Most bring-your-own-device policies focus on how employees can use their phones or tablets on the job — and rightfully so. Employees will inevitably use personal devices to perform company tasks, and creating a policy that defines how they are allowed to access corporate information is an important initial step to keeping an organization’s data safe.
But what happens when an employee quits or gets fired?
For many companies, the answer is troubling, said Forrester Researcher Inc. analyst David Johnson. “Companies do not put enough thought into how BYOD ends,” he said. Yet that can be where the biggest risks reside. If an employee leaves and you don’t have the technology and policies in place to recapture company information instantly, that data will likely walk out the door with them, he said.
Or worse, those ex-employees could continue to access the corporate intranet, said Mike McAlpen, executive director of security and compliance for 8x8 Inc., a hosted Voice over Internet Protocol service in San Jose, California. McAlpen has had previous employers fail to turn off his privileges for remote access to the company’s network after he left the firm.
“I finally had to do it myself,” he said.
The Right to Wipe
That experience taught him to be hypervigilant about 8x8’s BYOD strategy for exiting staff, and to rely on a combination of policies, technology and audits to keep his network protected.
At 8x8, employees are only allowed to log on to the company network from personal devices as guests, which gives them access to email and basic company data, but prevents them from downloading any sensitive documents. The company policy also clearly states that devices will be monitored to ensure compliance, and that a “remote wipe” procedure will be triggered immediately if they leave the company.
“It used to take up to two days to wipe a device, but now we can do it in real time,” he said.
To verify that his system is constantly secure and that no former employees have slipped through the cracks, McAlpen regularly runs network vulnerability tests, tracks who is using the network, and conducts weekly user audits to make sure no unauthorized users have accessed the network. “Our approach is to trust but verify.”
Companies may also want to consider who is allowed to use their devices for work, said Nicholas Lee, senior director of end user services for Fujitsu America Inc. in Richardson, Texas. Only about 5 percent of Fujitsu employees participate in BYOD program, and they must complete an assessment to determine whether they qualify.
“It’s mostly executives and the sales team who are on the road a lot and need the flexibility,” Lee said.
Lee is mostly concerned about the complexity and cost of offering maintenance services for so many devices, but there are legal issues and data security risks that companies don’t always take into account when they let all of their employees take advantage of BYOD. “If the position doesn’t require BYOD, they shouldn’t use it,” he said.
To make sure those employees who do use the program don’t leave with company secrets, Fujitsu relies on encryption technology, partitioning on employee devices to keep company data separate from personal data, and instant data wipes of those partitioned sections as soon as an employee leaves.
The use of wiping technology protects company data, but it has to be handled thoughtfully, he said. “Wiping an employee’s device can be a delicate situation, both legally and politically, and you need to explicitly state how that will happen in your policy.”
Having carefully crafted policies and technologies that are strictly adhered to doesn’t just protect the company from losing data to an individual ex-employee, said Michael Elkon, a labor attorney who is of counsel at Fisher & Phillips. He works with companies on trade secret disputes. It establishes the value of that data in the event of future litigation, he said.
“One element of proving that something is a trade secret is being able to demonstrate the steps you’ve taken to protect it in the past,” he said. If companies let some employees walk out without having their devices wiped, it will make it much harder to argue in court that a piece of data is a trade secret that you have worked hard to protect. “A good BYOD policy that is rigorously applied is essential to that.”