulting firm based in Sacramento, Calif.
"Using your own computing devices at work blurs the separation between the employee's personal and professional life," Montano said. "In addition, if a corporation decides to wipe the data on a BYOD, it may destroy personal information that was not backed up. The employee risks the loss of personal pictures, music, notes and so on."
There could be legal consequences as well, as Philip Lieberman, president of the Los Angeles security-solutions firm Lieberman Software, pointed out.
"Should an employee's device contain sensitive or proprietary information that is transferred to their new employer," Lieberman said, "the employee could be subject to serious legal consequences."
There is also the question of whether or not an employer has the right to investigate information on an employee's personal device. Stephen Midgley, vice president of global marketing at endpoint security firm Absolute Software in Austin, Texas, believes this issue will often be debated in 2012.
"A key mandate for IT is they are accountable for securing corporate data," Midgley said. "The challenge, though, is often they are not directly responsible for many of the devices that contain corporate data.
"On the employee side, they are used to having freedom of choice when it comes to using their own devices. However, that all changes when employees use their own devices to connect to their employer's network," he explained.
"Once an employee makes the decision to use their own device, they have to forego the expectation of the same level of privacy they had prior to that connection point," Midgley said. "In other words, corporate security trumps individual privacy. It can be a slippery slope."
Giving up control
Patrick Bedwell, vice president of product marketing at corporate IT security firm Fortinet of Sunnyvale, Calif., is seeing another trend. In return for enjoying the freedom of a BYOD policy, employees often have to let their employers' IT teams install a remote-access application on the device.
"These apps are intended more to ensure baseline configurations are in place before allowing access, e.g., corporate password policies enabled and the ability to wipe the device if lost or stolen," Bedwell said. "The employee gets the benefit of choosing the device he wants, and the company gets the benefit of not having to issue devices and is able to enforce access policies on devices it doesn't own."
There are also apps that give employees some separation between work and pleasure.
"Apps like AT&T Toggle separate and safeguard business data on employee-owned mobile devices, creating a distinct work mode apart from the typical personal mode on a single smartphone or tablet," said Ed Amoroso, chief security officer at AT&T in New York. "It helps provide a technical basis for separating the day-to-day usage of personal versus corporate tasks on a device used in both environments."
Amoroso added that in order to establish and enforce a proper security policy, it's smart to create and maintain a partnership with a mobile service provider.
"Many of the types of attacks that are emerging in the mobile ecosystem can only be stopped via real-time policing and filtering by the service provider under an explicit security service level agreement," he said. "Just loading a security app onto the device is simply not going to be sufficient."
Before you agree to use (or insist on using) your personal device for business purposes, Erin Kelley of the Chicago-based IT service provider Simply Smart Technology suggested that you ask yourself — and your boss — the following questions:
— Who buys the software? Users need software to do their jobs, but some business software is very expensive.
— If a user brings in his or her own laptop, smartphone or tablet, who manages the hardware, software, anti-virus and backups for that computer?
— How will BYOD users access company resources such as file-sharing systems and printers? In most cases, the user's machine will need to be joined to the corporate network to receive access to such resources — but then it will also have the ability to copy proprietary information and spread malware.
— Once a user's laptop is a part of the corporate network, the IT admins may have full access to the laptop's content. Will the user consent to having his personal machine and documents exposed?
— If an employee decides to leave the company, how can his or her current employer be assured that company information will be returned if it lives on a device that the company can't physically take back?
— Security controls are generally implemented to provide for the security and consistent availability of all the computer resources for all employees. How will the user's own device be granted the access it needs to company resources while protecting other users?
— Will the user's laptop be backed up with the other corporate computers? If not, can the user be relied on to manage his or her own backups?
— Who fixes things when they break? Will the IT support department have to fix a computer or device that it didn't spec out, manage or safeguard? Or will the user have to find an outside tech-support company?