Forrester: Act Now to Stamp out BYOD Risks

    Jan 21, 2014

    “If you can’t beat them, join them.” That adage fairly summarizes the results of a recent Forrester study of the legal implications related to a bring your own device (BYOD) policy, “Navigating the Legal and Compliance Applications of BYOD.” According to a January 13 Forrester blog by David Johnson, a co-author of the study, technology attorneys participating in the study agreed that “once you learn that BYOD is happening in your organization, you have a legal obligation to do something about it, whether you have established industry guidance to draw on or not.” In other words, you must take action to minimize the risk.

    If only it were as easy as it sounds. As pointed out by Johnson:

    • The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be.
    • There is no data leak prevention tool for the human brain, so arguably the most valuable and sensitive information walks around on two legs and leaves the building every night. Accepting this is important for keeping a healthy perspective about information risk on employee-owned devices.

    Despite the challenges, organizations need to address the issue. Intellectual property misuse and accidental data loss are the top BYOD risks cited by Forrester. Patent, trademark, and copyright infringement may be very common, writes Johnson, but they also are next to impossible to police with technical controls.

    For example, Johnson writes, if attorneys can prove that employees are using for the organization’s business purposes software they know is not properly licensed, it can be considered “willful and illegal misuse of someone else’s property” and the organization can be held liable for past licensing fees and damages.

    According to Charles F. Luce, Jr., partner at Moye White in Denver, it doesn’t matter whether the employee or the organization owns the device on which the software is installed. Johnson also cites Charles Gray, practice manager for Accuvant's risk and compliance business, who says that any device used in a regulated business needs to adhere to the same regulations and industry standards as company-owned equipment.

    Unfortunately, there is little specific guidance for BYOD policies and technical controls. Johnson says auditors tend to look to the U.S. National Institute of Standards and Technology’s (NIST) technical control specifications for guidance, but “it's often subjective because devices and platforms evolve so quickly that it renders the guidance obsolete almost immediately.”

    Effective BYOD governance starts with a clear policy and education. Johnson says a signed BYOD agreement with each employee, along with adequate education on the risks and employees' responsibilities, is the absolute minimum set of controls that should be in place. He also recommends electronically enforcing policies for employees who are unable or unwilling to do their part.

    “A viable BYOD strategy addresses culture, responsibilities, education, policy, and technical controls. It recognizes the value that BYOD brings to employee engagement and performance and features a clear agreement between the organization and each BYOD employee that outlines what each is responsible for. Technology's role is to help foster safe behaviors, control information access, and verify ongoing compliance, all without getting in the way of creativity, productivity, collaboration, or other daily activities,” Johnson writes.

    Forrester suggests creating a technology approach that promotes engagement while enforcing the policy. This means keeping employee-owned devices off of the corporate trust network while allowing access to information through secure proxies and interfaces. In regulated environments, it also means sensitive data is never stored on employee-owned devices, but in less stringent environments it can mean simply controlling access to systems of record such as customer databases to prevent anyone from walking away with a data dump.

    The ARMA International technical report Mobile Communications and Records and Information Management (ARMA TR 20-2012) also offers advice on BYOD policy design, security, and training.

    © 2016, ARMA International