Online Exclusive

Protecting Company Data on Employee Owned Devices

With smart phones and tablets an increasingly common possession by most Americans, many transit agencies and companies are finding their employees using them to connect to company devices and access data.

Because the devices are owned by the employees, it creates a potential security nightmare on protecting private data and keeping hackers out. However, security experts who spoke during a recent Security Industry Association webinar say by making tactful decisions, companies can find ways to protect data when employees use their own devices, which is known as a BYOD.

“Speaking personally, BYOD is going to be the future of all out businesses,” said Charles Wheeler, senior director of network operations for Brivo.

Wheeler said a recent survey showed 90 percent of responding employees indicated they already use BYOD devices. About 50 percent of companies who responded said they monitor or control the devices through policy.

Complicating the issues with BYOD policy is the fact the employee owns it while accessing company data, so legal issues can complicate policies about usage. Often times the devices are used in coffee shops with unsecured Internet connections.

Wheeler said the employees also run the risk of leaving the device in a cab, plane or table of a bar, then someone else can pick it up and easily access data.

Some companies might be tempted to not allow BYOD devices to access company information, but Wheeler said the convenience and applications they offer make that a nearly impossible action.

“The application’s the BYOD presents makes it impossible to stop and as much as I’d like to lock the network down, I don’t have that option,” he said.

Andrew Jaquith, chief technology officer for Silver Sky, said when developing policies regarding BYOD usage, it’s important to mind local laws to make parameters to know what limits you have related to controlling the information.

It’s also important to look into software options into what can do full or partial wipes of information of the employee’s personal device in the event of a security breach and policy must dictate the employee can wipe information if needed. Employers must also treat the agreement like a compact and remember its trading some control in exchange for some employee flexibility.

“I mean compact like a Mayflower compact where it was a mutual agreement amongst people on that vessel that they were going to live their lives a certain way,” Jaquith said.

Wheeler said some companies also partially compensate their employees for using BYOD devices in order to handle some legal issues because the company doesn't own the phone and there can be an argument about whether or not it owns the data on the phone.

Wheeler said it’s also important for security officials to remember this isn’t the first time such issues have been presented. With viral Internet and network connections by PC’s in the 1990’s a lot of the policies developed then can work with new technology.

“Embrace the idea of an office beyond the walls,” he said. “Embrace it extends the perimeter by putting a bubble around the employee.”