I recently recorded a webinar with Bryant Bell of Guidance Software whose subject was BYOD (Bring Your Own Device) and the impact on eDiscovery. That webinar is now available on demand and you can find it here.
Bryant Bell began with some statistics about the increase in the number of devices being used within organisations and, of those, the number which belong to the employees of the company.
I then turned to BYOD. That D, I said, could refer to other things – device, data, doubling your day, domestic difficulties when you keep working in bed, discovery danger as the sources multiply, that damn phone’s ringing again. That was an introduction to my suggestion that most of the problems arising from BYOD are problems even before you get into the question of who owns the device and data.
Gartner estimates that there will be 9 million tablets in use by 2016. It also reckons that, by 2017, employers will be requiring users to bring their own devices, saving cost thereby. We are already seeing employees declining to work for an employer which does not allow them to bring the devices they are used to working with.
Use of such devices is liberating for the employees, but a nightmare for those responsible for security. They thought they had just nailed down the types of devices on the company network, and suddenly data-types and sources were proliferating. They bring risks such as games surreptitiously taking contact data – whose contacts data?
Twitter, Facebook and the rest are all doorways both in and out of the enterprise, bringing risks both that your data might be stolen and that evil-doers might intrude into your network. They steal not just contact data but valuable IP, designs and real secrets of the company. This is no longer just script-kiddies but nations using security as an arm of international strategy. Just at the point when IT most needs control, various pressures are encouraging proliferation of devices.
The short, and trite-sounding, answer is that companies must establish policies – security policies for devices brought into the organisation, and service policies governing how they can be used, all backed by statements as to what is allowed and what is banned. Particular problems arise with BYOD as opposed to company-owned devices because of the mixture of company and private data (though that can arise whoever owns the device). There is no ducking this and it must be addressed in a set of rules.
The privacy implications are but one of the factors which arise when discovery must be given from such devices. It would be easy to overlook them completely. How does one physically gain access to a device of an employee who may have left the company or who simply declines to hand it over? The purpose of the policies is to contain these risks and, where possible, to reduce them to a level where they are acceptable, at least relative to the purported benefits of allowing employees to bring their own devices to work.
We enjoyed recording this webinar and I hope you want to listen to it. Registration is here.