When BYOD Goes Bad

October 14, 2014

BYOD is either a ticking time bomb or IT’s greatest opportunity. Whether you belong to the 40 percent of organizations that have policies or not, I guarantee people are using their own mobile devices at your office.

Many organizations don’t think they need a “Bring Your Own Device” (BYOD) policy or solution because they issue corporate devices. This is a huge mistake. If apps and tools are banned on corporate devices, employees will just use them on a personal device.

But behind all the hype and gloom, what can actually happen if employees use personal device in the workplace, without any oversight? To spell it out for you (or your fellow executives), let’s meet Jane Davis, a hypothetical VP of Marketing at Vonerruble Corporation (get it?). She will illustrate what can happen when BYOD goes unmanaged. Then, we can talk about how to avoid this scenario.

Jane Wants to Work At Home

Jane is preparing for Vonerruble’s largest product launch ever, and the 14-hour days at the office are taking a toll on her family. She has embarked on an ambitious project to integrate and analyze customer data from multiple sources.

To cut back the office hours and spend more time with family, Jane decides to start doing data analysis at home. She downloads customer data into spreadsheets, emails them to her Gmail account and downloads them to her Android tablet at home. The spreadsheets contain names, usernames, email addresses, phone numbers, physical addresses, purchasing histories and other data. Jane has all this customer data on her tablet, but IT is unaware. She needs help with this project, so she divides the customer data by brand and asks four team members to each take one.

Sharing Data and Reports is a Pain

Emailing reports, spreadsheets, charts, graphs and PowerPoint presentations is becoming a pain for Jane and her team. They want a way to quickly share files from their home computers, tablets and phones, but asking Vonerruble’s IT team for a solution is pointless because they will take too long and probably reprimand the team for taking data home. The product launch is four weeks away.

Jane hears about Box.com from her marketing pal at Kolabretev Corp and decides to purchase a business plan for her team. She enters credit card info and gets usernames for all 20 people in marketing. They load all the spreadsheets and reports into Box and all download the Box mobile app.

Oops…

The marketing team nails the product launch. Their data analysis leads to the most successful marketing campaign in company history. Jane organizes a party at 4Get, a rowdy nightclub. The next morning, Jane wakes up foggy and realizes that she left her purse at the bar. She always keeps her Android tablet in her purse. Because Jane never set security policies for Box, anyone can access the app. They don’t need to re-enter a username or password.

Potentially, someone has full access to Vonerruble customer data. Maybe the person just plans to wipe and sell the tablet – or maybe the person knew to look for sensitive data. Jane just changes her Box password and moves on without considering the potential ramifications.

Face BYOD

Jane’s story is one possibility in an endless set of BYOD failures that involves downloading sensitive data, using rogue applications, losing devices and using them without regard to IT security policies (e.g. passwords). Rather than pretend that BYOD isn’t happening, IT and security have a responsibility to engage employees and support BYOD. “Engage” means actually talking to end users, or as they should be called, internal customers, and determining what they need from mobile devices.

How do people like Jane currently use mobile devices? What would they like to be able to do? What devices do they want to use? Your customers need mobile devices for legitimate business applications, and restricting their activity doesn’t work. Like Jane, many people feel that IT has been too slow and conservative. That’s why IT and its partners have to initiate these conversations rather than wait for employees to ask for help.

Protect corporate data like it’s 2014, not 1984. The goal is not to control employee’s devices – the goal is to support employees’ needs while protecting corporate data. Find a BYOD solution balances privacy and security needs of your organization. Your customers are going to do BYOD with or without you. Don’t wait for Jane to jeopardize sensitive data. Take the lead.

Sarah Lahav, CEO of SysAid

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Join our subject matter experts as they explore how the right systems can help identify, analyze and report potential incidents and help building owners sustain compliance and create safer spaces.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

When BYOD Goes Bad

Related Articles

Report Abusive Comment