What can organizations do to address BYOD privacy concerns?
BYOD conveniently puts work and personal data on one device, but this creates privacy concerns. Organizations should take steps to ensure both employee privacy and device security.
A BYOD model frees employees from carrying multiple devices, but storing both personal and work data on one device gives way to privacy concerns.
The BYOD model allows employees to use their personal devices to access corporate resources while also allowing the organization to manage components of the device and ensure compliance with security standards and practices.
To successfully deploy a BYOD model, however, organizations must rethink their security strategy. End users may have concerns about how much control and visibility IT has over their devices, which requires IT to carefully consider what types of policies and security controls should be on employee devices, balancing risk and privacy.
Another issue that BYOD presents for end users is how it can blur the lines between work life and personal life. Some employees prefer to use their personal devices for work, but having access to email and other corporate resources in and out of business hours can negatively impact employee work-life balance, resulting in added stress and privacy concerns if employees feel an expectation to work outside of business hours.
The challenges with privacy and BYOD
Some concerns from both employees and employers about data privacy with BYOD include the following:
- company data security vs. employee device and information privacy;
- employee access to work data vs. work-life balance;
- forcing security compliance measures such as OS updates vs. device freedom; and
- employer cost savings vs. employee compensation for using personal mobile data plans to access corporate resources.
Security and privacy concerns factor into every decision that an organization makes, especially when taking the unique risks that come with BYOD into account. For example, allowing email on a personal device is a seemingly simple decision. However, it can be difficult to enable proper security controls such as data loss prevention (DLP) and restrictions on data sharing between corporate and personal apps. While organizations must take steps to secure corporate data, employees are often concerned about how much personal data their company can see and control on their devices.
IT administrators will often leverage management platforms such as mobile device management (MDM) to manage employee devices and distribute company resources such as email and applications. While these technologies are useful, they can add to end-user privacy concerns about how much visibility IT has into employee devices.
So, what can employers access, and not access, on an employee's device with MDM? An IT administrator can utilize several MDM functions to ensure device and data security. There is a difference in what IT can do and will do, however. Although tools such as MDM enable essential security functions to secure device compliance, not all organizations will make the most of all these features. Additionally, with new programs from both Apple and Google, some of these functions are disabled on employee-owned BYOD devices:
- lock devices remotely;
- remotely wipe and remove any corporate applications and data;
- view applications installed;
- view phone number;
- view device identifiers, including serial and International Mobile Equipment Identity (IMEI); and
- restrict access to certain features of the device and services, including DLP controls.
Performing a full hard reset is another function, but this feature depends on how a device is enrolled, leveraging Apple enrollment programs such as User Enrollment and Google's Android Enterprise Work Profile. With MDM, IT teams can also monitor GPS and location information -- if the MDM embeds this directly, or via third-party applications. This still requires end-user interaction and acceptance of application permissions, however.
Apple and Google both list what an MDM can and cannot see and do on an Apple device and on an Android device, respectively. To see information such as browser history, additional third-party tools are necessary.
Actions organizations can take
Organizations can take a few measures to ensure that BYOD smartphones are secure and that employees maintain the control and privacy they need on their personal devices. There are two major steps that organizations can take: enforcing a BYOD policy and deploying an MDM platform. These two steps also work together, as IT can use MDM to enforce certain aspects of a BYOD policy such as remote wipes and OS updates.
Build a BYOD policy
The first thing that any organization should do after deciding to allow the corporate use of employee-owned devices is create a BYOD policy. This should include guidelines for mobile security, privacy and other aspects of device management. Next, IT teams should build appropriate procedures and documentation for device enrollment. This is tied to users' ability to access corporate resources, support and troubleshooting paths.
Policy considerations can include the following:
- device requirements
- minimum OS-level requirements
- company stipend
- lost, stolen or damaged devices
- privacy and corporate visibility
Remember that BYOD does not mean Bring Your Own Everything
While BYOD smartphones make sense for many organizations, this doesn't mean they should 'bring-your-own' with all other devices, accounts or services. If a device is too old or the manufacturer doesn't support it anymore, it may be vulnerable due to its lack of security updates. When creating a BYOD policy, organizations should specify what OS version they allow, at minimum. To take it a step further, a recommended device list for employees is useful. Apple can be easier in some ways because they have an excellent track record for supporting their devices for a long time after their release. Google offers an Android Enterprise Recommended Directory, which IT administrators can leverage for preferred devices. The directory lists Android devices that have gone through specific certification with Google to support at least one year of OS updates and three years of security patches.
Many organizations use MDM to ensure that devices comply with corporate policies and security standards. MDM can enable security features such as remotely wiping data if a device is lost or stolen, so it is often essential for organizations that have legal requirements such as HIPAA. The process of choosing an MDM platform requires organizations to consider many factors, as there are a wide array of MDM platforms available.
Once IT selects an MDM offering, IT must deliberate on the types of policies and controls it distributes to personal devices, keeping user privacy and control in mind. Fortunately, most MDMs help IT administrators define appropriate policies for corporate-owned vs. BYOD devices, depending on how IT enrolls a device. Still, components such as always-on VPN, hard reset and others may be more privacy-averse, so IT will have to carefully think them through.