Are BYOD policies a threat to your business?
By Carrie Brunet Duncan, AdvocateDaily.com Contributor
Employees can be a business’s most unrecognized threat, and that risk is compounded by company policies that rely on employees to use their own devices for sensitive information and communication, says Tyler Hatch, founder and CEO of DFI Forensics Inc.
Bring your own device (BYOD) policies are becoming popular in many businesses as a cost-savings alternative to equipping employees with technology that will quickly become obsolete and need replacing, he tells AdvocateDaily.com. However, Hatch warns that while there might be cost savings up front, in the long run, employers could face unforeseen losses.
“If an employee steals information from an employer, the business may not be able to easily prove it because they may not get the necessary permission to access the employee’s device,” he says. “If the company owns the equipment, they can just hand it over to a forensic examiner like me, and I can tell them what’s on it.”
Hatch says losses can include confidential files, proprietary information and client lists being stolen and used at competing businesses or by employees trying to earn money on the side. Unfortunately, most employers don’t consider the risks until things go wrong, he says.
“Everybody just assumes people are going to play by the rules, but that doesn’t always happen,” Hatch says.
As a forensic examiner, he’s worked on cases where thousands of critical files have been stolen by employees and used at competing firms. Combining his experience as a lawyer and his love of technology, Hatch says his work is very similar to that of a crime scene investigator.
“It’s like going into a crime scene and collecting fingerprints, hair samples and tire tracks to determine what happened. By analyzing the evidence, I can determine who did what — and when,” he says.
The arrival of cloud storage has made tracking data losses more challenging, but it’s not impossible, Hatch says.
“We can still trace it,” he says, adding that things not seen at the user level can still be revealed by an experienced examiner. “But I am always advising clients to be proactive.”
Hatch stresses the importance of having strong policies regarding data privacy and being sure that employees are well-informed about them.
External threats are another key concern for companies, and having BYOD policies can make them more vulnerable, especially with mobile equipment such as laptops and cellphones, he says.
“Geographically, they have no end point,” Hatch says. “They may be connecting to the Wi-Fi at the local coffee shop that someone is hacking. There is a bigger threat to your organization because your employees are using external devices that are connected to the network.”
Viruses might be introduced into the business network via laptops or other technology used at home or by people other than the employee, Hatch points out.
“Company devices are less likely to be used on risky websites,” he says, noting that gambling and pornography websites are often plagued with viruses.
Disciplining or dismissing employees for inappropriate communications can also become challenging if the equipment is not owned by the employer, Hatch says. And while a court might compel an employee to allow examination of the device, it can be a long and costly process.
Hatch recommends against BYOD policies, but if employers still feel the benefits outweigh the risks, he suggests they seek advice from a lawyer to create guidelines and from a forensic examiner to advise them on data loss prevention and information monitoring software.
“Employees still have a right to privacy in the workplace, so it’s important to get the right professionals involved to strike a balance. It can be done, you just need a plan,” he says.