As more employees bring personal smartphones and other devices to work (bring your own device, or BYOD), here are three BYOD security horror stories that other companies can learn from.
Many observers say IT departments have little choice: they can either embrace BYOD and create policies that govern the use of personal devices, or they can watch as users bring in personal devices unregulated.
The bottom line is that users today care little for what IT thinks regarding BYOD. In fact, 55% of workers under age 30 believe that using a personal device is a right, rather than a privilege, and 36% said they would try to get around an IT policy that forbade them from using a personal device at work.
Therefore, many IT departments are developing a BYOD policy to help them control what they can and minimize the risks. In fact, most companies (77%) allow employees to use personal smartphones, tablets or other devices, according to a recent survey from Decisive Analytics. And the majority rely on an acceptable use policy to regulate those devices.
But even an officially sanctioned bring-your-own-device program comes with plenty of risks, as organizations are finding out. Among the 825 IT managers surveyed, nearly 50% of those that allow BYOD have experienced related security incidents.
In addition to those survey results, anecdotal evidence shows the serious dangers that can be introduced if BYOD security isn’t properly managed. Here are three BYOD security horror stories organizations experienced last year — and what IT departments elsewhere can learn from them:
Stolen device creates $1.5 million fine
One of the biggest BYOD security fears is that a personal device used for work will be lost or stolen, potentially exposing sensitive information to whoever ends up in possession of the gadget. The fear is well-founded — a lost or stolen device can have serious consequences, as shown by a recent settlement involving a Massachusetts healthcare provider.
Last September, Massachusetts Eye and Ear Associates, Inc., agreed to pay $1.5 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The charges stemmed from an incident in which a doctor’s personal laptop was stolen. Apparently, before the theft, the unencrypted machine was brought into the office and loaded with sensitive information about patients.
The lesson: Companies should require that every device used for work have device encryption, a passcode lock, remote wipe and other security features enabled.
Old firewall allowed constant attacks
In addition to making sure the devices are protected, IT also must sometimes make upgrades in-house to keep networks secure after BYOD programs are started. That was the advice given by Mississippi Department of Corrections (MDOC) network systems manager Jerry Horton when he recounted his organization’s BYOD security experiences in Baseline.
After allowing employees to bring their own devices, the organization thought it was protected by the firewall it already had in place. However, it soon became clear that the firewall was no longer able to monitor traffic at all ports. At one point, Horton says, MDOC was being hit by attacks three or four times a week.
The lesson: Before allowing employees to use personal devices full-scale, companies should test their systems and make upgrades accordingly. In Horton’s case, MDOC decided to add two next-generation firewalls after the initial BYOD security problems were encountered.
BYOD security policy threatens personal data
Sometimes, IT’s efforts to protect information security can cause other problems. That’s what happened recently when Mimecast CEO Peter Bauer lost a whole gallery of family photos and other personal information thanks to a BYOD policy he helped create.
The incident occurred while Bauer was on vacation with his family, when his daughter picked up his smartphone and tried to guess its PIN. After five failed attempts, the phone was automatically wiped, in accordance with the company’s policy, according to Network World.
The lesson: IT departments should make sure they balance security with as much protection for users’ privacy and personal data as possible. Whatever controls and policies are in place, it’s important that users are informed and sign a form acknowledging they understand what the company might do with their personal device.
The fear of losing personal data can also be used to IT’s advantage when training users on BYOD security. Offering tips about protecting personal information may get people to care more about taking the proper precautions, which in turn will help protect the corporate data on their devices.