Get the latest tech news How to check Is Temu legit? How to delete trackers
TECH
Symantec

Bring Your Own Dilemmas: Dealing with BYOD and security

Elizabeth Weise
USATODAY
Digital devices

SAN FRANCISCO — Once upon a time, your computer was a box under your desk, your phone was connected by a wire to the wall, and everyone went home at 5 p.m. and left work behind them.

"It's almost quaint to think of now," said Michael Malloy, a vice president at Webroot, a Colorado-based Internet security company.

Today, "work is no longer a place that I go to, it's something that I do. That's become the norm for a lot of companies," said Cheryl Tang, a senior manager for enterprise mobility at Symantec in Mountain View, Calif.

The conundrum for companies is how to let employees use the technology they already own and love for work, while also keeping vital corporate data and systems secure.

It's called BYOD (Bring Your Own Device), and it is "a massive phenomenon in business," said David Willis, chief of mobility research with research firm Gartner.

A Webroot survey published in July found that 61% of companies had employees using personal smartphones or tablets for work-related activities.

Half of companies surveyed told Gartner that they planned to move exclusively to BYOD for smartphones in 2017.

That creates a tension between what workers want and what companies need.

To an employee, a phone is life, a place to work and play.

To the security team at the employee's company, it's a gaping maw of danger.

"The humblest tablet or smartphone contains the credentials or log-in information for the corporate network. From there, cybercriminals can work their way into the network. It can begin in the simplest thing and can end up with costing employers millions," Malloy said.

The challenge companies face is how to enable security "in a way that doesn't freak employees out" but still gives information technology departments enough control, said Tang.

It's a real concern. Up to 51% of employees said they would go around any policy that restricted their use of their own devices or use of cloud storage, a Fortinet survey found last year.

For companies, worries include apps or links that make the phone or tablet vulnerable to hackers, data leakage and the employee simply losing the device, along with everything on it.

Employees fear that their companies can access their personal data or that their phones will be used to track them, a Gartner survey found.

Unfortunately, companies are lagging in both protecting themselves and educating employees.

Webroot found that one-third of employees who used their own devices for work didn't have any security installed on it. Of those who did, one-third only used the four-digit password that came with it.

"Which is pretty scary considering the data they're toting around with them now — e-mail, the log-in for the corporate network, proprietary data," said Malloy.

Only 42% of companies required employees to have a security app installed, and only 19% required mandated security supplied by the company, Webroot found.

Setting up systems and being clear about what's required is key, experts say.

For example, employees are going to share data, so you have to be prepared, said Willis. "If the business doesn't have a secure way to view and share data that the employees can use, they'll just break out of jail and use iCloud or Dropbox."

Lost phones are also a problem. Having the ability to remotely wipe sensitive information is critical.

Several stand-alone programs deal with enterprise mobile device management. They include AirWatch, Citrix, Good Technology, MaaS360/Fiberlink,MobileIron and SOTI. In addition, several larger vendors offer suites that include such management, among them, Microsoft's Intune, SAP's Afaria and Symantec's Mobile Management Suite.

Some companies are creating their own app stores for employees on an internal website. These mimic consumer online sites such as Apple's App Store or Google Play, but include only apps the company has vetted or designed to work appropriately with its computer system.

"It offers a self-service option so employees can just go and pick out what they need, safely" said Christian Kane, an enterprise mobility analyst with Forrester.

A new wrinkle in the BYOD world is an Aug. 12 California appeals court ruling that employers must reimburse employees for work-related phone calls made on the employee's personal cellphone.

The case involved a class action on behalf of 1,500 customer service managers who worked for Schwan's Home Service, a direct-to-home frozen food delivery provider. The managers were required to use their personal cellphones to make calls but weren't reimbursed.

While this ruling doesn't signal the death knell of BYOD as some suggested, it does mean that moving forward, companies will probably have to contribute, said Willis. That also might give them more rights in employees' eyes to oversee security

Overall, there's no easy solution for companies, because a clear standard hasn't yet evolved.

But that doesn't make dealing with the questions around BYOD something that can be put off, says Gartner's Willis. "Mobile device management in the corporate world is going to be as common as antivirus was for PCs. At a certain point, you won't pass an audit if you don't have these protections in place."

Featured Weekly Ad