Lost and found
Greenwood is hardly the only witness to the problems that can arise as a result of BYOD. Endre Walls, CTO of nonprofit Resources for Human Development (RHD), says employees who lost their personal smartphones, which they had secretly synched with their corporate accounts, posed a major data loss risk.
"Lost devices were a security issue for us, because if the user has our email prior to the implementation of our MDM and our policy, we were out in the wind," Walls says. "That was always a huge issue for us. A lot of times, the user needed to be able to put two and two together to know, 'OK, I lost the device, and this is a potential problem for the organization.'"
But few employees who had lost their personal smartphones ever thought to inform the IT department about it, even if that device had been synched with corporate apps. And the chances that these employees had taken it upon themselves to implement authentication on their personal devices were slim, "because there was no policy there [that] was anything saying 'you have to have a PIN on your phone,'" Walls says.
"Before the software and related policies were put in place, you could be talking about days before we even know anything happened," Walls says.
RHD now has the ability to wipe its corporate data and apps from an employee's personal device, and even offers a complete data wipe if an employee requests it. Just as importantly, the IT department makes all employees aware that any device that has been synched with corporate apps - no matter who it belongs to - needs to be secured if it's been lost.
However, employees don't even need to lose their device to accidentally leak sensitive corporate data. Ojas Rege, vice president of strategy at MDM vendor MobileIron, says many consumer devices are optimized for opening, viewing and saving documents in the cloud. This poses a risk that consumers may never consider.
"The No. 1 source of data loss on the iPad was email attachments," Rege says. "So, traditionally, when you're using email [in iOS] and you click on an email and there's an attachment and you click on that, it gives you this menu to open [the document] in all of the readers that you have on the device. So if you click on Dropbox, your corporate data is gone. Every email attachment is one click from the cloud on that device."
Naturally, these problems are enough to send any IT administrator rushing to deploy any mobile device management, network access control or mobile data protection software on the market. But deploying the software involves building a strategy, and that can be risky as well.
Sign up for CIO Asia eNewsletters.