He notes that if you determine the BYO risks are too high for your organization today, you should at least make sure to stay abreast of developments. If you decide the risks are acceptable, make sure you establish a well-structured BYOx program.
"Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices," he adds.
And realistically, Durbin says, expect that your users will find a way to use their own devices for work even if you have a policy against BYOx.
"It's a bit like trying to hold back the tide," he says. "You may stop it from coming onto one little bit of sand, but it will find a way around it. The power of the user is just too great."
5. Engagement With Your People
And that brings us full circle to every organization's greatest asset and most vulnerable target: people.
Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach, Durbin says, was to take their biggest asset -- people -- and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.
But this has been -- and will continue to be -- a losing proposition, Durbin says. Instead, organizations need to make positive security behaviors part of the business process, transforming employees from risks into the first line of defense in the organization's security posture.
"As we move into 2015, organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that a?ect risk positively," Durbin says. "The risks are real because people remain a 'wild card.' Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure 'the human element' of information security. In essence, people should be an organization's strongest control."
"Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in 'stop and think' behavior becoming a habit and part of an organization's information security culture," Durbin adds. "While many organizations have compliance activities which fall under the general heading of 'security awareness,' the real commercial driver should be risk, and how new behaviors can reduce that risk."
Sign up for CIO Asia eNewsletters.