You also have a change in attitude and practices, such as many people being involved in social media. We're seeing the bright line between home and work disappearing. Employees are becoming a little bit lax about the type of sensitive information they bring home to work on, maybe a list of credit card numbers of customers or source code that a company relies upon to really distinguish itself in the market.
Once they bring it home, the [information] could be subject to sharing across different devices and repositories. Have they showed it to a friend or family member?
Sound and comprehensive policies and procedures are certainly needed in the modern BYOD environment, but they're often not good enough by themselves. Most policies need to be updated to take into account the various places that employees will be using their devices, such as home use, the avenues through which data can travel, and the different types of communication that are occurring, such as Facebook, Twitter and text messages. They also need to come with good training and practices behind them.
Recently, the head of my lab and I put together a top ten list of security assessments based on the breaches we've seen. One of them is the lack of any consequences for poor security at the individual level. We think it's a good policy to make sure that security is not just part of an overall HR policy but, especially for some people, it's part of their annual performance evaluation.
A bad leaver is going to wreak havoc anyway. Isn't this more of an HR issue than an IT one?
Good policies come from the top down and through the HR department. There should be consequences for both good and bad behavior. That is the human side of it.
But it's not just about the humans. You also have to have a lot of network controls in place. I don't think HR can pass it off on IT, or IT can pass it off on HR. In fact, the number one issue we see in our security assessments is the lack of appreciation for security at the top levels of a corporation.
Does a BYOD policy open the door to hidden legal costs?
Yes. In bad leaver cases, the hidden legal costs come from the additional collection and review that must occur whenever you have a number of mobile devices involved in a case.
You're going to have more data, more types of data, more devices, more repositories. Instead of grabbing a forensic image of a laptop or desktop, now you need to have four or five different forensic images to grab. In the messiest situation, you'll have a lot of co-mingled data typically occurring on a home computer and in a home email or cloud-based account.