Category: IAM and TfA

BYOD can have some downsides

Employers know that employees prefer BYOD policies and that they can increase productivity. However, BYOD can have some downsides. Probably the most prominent concern among those who have to address the BYOD issue is the increased risk to data security. Obviously, the more devices you have with the ability to connect to your data, the more opportunities you create for a breach. Simply put, a house with 20 doors and 50 windows with multiple lock styles is a bit more vulnerable than a house with one door and one window.

BYOD increases risk to the organization. Data breaches bring a few layers of concern. First, the loss of proprietary data can affect your competitive status in the market. However, the real high-visibility concern is the theft of your customer’s personal data. Theft of personal data brings three serious consequences.

First, data breach laws require informing all victims of the data breach and in some cases, the media must also be informed. This public visibility can have long-lasting implications for brand value.

Second, you face a short- and long-term revenue hit. Customers angry and frustrated, as well as others who learn about the breach through social media, word-of-mouth, and traditional media sources, may move their business to the competition.

Third, data breaches can bring civil penalties. In the case of the General Data Protection Regulation (GDPR) in the European Union, these penalties can be extremely severe. ( And keep in mind, the GDPR doesn’t just apply to entities physical operating within the EU. It applies to the data of any user who is a citizen of the EU.)

In summary, given the severity of the consequences and the increased vulnerability created by BYOD, it is important to create a BYOD policy with strict parameters. It cannot be a “wild west” of anything goes.

Click here to learn more about our IT solutions.

Adopting a BYOD policy

Employee convenience is touted as one of the primary drivers for adopting a BYOD policy. However, just because it can make life easier doesn’t mean employees don’t have serious concerns about the implementation of BYOD in the workplace. From the employee perspective, there are downsides.

One particular issue that arises with BYOD are employee’s concerns about the privacy of personal data and applications. Because these are their own devices, they have an enormous amount of personal data, including health information, photos, texts, emails and other information stored on the device. Also, apps they may have installed could potentially reveal information about their religion, politics, sexual orientation or other characteristics that they may consider private and off-limits. Concern that their employer could see their personal data is a legitimate worry; there are Human Resource implications here. Knowledge of certain data about an employee could make an employer vulnerable to discrimination laws. What about GPS tracking? Can the employer track employee whereabouts? The employer has a compelling interest to track the device in case it is lost or stolen, but the employee has similar competing concerns about privacy.

There are no absolutely correct answers here, but a perception of overstepped boundaries could lead to an atmosphere of distrust that can be counter-productive. It is also important that these decisions be made with knowledge of all applicable local, state and federal regulations. In short, just be aware BYOD is a complex matter that can’t be handled within the silo of IT.

Click here to learn more about our cybersecurity and compliance solutions.

The reality of cybercrime requires permanent organizational change

Because cybercrime isn’t going anywhere soon, every business needs to consider changes within its organization to institutionalize its emphasis on data security. This is not a problem that can be handled within a few particular operational or administrative silos.

Here are just a few things to consider:

  1. BYOD policies: A Bring-Your-Own-Device policy, which refers to allowing employees to use their own laptops, tablets and other mobile devices instead of company-issued ones, has become common practice in many organizations. However, permitting BYOD opens up new security issues because your IT department has potentially less control over how company data is accessed. With BYOD, many additional doors are being used to access corporate databases, etc., so it can be harder to keep your data secure. Because of the ubiquity of cybercrime, IT departments need to approach BYOD with a heightened awareness of new security vulnerabilities.
  2. Employee Training – Generally a topic for Human Resources, IT needs to now be involved in designing ongoing employee training to teach employees how to be vigilant about data security, password hygiene, and similar topics. Employee errors, such as opening phishing emails, are one of the largest causes of data breach events in the business world.
  3. Operations and IoT technology – Another area where there should be a re-focusing of attention involves the Internet of Things (IoT). The IoT has, at least in part, been introduced operationally, with Line of Business managers (LOB) discovering new specific applications for IoT devices, adopting them, and then being responsible for their maintenance and security. Such devices are introduced as-needed to address discrete needs throughout the organization. As a result, IoT devices have tended to function in operational silos. The unintended consequence is that the IT department, traditionally responsible for security issues, is left out of the loop. This means that data security is un-coordinated across all of the IT facets of the organization and security vulnerabilities are being overlooked. C-level tech leaders need to recognize this and adapt accordingly.
  4. The corporate mission – In order to give appropriate recognition to the threat that cybercrime represents to the health of a business, companies should consider including security as a core part of their mission. Both B2B and B2C customers take security very seriously, so companies should realize their mission is not to “provide X product or service,” but “securely provide X product or service.” To paraphrase a car maker’s phrase from many years ago. “Security is Job One.”

Click here to learn more about our cybersecurity solutions.