I am rather naïve in respect to technology. Most often, I find it easier to leave the issues to the IT experts in my professional setting and the young people in respect to my personal life. However, I was recently intrigued by the Macomb-OU INCubator Lunch and Launch entitled “BYOD (Bring Your Own Device): How Personal Devices Put Your Organization at Risk.” I did some juggling, attended the session and found it well worth the time. Kathy Ossian of Ossian Law and Bob Brietman of IT That Works presented the information which, even for me, was easy to understand and quite interesting. I felt a good deal of the education was worthy of passing along, particularly for those like me who may be somewhat uninformed in respect to technology!
BYOD is the practice of allowing employees and contractors to use personal devices, including smartphones, tablets, laptops and home computers, to conduct an organization’s business. The lack of control over business information accessed and stored on personal devices can lead to legal issues involving privacy, security and data retrieval. Whose responsibility is it to protect and secure a BYOD tablet? What happens to company data if a personal smartphone is lost or stolen? What privacy rights does an employee have in personal data stored on a BYOD laptop? Could an organization be sanctioned if a contractor deletes data from a personal laptop that falls within the scope of a request for documents arising from litigation? What happens when an employee using a BYOD device leaves the organization? Having both effective policies and technical solutions is key to managing the risks of BYOD.
The facts and figures are staggering: one laptop is stolen every 53 seconds, 113 cell phones are lost or stolen every minute and 80 percent of the cost of a lost device results from a data breach. Whether you are one of hundreds of millions of individuals who utilize a personal device in a professional setting or if you’re using your employer sponsored/provided device in a personal setting, there are risks you should be aware of, policies that should be in place and understood, and protections that should be considered. For instance, are you aware that many of the popular and free device applications may actually be fairly detrimental? For example, the ever popular Dropbox has a significant history of security breaches.
What can you do to protect yourself and/or your business? Obviously, the risk cannot be eliminated; however, Kathy and Bob suggest taking reasonable action which will provide you with manageable control, protect your data, and limit your legal liability. Consider installation of mobile device management software, provide training to maximize the benefits of the software, and implement policies to be followed should a breach occur. Consider restricting utilization of cloud base applications and learn about containerization, a solution that creates an encrypted data store, or container, on a device. Access to data in the container requires secure authentication independent of any other device settings or restrictions.
I was somewhat relieved to learn that I am not alone in terms of failing to keep pace with ever changing applications of technology; the courts are, too! For now, Kathy and Bob suggest taking a prudent approach to managing your devices and you should be in good shape!