BYOD security depends on data risks, employee behaviors

The best way to implement a secure bring-your-own-device program is to focus on data risks and employee behaviors, not on the technology. That, at least, is the consensus of a panel of IT and legal experts at the recent London SC Congress 2014.

Asked how organizations should best go about ensuring security with a BYOD program, panelists said that focusing on technology solutions is one of the worst and most common mistakes that companies make, according to an article at Computer Weekly.

"Any enterprise cannot apply appropriate controls before it understands how employees are using mobile technology and it does a risk assessment to ascertain if there are any privacy issues," Rick Doten, chief information security officer at the enterprise mobility firm DMI, was quoted as saying.

Another common mistake organizations make is failing to properly define what they are trying, or need, to defend.

"The biggest danger of BYOD is not understanding the risks," Paul Swarbrick, global chief information security officer at legal firm Norton Rose Fulbright, was quoted as saying. "Security should be about the technology; it should be about the data and protecting that data wherever it is used, and about educating employees to access data securely."

Panelists agreed that:

  • Technology solutions should be determined by business needs

  • Data protection on mobile devices should match that on the enterprise

  • Levels of protection required should be identified before applying controls

  • Behavior and device should be established first, and communicated to employees 

  • Employee devices should not be subject to tracking without that being explained up front
