If your organization has a BYOD (Bring Your Own Device) policy, there are a couple more things you’ll need: education for your employees and security on the software side.
We’ve spoken before about some of the technological and policy issues of BYOD for enterprises running mainframes.
Many of the concerns around BYOD in the enterprise revolve around the things organizations must do to protect their data. However, employees also have a responsibility for keeping data safe, and they should have a reasonable expectation of privacy for the non-work-related applications and data that they use. This is true both for company-owned hardware and for personal devices from which they use company applications and access company data.
In companies that have embraced BYOD, employees will want to know that their personal data is not accessible by their employers. For example, the company is typically able to see into an employee’s work email. But if the employee also has her personal email profile on her device, her manager shouldn’t be able to access that. Likewise, an employee may not want his boss to see his email correspondence with his oncologist. Does management have open-ended access to a mobile device’s GPS data? Many employees would consider their employer’s ability to track them through their mobile device an invasion of privacy. Employees may also not want their employer to see what other applications they have installed or what websites they visit on their personal devices.
What do employees need to know?
Employees can help keep company data safe on their personal devices by following some basic data security principles and taking steps to keep their personal devices as secure as possible. However, the IT security department will have to take responsibility for educating and training employees on how they can help keep data secure. They will need to teach employees:
— To be wary of public Wi-Fi networks and to use HTTPS (that is, connections protected by TLS, the successor to SSL) whenever possible
— To avoid downloading applications from unfamiliar websites
— What to do if a device is lost or stolen (who to contact, how to remotely wipe the data)
— What to do with an old device after an upgrade or after leaving the company (Will the old device be wiped completely, or will only corporate apps and data be removed? Does the business have the right to wipe the whole device if it is believed to be compromised?)
— What the device password requirements are
— That they should not jailbreak or root devices they use to access corporate data, since doing so strips away the platform’s built-in protections and makes the data more susceptible to breach.
Who is ultimately responsible for data security?
Companies also have to determine who is responsible for support. The IT department should expect to help employees with business applications, but will it also have to take responsibility for supporting many different types of devices? Probably not. Employees may need to turn to their carriers and device manufacturers for hardware- and network-related support.
IT security departments will always carry the bulk of the responsibility for keeping data secure. That is why they should place the bulk of the security requirements on the software side, which they control, instead of depending on device-level security practices they cannot enforce. The data should be secured on the mainframe’s side, not on the device side. A centralized identity and password management system helps the IT security department maintain control over access to the mainframe’s resources.
Employers need to be concerned with data security while also being sensitive to the user’s need for privacy. Employees, in turn, need to exercise common sense and take the time to learn the steps they can take to keep their devices safe and their business data secure.