In Part 3 of "It's 2013. Do You Know Where Your BYOD Policies Are?" we will address developing BYOD trends and best practices. Please check out Parts 1 and 2 of this 3-part series, which address employee and employer concerns, respectively.
Recent Findings: Widespread Adoption, Lagging Management
Recent studies show that security practices and corporate policies are struggling to keep pace with the popularity of BYOD. As mentioned in Part 1, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. Surprisingly, widespread adoption is reported in industries handling highly sensitive and regulated data: banking at 83.3%, and healthcare at 88.6%.
Given that BYOD has become the norm even across sensitive industries, it is troubling to learn from the Cisco study that 40% of workers do not use even basic password protection, and 50% report accessing unsecured Wi-Fi networks. These loose security practices may be the result of lax management. A recent report commissioned by the Logicalis Group showed that only approximately 30% of BYOD users in the U.S., and 20.1% worldwide, signed a mobile device policy. Unconstrained digital activity poses a real threat to an organization for all of the reasons described in Part 2 of this series. A properly enforceable and enforced corporate BYOD policy may be the best strategy to balance corporate security interests with the privacy interests of employees and third parties.
Overriding Theme: Security-Privacy Balance
Appropriate BYOD policies must strike a balance between security and privacy interests. This balance can be achieved, for example, by requiring segregation of personal data from work data on a device, selective wiping, and requiring employees to frequently back up device content. Security measures should be proportional to the security risk and target corporate, not private, content whenever possible. Finally, privacy provisions of a BYOD policy must be clearly communicated to employees, and their consent obtained. An employee's reasonable expectation of privacy can only be overcome with clear notice. Clear notice is more important than ever when BYOD blurs the line between personal and work spaces.