Do You Want to Bring Your Own Device?

I use mobile devices every day. I have a smart phone. My household also has four laptops, an iPad and a Kindle Fire. Most professionals I know have at least a smart phone, and many have additional devices. Mobile devices are everywhere.

But, how do you get mobile devices into the work place? Yes, there are companies which provide devices for employee use. I know of a couple. But based on my own personal experience, I would have to say that Bring Your Own Device (BYOD) is more widely embraced. I believe that BYOD has, for the most part, won the “mobile” battle in the professional world.

BYOD requires an internal support and policy infrastructure of its own. Starting with a policy…

Wait a minute.

This isn’t about the corporation. This is about you. I mean, it is your device, right? So, what do YOU do about BYOD?

The fact that it is your device makes it easy; you get to use it. Right? Kind of. But, HOW you use your device probably makes the fact that it is “your device” pretty much irrelevant. At least, that would be true if the business is doing the things that they need to do to make BYOD successful.

Restricted Use?

You are using your device. You should be able to do anything you want with it, right? You can make calls, check email, install whatever apps you want, stream videos, browse the internet, use social media – you know, all of those things for which a smartphone was really designed. You even have the right to gamble or browse porn if you really want to. One of the catches is that there is a decent chance that you have agreed to restrictions on the use of a device you use for work. If it is BYOD you probably have pretty good freedom, but I have seen more than one policy where the user was being asked to agree to restrictions on the websites they would visit and the applications they would download to a device that was also used for work. In the last one I saw, the user was being restricted from installing ANY application on his phone without work authorization, and his fantasy football site was banned. Yes, on his device.

My sample set is limited, but from my personal experience, I would estimate that a significant number of organizations are adding usage restrictions to your own personal device. Are you ready to agree to stipulations on the way you use that device you own because some fraction of the use is for work purposes?

Damage Liability?

If it is your device and you leave it on the bar, or drop it off a roller coaster, or have it in your pocket when you jump in the pool to rescue your dog as he sinks below the surface because he tried to walk out on the pool cover (not that I know anyone that any of those happened to), you better be hoping you have insurance or you are probably buying a new device. That process is only slightly painful.

But, if you have your own device on a work trip, and you leave it in the taxi on the way to the hotel, is your company liable for replacement of the device? I once worked with a guy who squeezed through a steel vault door as the door swung shut. As he squeezed through, the handle on the inside of the door struck firmly against his pants pocket, cracking the screen on his cell phone. It was his phone, but if he had not been on the job it would not have gotten broken. He was, by the way, unsuccessful in his efforts to get the company to pay for his phone. But that does not necessarily mean that the company was not liable, since he was using his own device for the benefit of his employer, and would not have been there if it was not for work.

But, that does not necessarily make the process any easier. What are his options now that work has said they were not paying? He can try to make a big deal about it and escalate internally, sue his employer, or suck it up and buy a new phone. Now, if he wants to remain an employee in good standing with his current employer, how many of those options does he really have?

This is one of those things that should be spelled out in writing in your agreement to use your own device.

Data Protection?

This is the big issue that does not get nearly the attention that it needs. If it is just your data on your device, it is only your problem if your device is lost or stolen. It kind of sucks, but if you just have your friends and family in your contact list, it is probably just an inconvenience.

If you have work contacts on your device, do you worry about the loss of that information? Maybe. That probably depends on what kind of backup you do for your device, and how easy it would be to restore that information. Both Apple phones and Android phones have multiple ways to back up your contact lists and other information. If you are backing up your contacts, you can get a new phone and potentially restore your contacts. The process costs you a little time.

Complicate this if you are in a competitive business and you store your business contacts in your phone. I have dealt with many clients who specifically requested that their connection to my company remain anonymous – no one is supposed to know that we worked with them. I have worked on classified contracts where the name of the actual buyer was classified. Now, what if I had contacts for those relationships in my phone? I have potentially divulged information that the company has contractually agreed that they would keep confidential, potentially opening my company to litigation and other sanctions. And that is just from the contact list.

Even more, what if you access work email, and store email and attachments on your device? How much corporate internal information could you have on your device before you start worrying about the exposure of that information in the event it is lost or stolen?

What if the data you are consuming on your device is protected under regulatory control? Perhaps Dr. Brown has current patients in his contact list. Or perhaps he has access to hospital email that is usually pretty good, but sometimes some protected health information (PHI) slips in. And in some cases he gets specific diagnostic information sent to his device, like MRI results, an x-ray, or blood work results. It takes no time for his ordinary work to get PHI on his device. The organization is responsible for the information because they are effectively the custodian of the information that they have gathered for the patient. But, Dr. Brown is also responsible to follow those same rules and protect that information. It may be unclear what level of protection the organization asserts on Dr. Brown’s personal device. But that point is somewhat moot. If there is PHI on Dr. Brown’s personal device, then that device must be protected at a level that will meet HIPAA and HITECH requirements, potentially including breach notifications, depending on exactly what level and volume of PHI Dr. Brown retains.

The same kind of rules would apply to regulated data in a financial organization. If you get credit card data on your mobile device, then that device must be protected according to the rules of the PCI standard.

In either case, this is true even if the device owner is not involved in processing the information. I once worked with a guy from the IT group of a large hospital. When there was a system error or alert, his internal systems sent a text message to his phone with the relevant information. Unfortunately, that alert would sometimes include PHI if it appeared in the log entries being alerted on. For this particular organization, it was common for the IT guy to have PHI on his phone. I would have a hard time believing that this is an isolated case.

The point is that regardless of how it gets there, if regulatory protected information gets onto your device, you are obligated to protect it. Are you fully prepared to guarantee that everything you are doing on your personally managed device fully meets the obligations of you and your organization to protect sensitive information? Can you guarantee HIPAA, HITECH, PCI, FFIEC or other regulatory compliance on your own device? Do you really want to?

Maybe the benefits outweigh the risks, but these are all conversations you should have with your organization if you are contemplating BYOD.

Related Reading: BYOD - One Size Risks All

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.