As technology continues to infiltrate every aspect of society, Bring Your Own Device (BYOD) is a term that has become widely adopted, referring to employees who take their own technology devices with them to the workplace. In many companies, employees now have the opportunity to connect their personal devices, whether it is a smartphone, laptop or tablet, to a secure corporate network, allowing them to work from any location, at any time.
IT research firm Gartner recently confirmed BYOD to be more than a passing trend, predicting that by 2017, 38 percent of employers will stop providing their workers with company devices, arguing that BYOD provides key benefits to businesses, such as lower costs, higher employee satisfaction, and the ability to create new mobile workforce opportunities. Furthermore, companies are noticing increased activity from their employees during after-work hours and public holidays, due to the ease of checking work emails from any location, thus encouraging individuals to become permanently attached to their devices.
The concept of BYOD was thrown into debate recently when Google Inc reported that it has acquired Divide, the New York based technology start-up that lets users separate their work and personal data on smartphones and tablets. High street giant Apple is also catching on to the potential of BYOD, incorporating compatible features into future models through a split-screen function, as an advance on its current single-screen design.
However, the predicted growth of BYOD will make the distinction between work and home life increasingly difficult to manage. Companies therefore need to urgently address their protection strategies against the potential loss of intellectual property and other negative effects of BYOD.
Creating a solution
Divide’s software provides firms with the ability to manage the personal smartphones of their employees, creating a secure area on a phone to sync and store data for the workplace. It is a mobile app that is said to securely separate a consumer’s personal data and the corporate data contained on a phone or tablet, making it easier for businesses to manage disparate personal devices.
The Divide app appears to be a solution to bring the blurred lines of BYOD into focus, but this self-service approach can only be truly effective if companies ensure maximum security on devices. Divide allows its users to switch easily between personal and secured work applications and also lets employers wipe data remotely in the event that a device is lost. Despite this, corporations still risk losing their company-sensitive data and intellectual property in the event of an employee mislaying their personal phone.
The risk factor
If not managed and monitored efficiently, BYOD could potentially lead to loss of control, impact network availability, and cause data loss. If abused, it can also allow employees to violate regulations, rules, employer-employee trust, intellectual property and other critical business obligations. In order to avoid this, companies must implement appropriate network access strategies and security policies to protect themselves in case the worst does happen.
In regulated industries, such as banking and financial services, where data breaches can attract large fines, managing security on employee devices is of particular importance. One of the most memorable fines was in 2009 when HSBC was fined over £3m by the Financial Services Authority (FSA), the Financial Conduct Authority’s (FCA) predecessor, when customer data was lost in the post. At the time of the investigation, the FSA said it discovered that large bulks of unencrypted or otherwise unprotected customer data were sent via post or courier to third parties. Internal members of staff were also found to be insufficiently briefed on the resultant risks of identity theft. There was also other data left exposed to loss or theft on open shelves or in unlocked filing cabinets.
The communication question
The continuing integration of social communication into every aspect of society has presented a challenge for companies, as the environment is increasingly dynamic and connection possibilities are limitless. Access to social media on personal and company devices, for example Facebook and WhatsApp, is extremely difficult for companies to monitor as they are operated on smartphones as opposed to PCs. Firms must therefore act fast and ask themselves if they wish to allow these applications to be used on company devices at all.
Many companies are employing software which enables them to block social networking sites from the workplace, due to the posed security implications. However, for every preventive measure applied, there will always be a way around it, especially if BYOD policies are employed, as these applications will be virtually impossible to control. Companies must therefore instil regular training processes to ensure best practice and raise awareness of the issues.
If a breach of intellectual property is encountered and it reaches the stage of investigation, an experienced investigator will be looking to determine patterns in an individual’s behaviour. They will not only focus on trying to find the ‘smoking gun’, but also on detecting supportive intelligence that helps bring the overall picture into sight. This can include finding out which employee is connected to whom, recent movements that relate to other sources of evidence, and so on. Investigations of all available social sources can help build a picture around the scene of the crime.
Firstly, the investigator needs to understand where any relevant data is, and then how to capture it in a forensically sound manner. This is harder than it sounds, especially given the vast quantity of mobile devices, cloud computing platforms, social media accounts, etc. This can make it legally confusing, especially when considering personal devices used under BYOD policies. The company must then ask itself if it is company allowed to investigate these without consent, for example.
Evidence will come from a variety of sources. For instance, these could be corporate network log files to identify the use of web-based email, as well as other outbound activity, such as uploads to Google Drive and Dropbox. Internet history databases and cached pages of internet sites retained on a work computer can also be investigated alongside deleted data and backups of personal devices on corporate machines.
In addition, the investigators at hand should also seek to look at public social media profiles, such as LinkedIn and Facebook, as many profiles tend to be open for all to see. Traces of artefacts left behind on a computer system by certain applications, such as Skype, can provide indications of malpractice. Mobile devices can often contain more relevant evidence than computers.
Early avoidance tactics
The success of any investigation will depend on an investigator’s legitimate ability to access a personal device of the individual in question, including their social media profile. During an investigation, firms can therefore benefit by looking at all the data and analysis, allowing all results to feed into the others, in order to achieve a higher and more detailed level of analysis.
Firms should always take a preventative approach, as it always works best. Challenges facing corporate IT and security departments are well documented and largely emphasise the need for well thought-out policies and contracts that cover employee access to web applications. An individual’s right to privacy, versus employer rights to audit privately owned devices, must also be reconciled. BYOD procedures, for example, should provide a list of devices approved by the firm and determine which corporate applications can be accessed in the event of an investigation. Security policies should incorporate mandated anti-virus software, firewalls and encryption in the event that the device is lost or stolen. IT departments should therefore have the means and the authority to wipe corporate data from personal devices.
Modern technologies allow unlimited scope in terms of information collection, transfer and storage. In addition, the constant evolution and progression of devices and technical spheres means data can be accessed from any location, at any time, using numerous means. BYOD is undeniably on the rise. Firms must consider whether the benefits of the scheme are sufficient to outweigh the dangers, thus questioning whether they want to introduce BYOD into their organisation at all.
The best defence possible for companies is to banish it completely. However, with modern devices being an integral part of the lives of the younger workforce of today, this could be easier said than done. In order to continue to attract, yet contain a younger workforce, companies must employ a system which caters for, and meets these compromising demands. Ultimately, firms must get the right systems in place and take a fully preventative approach in their BYOD strategies. In doing so, companies will be able to eradicate potential problems before they rise to the surface.
Phil Beckett is a managing director at Proven Legal Technologies. He can be contacted on +44 (0)20 7015 5370 or by email: firstname.lastname@example.org.
© Financier Worldwide
Proven Legal Technologies