6 Risks Your BYOD Policy Must Address - InformationWeek

6 Risks Your BYOD Policy Must Address

Strong company policies are a must for managing legal and other risks of personal devices used in the workplace. Are you addressing all the issues?

3. BYOD Devices Are Subject To Border Search And Seizure.

If you've got employees who travel internationally, their devices might be subject to search or seizure at border control -- something they need to be aware of in advance if they're going to use their own when they're on the road. This falls into the category of employee awareness. They need to know, via policy and education, that they're forfeiting certain rights to their personal devices by using them for work.

4. Who's Responsible For Repetitive Stress Injuries?

Employers can manage the costs and risks of an employee getting hurt on the job in a variety of ways: insurance, safety training, ergonomic office equipment and so forth. This would include desk-bound employees who develop repetitive stress injuries from typing, mousing or similar tasks. But what if they get "BlackBerry thumbs" from a device they own? Can they take action against their employer? If you think that sounds far-fetched, think again: Overly said they have already seen two cases where an employee at least explored a claim against their employer as a result of using a personally owned device. "This is another policy and training thing: By putting employees on notice that there are issues, particularly repetitive-stress issues, with regards to the use of technology," employers can limit their liability, Overly said.

5. The Demise Of The Great American Novel.

BYOD discussions tend to focus on the hardware that made it famous, namely smartphones and tablets. But bring-your-own can include laptops, netbooks, ultrabooks and other gear -- something bound to increase if Windows 8 hardware proliferates. Overly noted a situation involving a person who alleged that his employer deleted files from a personal laptop after he brought it to the office to have security software installed. Those files included the only copy of the novel he'd been writing for years; the claim stopped just short of court. Again, this scenario -- the responsibility for loss of data on an employee-owned device -- can be proactively managed via policy, provided the employee is made aware of the risks. (That particular employee might also need a tutorial on the many low-cost options for backing up files.)

5. What Happens When An Employee Shares A Device?

A strong BYOD policy would protect the company in the case of the employee's deleted novel-in-progress. It would not do the same if that novel was written by the employee's spouse. If you've ever shared or borrowed a computer, tablet or phone with family or friends, this one's for you. Overly called shared use of employee-owned devices one of the most pressing BYOD issues around, in part because it can't be easily mitigated with policy. An employee sharing a BYOD-use iPad with his spouse certainly opens up potential issues such as corporate data loss or security breaches. But it also creates a much thornier problem in terms of potential legal action against the employer. Overly described a case in which a spouse used a BYOD device to photograph an important, one-time life event. The company, in the course of routine device management, later deleted all of the photos -- the only copies -- via remote wipe. "How does the company protect itself against a claim by that spouse?" Overly said, noting that the employer doesn't have any policy or contract with that person governing use of the device. "It's very, very difficult to do," he said. The total separation of personal and business data on employee-owned devices is "the holy grail" for BYOD shops, Overly added.

6. What About When An Employee Gets Rid Of A Device?

Employees who sell or recycle a BYOD device after upgrading pose another risk, as do lost or stolen devices. A common policy and technology strategy is to enable remote wiping of the device's data and require it as a condition of program participation. Like most protections, remote wipe is not fool-proof. But it's a key tool in managing the downside -- which can be steep simply because of the sheer volume of devices. Device disposal occurs millions of times when Apple releases a new iPhone, for example, or more incrementally when people accidentally leave their phones in taxicabs or airport waiting areas. Employee termination is another scenario where remote wipe can be crucial.

"Terminated employees [are] always a challenge because they may not be interested in helping the company with anything," Overly said.

User Rank: Apprentice
11/26/2012 | 7:58:25 PM
re: 6 Risks Your BYOD Policy Must Address
Well folks. There you have it.

If any business is still up for having a BYOD policy after understanding the legal risks, then they are just plain crazy. Same for the employee who will fork over a good bit of their personal life as part of the, ahem, bargain.

I find it hard to believe that BYOD is more cost effective than an employer provided device when you look at the total cost of ownership (TCO).

BYOD (short of insuring us IT types a good long career) is ridiculous on many fronts... legal, technical, security, privacy... ad nauseam.
NJ Mike,
User Rank: Moderator
11/26/2012 | 6:23:11 PM
re: 6 Risks Your BYOD Policy Must Address
My solution to this BYOD problem - tell my employer if they need me to have a smart phone or a tablet, or a laptop, they can issue me a smart phone, a tablet, or a laptop. I don't like to mix business with personal, so the thought of using my personal phone/computers for work is not something I want to do.
User Rank: Ninja
11/26/2012 | 4:30:22 PM
re: 6 Risks Your BYOD Policy Must Address
"The personal devices they use at work could be examined not only by their employer but by the other party in the lawsuit."

This is why you WIPE all evidence from your phone after every call or every app used. No one spies on my private phone, iPad, or tablet. It's also helpful to have multiple fake name accounts on ALL social media. Learn to beat the busybody nosy types at their own game.