Monday, 10th December 2018

Data security meets BYOD privacy: can this marriage be saved?

By Ojas Rege, Chief Strategy Officer at MobileIron.

For CIOs, implementing an effective BYOD programme to harness the power of mobility sometimes feels like an impossible balancing act. BYOD requires simultaneously securing corporate data while protecting the privacy of personal data. What makes this difficult, of course, is that both live on the same mobile device. There’s a widely held belief that this is impossible – that security and privacy are fundamentally at odds with each other – that tightening up security means giving up on privacy.

Luckily, this is a myth. Security and privacy can, in fact, live out their lives in perfect harmony in a BYOD programme. However, like any marriage, it takes some work. And that work sits squarely on the shoulders of IT.

Failing to protect users’ privacy leads to a culture of distrust. Employees become less likely to comply with security best practices and embark on their own personal “Shadow IT” journeys, using apps and devices without IT’s authorisation. The MobileIron Security & Risk Review revealed that most companies had at least some business data on mobile devices that were not compliant with their organisation’s security policy. So failing to protect privacy is not an option.

But failing to protect corporate data gets you fired, so, clearly, that is not an option either.

Though IT understands this conundrum, understanding is not the same as solving. Let’s now discuss a win-win-win program to make BYOD successful, address employee privacy concerns, and let IT professionals keep their jobs.

Start with expectations

Marriages fail when the two parties have differing expectations of the relationship. When implementing a BYOD programme, you can manage conflicts between privacy and security by proactively making sure they are at the top of the agenda from the very beginning of the process.

It is important to understand employee concerns upfront. Most employees are comfortable with their employer controlling their work data but do not want to share any data that reflects their personal lives, such as personal emails, photos, and text messages.

It is equally important to understand what your security team views as key mobile risks.Hone in on the threats and remediation mechanisms so you can determine if any conflicts exist between security requirements and privacy expectations.

Understanding both sides will let you define appropriate policy and operational parameters to minimise risk from both the company and employee perspective.

Create trust through transparency

Marriages fail when trust is replaced by suspicion. Transparency increases employee confidence and legal compliance. A survey of 3,000 consumers showed that 30 per cent of employees would leave their job if they thought employers could access their personal information. With so much hinging on trust, it’s important to ensure that employees are clear on what companies can and can’t see on their mobile devices.

Another reason for transparency is the evolving legal landscape. Businesses should be precise in what data is monitored, collected, used and stored. If requirements are accurately identified in the beginning, businesses can be safe in the knowledge that they are only collecting what they need, using the data for its intended purpose and deleting once it’s no longer in use.

Establish a foundation

Marriages fail when the foundation is cracked. Enterprise mobility management (EMM) solutions are the technical foundation of any BYOD programme.

EMM solutions separate personal and business data on the device and allow IT to appropriately secure the business data without compromising the personal data. EMM solutions also provide the ability to selectively wipe just the business data. As a result, employees can continue to use their ever-expanding portfolio of fun, personal apps without worrying about IT seeing something it shouldn’t. More advanced EMM solutions also provide IT additional privacy controls to prevent access to personal information and provide employees with a clear visual representation of how their privacy is protected.

EMM addresses the employee’s main privacy concern: the monitoring and deletion of personal data.

Without EMM, the BYOD programme has no technical foundation and either security or privacy will likely be compromised.

Communicate, communicate, communicate

Marriages fail when communication stops. Just having an EMM solution in place for BYOD is not enough. IT must communicate directly with employees so they understand how EMM works and how their privacy is protected.

Without communication, employees will develop their own stories about what IT can and cannot see … and the employee will almost always assume the worst.

Summary

Yes, the security and privacy marriage of BYOD can be saved. It can, in fact, thrive, but IT has to be willing to invest in upfront user research, a partnership mindset, technology to support data separation, and constant communication.

This proactive approach will foster a culture of trust and set up the BYOD programme for high adoption and success. And it is always better to start a relationship on the right foot instead of trying to patch it up later.

It has been a tumultuous year for cybersecurity, with endless security breaches hitting the headline...
Understanding the risk posed by third- and fourth-party companies can help mitigate security problem...
Greig Schofield, Technical Manager at Netmetix, explores how Wi-Fi could expose your business – and...
By Ian Kilpatrick, EVP Cyber Security, Nuvias Group.
The main issues we see arise with cybersecurity strategies seem to link to efforts that arise when b...
Corporate networks have quickly become more and more complex. Change requests are regularly processe...
What makes a DDoS successful? I asked myself that question at the end of August when the central ban...
No matter the size, all organisations are at risk of being the next target of a cyber-attack. Attack...