Categories
Uncategorized

Results from the LinkedIn “Information Security” Group’s 2013 BYOD/Mobile Security Survey, Part 1: The State of BYOD

A few weeks back, Holger Schulze put out the call on his Information Security group on LinkedIn for respondents to a survey on BYOD and mobile security practices. Of the group’s approximately 160,000 members, 1,650 took the survey. He’s since tallied the results and published them online:

In this article, we’ll look at those results that describe the state of BYOD at the organizations represented by the respondents.

BYOD Adoption in Organizations: Still a Long Way to Go

byod adoption stage

60% of the organizations represented in the survey have not yet adopted BYOD, but are considering it. 24% are working on the policies and practices to implement a program, and about 10% of the people who haven’t yet adopted BYOD haven’t do so because they’re forbidding it outright.

byod readiness

It’s always a tricky thing to ask people to quantify a “gut feeling” with questions like “How would you rate your readiness for full enterprise BYOD adoption, in percent, where 100% is completely ready?” What’s the difference between 20% ready and 30% ready? Or 70% ready and 80% ready? Still, the fact that most of the organizations represented in the survey say that they’re less than 50% ready to adopt BYOD says that there’s a lot of uncertainty about their ability to set up a BYOD program.

In the meantime, here’s what the organizations are doing right now:

policy

Note that in the chart above, both “Privately-owned devices are in very limited use” and “Privately-owned devices are widely in use, but not supported by the organization” are the 3rd and 4th most popular categories, each accounting for more than 20% of the respondents. That’s a good chunk of people who are accessing corporate resources with any policies or technologies to manage them; in some cases, IT would probably be completely unaware of how widespread the practice would be. We like to call this practice SYOD — “Smuggle Your Own Device”; others like to simply put it under the larger blanket term “Shadow IT”; either way, it has the potential to cause you great trouble.

Simply put: most organizations still have a long way to go before they’re truly ready to support employees bringing their own devices for work.

Categories
Uncategorized

BYOD Roundup: The “BYOD for You” Book, Liability, and Shadow IT

A New Book: BYOD for You

byod for you cover

Most BYOD guides we’ve seen cover BYOD from management’s or the IT department’s point of view; BYOD for You is the first we’ve seen that covers it from the rank-and-file employee’s angle. Written by Daniel Lohrmann, who blogs at Government Technology and has a site at BYOD4U.com, this Kindle ebook is a quick read that helps you determine an organizations BYOD maturity level, secure your BYOD mobile device and maximize its benefits, and how to cope with the way personal mobile devices are handled where you work.

BYOD for You is an easy lunchtime read; it’s divided into eight chapters, most of them about a half-dozen pages long, which cover these topics:

  1. Categorizing your BYOD enivronment: Gold, Silver or Bronze?
  2. Your workplace’s BYOD program, or the lack thereof
  3. Security: How to safely use your mobile device at work and home
  4. MDM
  5. Privacy and other legal considerations
  6. Maximizing the financial benefits of BYOD
  7. Ethical dilemmas and proving you deserve your mobile device
  8. Building a personalized BYOD plan that outlives your device

Each of the chapters end with a section that provides suggestions on how to handle its topic depending on the BYOD maturity level of your organization. Lohrmann’s model for BYOD maturity has three levels, which are explained below:

  • Bronze: An organization operating at the Bronze BYOD level has employees who bring their own devices to work, but doesn’t have an official BYOD policy. It’s unclear about what happens when company information security policies and personal devices collide, if employees’ personal data will remain private, or if their work-related activities on personal devices will get them in trouble. Employees also bear all costs of using the device, even for work-related purposes. MDM is practically or completely non-existent.
  • Silver: In organizations operating at the Silver BYOD level, there is a basic BYOD policy that spells out how its data can be accessed, as well as issues of security and privacy, and there is tacit permission for employees to access their work email from their devices. Employees can choose between all-expenses-paid COPE devices or BYOD devices without any reimbursement for operating costs. MDM is limited; it’s often something basic, like what’s provided by Microsoft Exchange ActiveSync.
  • Gold: At the Gold level of BYOD, there’s a full BYOD policy, and employees are fully reimbursed for all device costs. All devices are under full MDM.

Even though it’s written for end users at a workplace, it’s a useful guide for managers who are new to the idea of BYOD and want to get a grasp of the major issues that can arise when employees bring their own devices to work. I expect that we’ll be using this in our consulting work and recommending it to our customers.

There’s a special deal if you buy it today (Wednesday, April 17, 2013): it’s selling at a dollar off — a mere CAD$3.03 at Amazon.ca, and USD$2.99 at Amazon.com.

BYOL: Bring Your Own Liabilities

justice

Mobile technologies bring new capabilities, but new complications as well. The CIO article BYOL: Bring Your Own Liabilities points out that the dual nature of BYOD devices — owned by the employee, but used part of the time on behalf of the company (and possibly subsidized) — present some new potential legal issues, whether or not your organization has a formal BYOD program. The article lists a number of ways you can reduce the risk of legal exposure in your BYOD program; the article goes into more detail, and we’ve summarized the main points below:

  • Policy: The article says that a policy defining your organization’s BYOD program is most important element of any BYOD strategy, and we’re inclined to agree. Such a policy should clearly define how your BYOD program will operate, specify the risks and responsibilities of the organization, employees and third parties, and define acceptable technologies and acceptable use. Most of it shouldn’t have to address legal issues, but having such a policy will help reduce your legal exposure. (By the bye, we’re pretty good about crafting mobile device policies, and we even have a guidebook to help you build your own.)
  • Liability issues: Figure out whether your organization or your employees are liable in certain cases, such as: Who’s responsible for misplaced or stolen devices? Who’s responsible in the event of a malware attack? Who pays for support?
  • Licensing: Are the apps on mobile devices — both company- and employee-owned — properly licensed?
  • Insurance: Will your organization’s insurance policy cover devices that it doesn’t directly own or lease?
  • Data security: As the article says: “Two topics generally colour the legal framework in the context of data security; these are confidential information and litigation obligations, both of which are concerns for any mobility based system.”
  • Confidentiality: We take our mobile devices (especially our smartphones) everywhere, and sooner or later, they’ll get lost or stolen. You need to consider the implications of missing mobile devices, from the loss of your organization’s sensitive information, to inadvertent breaches of confidentiality agreements with other parties, to remote wipes, to the consequences of remotely wiping an employee’s personal data. Along with the issues that come with confidential or sensitive data on the device, there’s also the issue of such data off the device, stored with third-party cloud services like Dropbox.
  • Discovery obligations: Data stored on mobile devices used for work may be subject to electronic discovery, the pre-trial phase in litigation where each party can get evidence from the opposing party. You may need to take measures to keep work and personal data separate, keeping in mind that your organization can’t object to producing some information in the discovery process simply because it has some personal employee information mixed in.
  • Privacy: One reason to try to keep work and personal data separate is to preserve employee privacy, especially when backing up information. Ideally, you want to back up only the work-related information and store no personal employee information (such as their address book or photos) on your organization’s backup system.
  • Surveillance and tracking: The ability to remotely track a device is a useful thing to have when it’s lost or misplaced, but it can be a cause for concern about its use for tracking employees. The article recommends the use of a data surveillance policy that clearly spells out how devices will be tracked, and if your organization will record information stored or transmitted by the device.

BYOD and Shadow IT

the shadow strikes

From an earlier article:

Shadow IT sounds like some kind of future slang that [William] Gibson would’ve coined, but it’s an office term referring to the set of applications and systems that are used in organizations without that organization’s approval, and especially without the approval of the IT department. It’s usually the result of one or a handful of employees discovering an application, service or system that solves a problem in a way that seems more effective, expedient, and more free of red tape than if it were solved by IT. Shadow IT usually starts off as an ad hoc solution, but if it becomes popular within an organization, its use can become standard practice, even without the approval or oversight of the IT department.

When people talk about shadow IT, they usually talk about the security issues. Mike Foremen in Huffington Post UK writes about another equally important issue: the creation of data silos, where information vital to the business lives in places where it can’t be found.