The BYOD revolution: Why your own employees might be scarier than hackers
Is your workplace part of the BYOD revolution? With or without your approval, it probably is. BYOD is the abbreviation for "Bring Your Own Device," a reference to the proliferation of employee-owned smart phones, notebooks and personal computing devices used in the workplace. Even companies that supply devices to workers often find that their employees are replacing or supplementing company-sponsored tools with the faster, sleeker personal devices they favor.
Many companies are embracing the change. A survey by Citrix last year found that bring-your-own-device is quickly becoming an accepted business practice, with 25% of both large and small employers worldwide supporting the use of personal devices for business purposes. Many are reporting jumps in productivity associated with the use of these devices. But dual-use devices are not without their problems and risks. According to the survey:
- More than 67 percent of survey participants reported that they don’t have any policies, procedures or IT systems in place to manage the use of personal devices for business purposes.
- Less than half of U.S. firms (46 percent) are aware of all the devices their staff are using for business purposes.
- 32 percent of firms are most concerned over the security implications of allowing application and document downloads on personal devices.
- 23 percent are concerned over personal devices trying to get remote access to the corporate network.
Security is an enormous issue, particularly for any firms that have customer data privacy and security issues related to HIPAA or financial data. The average data breach costs a company $7.2 million, or $214 per breached record.
We have met the enemy and he is us
Many companies deploy substantial security resources to guard against hackers but are inadvertently leaving the back door unlocked. In a recent survey of IT managers, 72% of respondents said that careless employees have been a greater security threat than hackers.
Top factors IT pros cited include:
- 62% - Lack of employee awareness about security policies
- 61% - Insecure web browsing
- 59% - Insecure Wi-Fi connectivity
- 58% - Lost or stolen mobile devices with corporate data
- 57% - Installation of corrupt apps
- 53% - Lack of security patches from service providers
Here's a good infographic - excerpt below - which breaks down some of the numbers and stats on securing today's mobile workforce.
Risk management: Best practices
This is not likely to be an issue that lessens in significance over time. Employers need to understand the risk and the exposure, and need to take steps to mitigate the risk. These steps will include a combination of well-crafted policies, safe computing training for employees, and technology solutions. Here's a toolkit of good articles to get you started.
HR Hero offers a series of posts from employment law attorney Taylor Chapman around the issue of dual-use devices. In her first post, BYOD - When Employees Bring Their Own Devices to Work, she discusses the trend of employees bringing their own devices to work, the real-world concerns associated with the practice, and different approaches employers can take to policies. In Managing the Risk of Employee Use of Personal Technology, she discusses the legality of accessing employees’ personal devices and how employers can mitigate the security risk that comes when employees use their own technology at work.
Roger Cheng of the Wall St Journal covered the topic about a year ago in his article How the smartest companies are letting employees use their personal gadgets to do their jobs. He offers approaches that several companies are using, including policies requiring the use of locks, an agreement that the device will be wiped if lost or stolen, the ability to wall off data, and virtualization.