Tech Watch: Balancing BYOD and physical security

How to ensure your company stays safe in the ever-changing world of mobile communications

The Inherent Risk of Mobile Computing: Where’s my Phone?

Most can relate to the panic felt when you think you lost your mobile phone.  You call the number and start walking around the house hoping to hear that familiar ringtone. This is such a common dilemma that there are applications that enable owners to locate, lock or erase the phone remotely from another computer if it’s lost. 

BYOD companies have even more to lose should a device that has confidential information be compromised as a result of an employee losing their phone or worse, have it stolen in a targeted attempt to gain access to company information.   Most mobile applications rely on the password lock feature of mobile devices.  The end result is that the strength of password is all that lies between unauthorized users from gaining access to all the applications on a device. 

Passwords come in many different flavors, from 4 digit PIN codes to 10-12 digit code or higher; alphanumeric combinations that require upper and lowercase combinations with special characters, generally referred to as "strong passwords."  When you think of the information that can be accessed, let alone the ability to physically compromise a facility with a smartphone, you would hope that employees use strong passwords to protect their BYODs. 

In reality, this is often not the case despite typical company policies on the matter.  Imagine having to type in "T1ab3%o0wp" in order to tell your spouse that you are picking up sushi on the way home from work.  Thus, in many case, employees use a simple 4-digit password or disable password protection all together.  A recent survey from McAfee claims that a third of smartphone users don’t password protect their devices at all.  Not only are sensitive company emails and documents now accessible, but if the employee’s company uses NFC for access control, the thief now has a key to the building.

BYOD Best Practices

Before giving your employees free reign to use whatever device they feel completes them, make sure to confer with IT management. They hopefully have developed a BYOD policy with proper security procedures.  At a very basic level, the employee should sign a disclosure statement that informs them of the BYOD policy - which at a minimum should include the use of strong passwords.  The BYOD policy should also make it clear that company information is the property of the organization and should be returned or deleted if the employee leaves the company. 

Taking it a step further, there are technology solutions that ensure company information is kept secure in the event of a lost phone or if a disgruntled employee leaves for a competitor.  Mobile Device Management (MDM) software solutions offer varying levels of control that help secure content and force compliance for users.  Some of the functionality includes over the air distribution and configuration of applications, compliance management of passwords and, in extreme cases, remote lock and erase of data or applications. 

That being said, companies need to tread carefully when considering deleting information on employee-owned devices.  There are several lawsuits surrounding this practice where an employee’s personal photos, contacts and information were locked or deleted due to non-compliance of corporate policy.  When possible, your BYOD policy should give the employee notice by stating clearly which applications and information would be deleted should the need arise.  Many MDM platforms offer this ability to selectively delete only those applications and information that are company property.

BYOD: The Right Applications for the Right People

Despite its potential security challenges, BYOD brings freedom of choice to a generation of skilled workers who expect business applications to coincide with the likes of Pinterest and Instagram.  With the right tools, this trend will not only improve efficiency, but it directly impacts the bottom line – not to mention providing first responders, law enforcement and security personnel with critical situational awareness in an emergency situation.