Security and legal ramifications of BYOD
By Fred Donovan (Part of an FMIT special report Making BYOD work)
Security threats posed by BYOD keep many CIOs and IT managers up at night. The threats range from loss of sensitive data to the introduction of malware into corporate networks. The loss of data, particularly in regulated industries such as healthcare, can result in significant legal costs in the form of breach notification, credit monitoring services and lawsuits.
Numerous surveys have shown that security issues top the list of BYOD concerns for IT professionals. According to a survey of 1,600 members of LinkedIn's Information Security Group, three-quarters of respondents said loss of company or client data was their top security worry, followed by unauthorized access to company data and systems, and fear of malware infection.
Reflecting on the survey results, Ken Hess of ZDNet observes: "Clearly, security is a huge concern for companies. However, those fears have less to do with BYOD and more to do with mobile devices in general. Malware actually should be a bigger concern than it is. I don't think the majority of respondents understand the true size of the malware threat."
Is Mandatory Encryption the Answer?
To prevent data loss, these IT professionals use mandatory encryption, endpoint integrity checking, and auditing of mobile devices, according to the survey. More than one-third of enterprises have no risk control measures in place.
Unfortunately, two-thirds of organizations do not enforce their mandatory encryption policies, according to Gib Sorebo, chief cybersecurity technologist at SAIC.
"Corporations are trying to deal with the BYOD security problem through a number of different ways. One of these ways, particularly for USB drives, is to mandate encryption. That really hasn't worked that well," Sorebo observes.
Surveys conducted in 2012 found an increasing disconnect between IT and employees over BYOD security. According to an IDG Research survey, more than two-thirds of employees are using their personal devices to access the corporate network, yet few want security controls placed on their devices. Another survey found that a majority of enterprises admit that their employees use mobile apps that violate corporate policies. And a multinational survey of 4,374 IT practitioners by the Ponemon Institute for Acronis revealed that a majority of companies continue to put critical data at risk.
Even firms that have BYOD policies in place make exceptions for executives, who often handle the most sensitive data on their mobile devices. More than three-quarters of companies have not educated employees about the privacy risks from BYOD. Only 31 percent of firms mandate a device password or key lock on personal devices, and only 21 percent perform remote device wipes when employees leave the company, according to the Ponemon survey. Firms that do not protect privacy could face lawsuits from disgruntled employees.
In addition, not all employees see a link between their personal liability, the company's legal obligation to conduct business safely, and the quality and support of IT devices, according to Gartner.
Determine Risk Tolerance
Enterprises that decide to allow BYOD should determine their "risk tolerance." Sensitive data loss can cost much more than enterprises expect. According to the 2013 Cost of Data Breach Study compiled by the Ponemon Institute and Symantec, a data breach cost a U.S. enterprise an average of $188 per record lost and $5.4 million per incident. The number of lost records per data breach in 2012 ranged from 2,300 to more than 99,000, with the average in the United States being 28,765 records lost.
Enterprise costs from data breaches include the detection and response to the breach, notification to victims and regulators, customer retention efforts and lost business. The report is based on the data breach experiences of 277 companies in nine countries including the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia and Brazil. To derive the cost estimates, Ponemon interviewed more than 1,400 individuals at these companies over a 10-month period.
Data breach costs could also involve class action lawsuits by breach victims and regulatory actions, including fines. For example, organizations in the healthcare industry could face hefty fines from the Department of Health and Human Services for data breaches. In the summer of 2013, HHS levied million-dollar fines on two companies for data breaches involving sensitive medical information. As more and more healthcare enterprises allow physicians and medical staff to bring their own devices, data breaches involving medical information will increase.
Enterprises can no longer ignore BYOD security or hope that BYOD security issues will take care of themselves. They need to develop strong BYOD policies and employ technology, such as mobile device management, to enforce those policies. Otherwise, they will become yet another headline in the long, sad parade of data breaches.