The consumerization of information technology is having a profound impact on organizations, and many are concerned about the risk that consumer IT poses to the confidentiality, integrity and availability of enterprise resources.
The consumerization of IT is commonly manifested through the “Bring Your Own Device” (BYOD) phenomenon — when employees use their own personal devices (laptops, smartphones, tablets, etc.) to transmit or store corporate information. BYOD risks are not going unnoticed, however, and typically rate as one of the top concerns for CSOs and CIOs.
Some have described BYOD as an unstoppable wave overtaking organizations, and the trend is only escalating. In general, there are three types of companies: ones that openly embrace BYOD, ones that formally prohibit BYOD and ones that ignore the topic completely.
But all three of these types of organizations have one thing in common: Regardless of their policy, their employees use personal devices to transmit, process or store corporate data.
There are two principal risks to the enterprise that are frequently discussed regarding BYOD: risk to the confidentiality of information assets and risk to the availability of resources.
Enterprises are concerned with the confidentiality of corporate information resources when employee-owned IT is used. How do they ensure that appropriate information security controls protecting the confidentiality of corporate data are in place?
In addition, enterprises are concerned about the risk of employee-owned devices impacting availability of enterprise IT resources. How does a business ensure that appropriate information security controls prevent the introduction of malware to existing corporate resources?
The risks to confidentiality and availability are fairly well-known and understood, yet there is an additional type of risk posed by BYOD that has corporate counsel and privacy officers concerned: How does an organization respect the privacy of employees when corporate-owned information is co-mingled with employee-owned personal information on an employee-owned device? This is a somewhat new topic that has many CIOs and CSOs scrambling to develop IT policies that do not conflict with their corporate privacy policies.
Cheryl Orr, partner and co-chair of National Labor & Employment Group at Drinker Biddle & Reath LLP, wrote an excellent overview of this concern, which can be found here.
So, is all of this a new problem?
Essentially, the risks organizations face remain the same as they have since the introduction of networked computer systems. The ability to move information quickly and easily among machines increases the difficulty of knowing where information resides, while enterprises must be conscientious about ensuring that private information isn't disclosed to unauthorized parties.
Today's technologies of cloud computing, web applications, ubiquitous internet access, social networking, vast inexpensive portable storage and broadband wireless have only added to the difficulties of securing corporate data.
Organizations looking for solutions to BYOD challenges should answer these questions:
Do you know the data your organization has, its value and where it resides?
Enterprises should implement strong information management processes. Information assets must be identified, owners and custodians assigned, and information classified.
Do you have an accurate inventory of all IT devices – company- and user-owned?
An inventory of IT devices, as well as an asset management system allowing for the management of the devices, will enable organizations to maintain an up-to-date inventory despite the rapidly changing and dynamic environment.
Are there processes in place to detect the presence of unauthorized devices connected to your networks?
Organizations should ensure that they are able to identify unknown devices connecting to their enterprise networks. An ideal system to report and identify connected devices using enterprise resources is the network itself, since it is the primary point of device connection.
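As an added example (not part of the original article), the following script shows one way to use the network's own records to surface unknown devices: it parses committed DHCP leases from a constructed syslog excerpt (loosely modelled on ISC dhcpd messages) and compares each client MAC against a constructed asset inventory. The inventory contents, log lines, hostnames and function names are all assumptions for illustration.

```python
import re

# Constructed asset inventory (an assumption for this example): MAC address ->
# (owner, device type, ownership class). In practice this comes from the
# organization's asset management system.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": ("alice", "laptop", "corporate"),
    "64:77:88:99:aa:bb": ("bob", "smartphone", "personal-registered"),
    "cc:dd:ee:ff:00:11": ("printer-3f", "printer", "corporate"),
}

# Constructed syslog excerpt, loosely modelled on ISC dhcpd lease messages.
# Two of the acknowledged leases belong to devices missing from the inventory.
SAMPLE_LOG = """\
Jun  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (alice-lt) via eth0
Jun  3 08:02:45 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 64:77:88:99:aa:bb (bobs-phone) via eth0
Jun  3 08:03:10 dhcp1 dhcpd: DHCPACK on 10.20.30.43 to a4:5e:60:12:34:56 (android-7f3a) via eth0
Jun  3 08:03:11 dhcp1 dhcpd: DHCPDISCOVER from a4:5e:60:12:34:56 via eth0
Jun  3 08:04:00 dhcp1 dhcpd: DHCPACK on 10.20.30.44 to CC:DD:EE:FF:00:11 (printer-3f) via eth0
Jun  3 08:05:30 dhcp1 dhcpd: DHCPACK on 10.20.30.45 to 02:42:ac:11:00:02 via eth0
"""

# Only DHCPACK lines represent a lease the server actually committed.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set, i.e. the address was
    assigned by software (randomised, virtual or container interfaces) rather
    than burned in by the manufacturer. Such MACs will not match a hardware
    inventory even when the device itself is legitimate."""
    return bool(int(mac[:2], 16) & 0x02)


def parse_leases(log_text):
    """Extract every committed lease (DHCPACK) from syslog text."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m is None:
            continue  # DISCOVER/OFFER/REQUEST lines carry no committed lease
        rec = m.groupdict()
        rec["mac"] = rec["mac"].lower()  # normalise case before inventory lookup
        leases.append(rec)
    return leases


def find_unknown_devices(leases, inventory):
    """Return {mac: lease} for leases whose MAC is absent from the inventory."""
    return {rec["mac"]: rec for rec in leases if rec["mac"] not in inventory}


def report(log_text=SAMPLE_LOG, inventory=KNOWN_DEVICES):
    """Print a triage list of unknown devices and return a count summary so
    the result can be checked or exported to a ticketing system."""
    leases = parse_leases(log_text)
    unknown = find_unknown_devices(leases, inventory)
    summary = {
        "leases": len(leases),
        "known": sum(1 for rec in leases if rec["mac"] in inventory),
        "unknown": len(unknown),
        "unknown_locally_administered": sum(
            1 for mac in unknown if is_locally_administered(mac)
        ),
    }
    for mac, rec in sorted(unknown.items()):
        flag = " [locally administered MAC]" if is_locally_administered(mac) else ""
        print(f"UNKNOWN {mac} ip={rec['ip']} host={rec['host'] or '?'} "
              f"iface={rec['iface']}{flag}")
    return summary


if __name__ == "__main__":
    print(report())
```

Matching on MAC address is a first signal for the inventory gap the question above describes, not an access control: a MAC can be duplicated or randomised, which is why the script marks locally administered addresses separately so an analyst knows a hardware-inventory miss may be a container, virtual adapter or privacy-randomised phone rather than a foreign device. Authenticated network access (802.1X or a NAC product) is the stronger control, with DHCP, ARP and switch port records serving as the audit trail.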
How does the use of cloud services impact the use of BYOD?
Enterprises need to understand how the use of cloud services will impact their ability to ensure confidentiality of corporate information stored in the cloud. Does the cloud service provide the organization with controls needed to implement access controls and restrict the downloading of the information?
BYOD is a growing reality, as employees are connecting a greater number of devices to enterprise networks on a daily basis, and CIOs and CSOs must prepare accordingly.
Though the prospect appears daunting at first, enterprises can take proactive steps to mitigate some of the associated risks. A strong information management process, a system to track and organize IT system inventory, unknown device detection and a strong understanding of the enterprise's use of cloud services will help companies protect and secure their critical corporate data as BYOD proliferation continues in 2013 and beyond.