The economic, social and technological landscape is vastly different from what it was only a decade ago, and with the emergence of mobile technology, the threat landscape has changed dramatically. Executives must now safeguard information at a time when increasing volumes of the organization’s sensitive data sit outside traditional information security perimeters, due to factors such as Bring Your Own Device (BYOD).
BYOD initiatives present considerable challenges, and today’s executive must embrace these technologies or risk being sidelined by those more agile. When the trend first began a few years back, there was much more of a focus on how to control and manage it, and we started to look at things such as what devices we should be allowing. This eventually led to questions of who would be allowed to use personal devices, which in turn pushed the focus toward controlling access on an individual employee basis and mobile device-management strategies.
Who Owns the Devices in the Workplace?
Mobile-device risk in the workplace rests on one fundamental factor: ownership of the device. Employees who bring their own devices expose the organization to different behaviors and thwart long-established organizational controls for managing the associated risk. The fact that the employee, not the organization, owns the device has consequences that many organizations have yet to understand or devote proper resources to.
Some employee tablet or smartphone activities would be entirely unacceptable if the devices were owned by the organization. For example, the device may be taken to an unsuitable location where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications on it. If the device contains sensitive organizational data or can connect to a corporate network to access such data, these behaviors greatly increase the risk of compromising an organization’s information.
Furthermore, BYOD has become the prey of hackers poised to take advantage of people who are in the habit of using their devices for personal purposes and forget that they’re on a corporate network. A well-organized attack, whether originating from nation states, criminals, hacktivists or rogue insiders, can exploit BYOD devices by using them as a bridgehead and means of entry to an organization.
Consider and Make Use of BYOD Policy Options
Policy options enable the BYOD policy to be crafted to reflect the interplay of factors such as the information type, device ownership and the likelihood of access to more sensitive information. For example:
- Senior management or board members’ email may be permitted on one or more specific devices, but not on others
- Some information and functionality, such as commercial systems or a human resources system, may not be made available through a BYOD device for specific groups/roles
- The source of apps (either off-the-shelf or built by the organization) may be restricted to those available from an in-house app store only
For policy controls to work, organizations must be able to trust their people to do the right thing. This is only realistic if the organization provides policies, training and monitoring that make it clear what behaviors are expected of them. Behaviors can be difficult to change, and security awareness is often elusive.
Don’t Forget Digital
In today’s “digital age,” there also needs to be a discussion surrounding the importance of digital in the workplace, especially as it pertains to the boardroom. Without a doubt, every organization needs the insights of a digital director today to keep the company vibrant. When the Internet first arrived on the scene, business leaders took notice and sought to add such expertise. Today, we are witnessing a second wave of interest in what is now known as the “digital director.” The digital director is viewed as a boardroom guru who can provide knowledge on everything in the digital realm.