In a previous post1 I raised three pitfalls that your BYOD program cannot afford to ignore when allowing employees to use their personal devices for work:
- Remote deletion of personal data on an employee-owned device
- Tracking an individual’s location
- Monitoring an employee’s Internet access
Based on my involvement with various BYOD projects and my ongoing conversations with many industry experts, here is my recommendation for three best practices that will allow you to strike the delicate balance between employee privacy and corporate liability :
Have a Comprehensive, Clear Policy that explicitly covers these issues of data deletion, location tracking and Internet monitoring.
HR, Legal, and Communications should provide their expertise to create the actual document. This is not solely the IT department’s responsibility. It requires far more than a little box to check off, as you would when accepting a software user agreement. The details must be read, understood and signed off on. Employees must be trained.
To that point, the policy document must be in clear layperson language, and spell out all the bad things2 that could happen to your device in a worst-case situation. For example: If my smartphone/tablet is stolen, the company will remotely wipe any sensitive corporate data from it. I understand and accept that there is potential risk to my personal data.
The policy should cover possible confiscation of a personal device—if the company’s electronic communications and actual devices should be impounded during an E-Discovery legal case. Here, the company should state its position about replacing an employee’s personal device.
The company must be up-front in acknowledging that in exchange for using the corporate network, IT will have the ability to locate your device at any time.
Finally, with respect to monitoring Internet activity, the policy should be exceedingly clear: Any data I access through the Internet when I am attached to the corporate network may be monitored and logged. The company has a responsibility not to divulge my personal information, unless there is criminal activity that the company would be obligated to report to authorities.
Do Not Assume That One Policy Size Fits All Users
Design your policy with the ability to tailor it for different groups of users and limit device control and user tracking to the minimum required by your company’s regulations.
There is no need to require an employee to accept the possibility of personal data wiping if s/he only uses the corporate network to browse the Internet. On the other hand, an engineer needing access to the company’s Intellectual Property needs to accept a different level of privacy exposure.
Work with functional managers to help determine the degree of access you grant.
If you are dealing with a senior executive, your role may be to personally detail the potential exposures of sensitive corporate data.
Deploy the Right IT Infrastructure for Your Situation
The right IT infrastructure for Consumerization may include deploying different solutions to mitigate the pitfalls of employee privacy while securing corporate data.
Use as much virtualization as possible. VDI or other similar means to provide remote access to corporate applications from laptops and desktops is an approach I recommend where employee privacy is of concern. No corporate data resides on the employee device, so there is nothing to wipe out. Likewise, there is no need to track location, because everything is happening inside your data center. There’s also nothing to monitor in the device itself, because the virtual desktop activity is local to your corporate network.
Mobile Device Management is needed to secure smartphones and tablets where the virtual environment does not work well because of the small screens, or because the target mobile operating system doesn’t provide true VDI support yet – such as Apple iOS and Android.
Consider pseudo virtualized solution3 for Android devices. These essentially split the ‘personality’ of the smartphone, which allows the user to have separate user identities by partitioning the personal and corporate sides.
In conclusion: Consumerization and BYOD are real4 and here to stay. Rather than resist it, organizations should embrace BYOD programs to unlock the business potential of Consumerization. This requires a strategic approach5, new flexible policies and appropriate security and management tools.
COMING NEXT: Educating Employees about Individual Privacy
Reference1 Consumerization 101 – Employee Privacy Vs. Corporate Liability. http://consumerization.trendmicro.com/consumerization-101-employee-privacy-vs-corporate-liability/
Reference2 The Dark Side of BYOD – Privacy, Personal Data Loss and Device Seizure. http://consumerization.trendmicro.com/consumerization-byod-privacy-personal-data-loss-and-device-seizure/
Reference3 MDM not the only avenue to BYOD security. But technology is simply not there yet. http://consumerization.trendmicro.com/mdm-not-the-only-avenue-to-byod-security-but-technology-is-simply-not-there-yet/
Reference4 Trend Micro Consumerization Report 2011. http://bringyourownit.com/category/the-consumerization-report/
Reference5 Consumerization Talks with Ken Dulaney, VP Gartner Research. http://bringyourownit.com/2011/06/28/consumerization-talks-with-ken-dulaney-vp-gartner-research/