When it comes to bring-your-own-device-to-work—or BYOD—policies, it's what employees do with their personal time that should worry you. From possibly downloading virus-ridden games to backing up everything—including your latest confidential financial report—to a public cloud, the choices employees make with their devices when they aren't working can have serious security implications for employers.
More than half (53 percent) of companies today allow users to connect their devices to the corporate network, according to a recent study published by the International Information Systems Security Certification Consortium Inc., a professional group. All that mobile connectivity may increase productivity, but it's worrisome for the information technology teams tasked with keeping corporate data safe. Fully 78 percent of security professionals think BYOD presents a "somewhat" or "very significant" risk, which is up 10 percent from 2011, according to the study, which was conducted for the consortium by consulting firm Frost & Sullivan.
Perhaps surprisingly, it's the cloud services, not the buggy apps, that present the biggest concerns. When employees use tools like Dropbox or iCloud to back up their devices, it moves all of that data outside of the company's control.
"The risk is not knowing the level of exposure," says Michael Suby, vice president of research for Stratecast, a division of Frost & Sullivan in Denver. "You have no way to tell where your data is and who has access to what."
And if the cloud service is hacked, the company has no way of finding out what if any of their business data has been compromised, he says.
How companies deal with these risks varies, depending on the sensitivity of their data, and the demands of the users.
Needham (Massachusetts) Bank has been allowing employees to use their own iPhone for work tasks since 2008, says James Gordon, first vice president of information technology for the bank. The bank supports only Apple Inc. products because his team has confidence in Apple's virus controls and operating system, however, the BYOD policy has one important caveat. "iCloud is banned," Gordon says. The bank also blocks users from using other public cloud storage tools, including Dropbox, Box and Google Drive.
If an employee isn't OK with the policy, they can opt out of the BYOD program, Gordon says. It can be inconvenient for employees who have to find alternative ways to back up their devices, but, at a bank, the risks are just too high, he says. "We have no way to control the data once it's in iCloud, and no way to ascertain if it's even there."
The IT team uses a software tool called MobileIron to keep an eye on user devices, and to remotely lock or erase devices if they get lost or stolen. They can also block any device's access to the network remotely if the user falls out of compliance with the security policy by downloading a forbidden app or contracting a virus.
But technical monitoring and control aren't enough, Gordon says. His team also relies on employee education and a simple user policy that clearly defines appropriate behavior and guidelines for device use.
"We approach BYOD as a partnership," he says. "We recognize the benefits of allowing employees to use their own devices, but you have to balance that with corporate security."
To stay ahead of the security curve, Needham's IT team are Apple beta testers, which means they have the chance to assess new Apple operating systems before they are generally available—that's how his team knew to block iCloud the day it was released.
"IT can't have its head in the sand," he says. "You have to watch the trends and do the risk assessments."
Apple did not respond to requests for comment.
The IT team at Cisco Systems Inc., is equally concerned about information security when it comes to the company's BYOD policy, though it takes a different approach to managing risks.
Cisco created a BYOD policy in 2009 to cut costs and improve productivity. Since then the company has registered nearly 60,000 employee-owned devices, says Brett Belding, senior manager of IT mobility solutions at Cisco in Atlanta.
The company has a basic set of rules for personal devices. It requires all users to have at least a four-digit PIN, and the device to have an auto-lock setting that triggers in 10 minutes or less. Cisco also reserves the right to wipe any device remotely if it's lost or stolen.
The IT division also created a corporate app store with recommended apps, including instant messaging service Jabber and collaboration tool WebEx—both of which are Cisco products. But the company doesn't ban employees from using apps from other vendors, including public cloud services. "We made a very conscious decision to allow iCloud for personal data," Belding says.
Cisco made the choice because it wants employees to have the best possible user experience with their devices, and they don't want to create barriers or hassles. "The challenge for us was how to protect corporate data in that environment," he says.
Rather than blocking apps, the company controls corporate data on its network, using a combination of security access PINs, encryption tools and read-only features that prevent highly confidential data from being copied, downloaded or emailed.
It also use monitoring tools, including its own ScanSafe software, to scan all Web requests for malicious content, and they categorize search-engine results to prevent users from inadvertently accessing unwanted material. What's more, if a device starts behaving strangely, the IT team can quarantine it or kick it off the network.
That strange behavior is far more likely to be linked with search engines and social media apps that copy and share contact lists than with malware from a buggy game download, Gordon says. "Many of these platforms suck data without you even knowing it, and they are much harder to track than a malicious virus."
Cisco wants its employees to use social media sites for marketing and promotion, so the company doesn't ban their use. Instead, if the IT team sees a surge on a particular social platform, it alerts employees to change their settings, and it may block the devices until the problem is resolved. "It's about combining trust and communication with enforcement," Belding says.
Every company has to figure out how it wants to achieve the balance between security and usability, Suby adds. "You've got to find a way to exert control either on your own network or on the end users' devices," he says. "Anything less is too risky."