The rise in BYOD has left businesses struggling to manage the growing number of access points across their systems. A recent study conducted by Bitglass found that 57 percent of employees and 38 percent of IT professionals don’t participate in their company’s BYOD program due to privacy concerns, that corporate leadership would have too much visibility into the end user’s personal data.
Of course, that doesn’t stop employees from using their own devices, circumventing official policy. And when your employees are ignoring your BYOD strategy, it means something isn’t working and the time has come to re-evaluate your plan.
How can you tell if your employees have gone rogue with their personally owned devices and put corporate data at risk?
“There are several signs, but the most obvious is the leakage of sensitive corporate information,” said Patricia Titus, who served as CISO at multiple companies, and is currently member of Visual Privacy Advisory Council. “This means you’ve found your data either ‘in the wild’ on the Dark Web or ‘in the clear’ on the Internet.”
Another sign your policies aren’t working is if you notice an increase in malware or attacks from authorized personal devices. This may mean an employee is not holding up his end of the bargain by using security software or may not be keeping it up to date.
The re-evaluation of the BYOD program should begin with an assessment of the policies to make sure they are relevant to the company’s needs, if they are able to hold employees accountable, and if they are applicable to the technologies currently in use.
If after this assessment it is discovered that the BYOD policy has yielded few results and failed to keep sensitive data secure, there are two options: restructure the current policy or abandon the BYOD program all together.
In restructuring your BYOD program, it is vital that a “trust and verify” framework be put in place to ensure policies are effective, and that they include input from every business unit. If staff doesn’t feel a sense of ownership, they will continue to ignore the policy, according to Dominic Vogel, cybersecurity consultant and a former Information security analyst in the financial industry.
“Effective policies need to be created as a group in order to gain a sense of ownership,” he said. “Make sure HR, finance, marketing, communications, executives, are all represented and come up with a realistic (not draconian) policy that mitigates risks while still enabling the business.”
The revamped policies should then be clearly articulated to employees in non-technical terms, and understanding the terms of the policies should be contingent to being allowed to connect personal devices to the corporate network.