Building the best BYOD policy

The BYOD landscape is a minefield of issues for legal counsel and IT professionals to navigate. Here are some tips to stay ahead of the curve.

Imagine a situation where a regulator knows exactly what information concerning your business relationships with suppliers, customers and competitors is on your employee's iPad, but you do not.

Not a risk for you? Then imagine a situation where confidential or sensitive business information is leaked because it exists on an employee-owned device and that device is stolen or left on a train. If you allow employees to use their own devices for work, it could happen today or next week. Your information could be leaking right now.

If not now, these are exactly the situations that are likely to face businesses more often in the next five years unless steps are taken to actively manage BYOD (Bring Your Own Device) policies for the benefit of existing information governance frameworks.

BYOD is a concept that most companies now recognise as a feature of their business, whether they officially endorsed it or not. Our business behaviours are evolving at a rate that would make Darwin proud. To stay ahead of your competitors requires that business processes are carried out faster and more flexibly than before. BYOD is great for this but it also has its complications.

Living in the age of compliance

We live in an age of compliance, where the number of regulatory investigations has grown significantly over the last 10 years. Antitrust infringements have been vigorously pursued by national and international competition authorities. More recently, concerns about price-fixing have become one battleground in a greater war against corruption, driven by the economy (and austerity measures), by legislation (such as the Foreign Corrupt Practices Act in the USA and the Bribery Act in the UK) and by the media's renewed focus on morality (phone hacking, expenses, bonuses, tax avoidance and LIBOR).

This has also had the positive effect of encouraging businesses to conduct their own internal audits in order to foresee potential exposure to risk and to proactively embed a culture of compliance within their team. All of these types of investigations rely on analysis of electronic communications.

BYOD presents an opportunity for would-be information thieves, and not only in the ordinary sense. Attackers could single out businesses that have no formal BYOD policy. Hi-tech crime aside, there is always the risk that an employee is carrying highly sensitive data on their iPad and that the device is lost or stolen.

Enhancing an existing BYOD policy

So how should companies prepare themselves for BYOD? If you are asked to consider creating or enhancing an existing BYOD policy, here are some things that you should know:

• BYOD is probably happening anyway within your organisation, so there should be some rules to guide employees as to the extent of its permissible use. Even if you decide that BYOD is not allowed, you should have a policy which states exactly that and addresses the grey areas around use of personal devices for conducting business.

• Ericsson recently predicted that mobile phones will outnumber people within five years. In their Traffic and Market Report (June 2012), they observed that "mobile subscriptions now total around 6.2 billion. However, the actual number of subscribers is around 4.2 billion", suggesting that many people own (or at least use) more than one mobile device.

• If a person is engaged in misconduct or conduct that could harm the reputation of their employer, they could be using their own devices in order to evade detection.

• In December 2010 the Croatian Competition Agency established the existence of a cartel between two competing media agencies. Evidence was found in the SMS messages exchanged between senior executives at both companies.

• Inconspicuous devices such as iPods have enormous data storage capacity and have been used to steal information from business premises.

• Information on business mobile telephones could be at risk if users are permitted to use alternative SIM cards on those devices.

• The interaction of devices (i.e. the connection of a mobile device to a desktop PC or laptop) is traceable through the logs of the computer, meaning that records of device connections (detailing device types and serial numbers) can be audited.

• In some jurisdictions you cannot easily interrogate an individual's information held on a company-owned device without consent. In this jurisdiction, examining a person's own device without their consent or knowledge could result in a criminal prosecution under the Computer Misuse Act 1990.

• Records management interests are increasingly contemplated by HR and employment law professionals to the extent that the development of technology is now reflected in some modern employment contracts.

The BYOD landscape is clearly a minefield of issues for legal counsel and IT and HR professionals to navigate. The task of drawing up an organisational policy is complex and should not be considered a one-off task; new products enter the market frequently and updates to local laws can have an impact on existing BYOD frameworks.

What makes good policy

As a minimum, it is suggested that the following components should be addressed in any BYOD policy:

• Risk assessment. As a starting point, you should recognise that information, rather than devices, is the critical issue in the BYOD debate. Therefore your risk assessment should begin by asking what information you are trying to protect and what information you would need to be able to access in any given situation. Organising your business information into clear and recognisable categories is essential to any document management policy, especially one related to BYOD.

• Ownership of information. Consider who owns the information that may be held on an employee-owned device and what rights you consider the employer has to access it directly from the device.

• Ownership / registration of assets. Since assets can be numerous and varied, it is a good idea to consider the extent to which only registered assets may be used. If an employee chooses to use a non-approved device, it may be possible to detect its use through monitoring and auditing of the computer's registry (depending on the type of device connected). This can be used to identify whether 'foreign' devices have been connected and whether information has been copied to the device.

• Right to audit devices. Make sure that the right to audit and access information is clearly understood between the employer and the employee. Finding that you are unable to examine an employee-owned device could be highly problematic if the information is needed in a time-critical situation (such as to support a leniency application, or to prevent a fraud).

• Data privacy and human rights. Using part of the memory of an employee-owned device to store business information is going to be a problem because the remainder will contain personal and private information. Some of the measures that can be adopted to keep business information secure (below) could be helpful in keeping it separate from private information and centrally accessible.

• Security of business information. For BYOD to work, employees must agree to some controls designed to safeguard the information stored on their devices. At a basic level, encryption can be used to prevent unauthorised access to information. However, business-developed apps and cloud-type solutions can be used to ensure that business information is only accessed through the employee-owned device, never stored on it. If business information must be stored on an employee-owned device, then businesses may consider the usefulness of applications to wipe the device remotely in the event of a potential data breach. The ongoing security of confidential information should also be protected post-termination of contract, prompting the inclusion of BYOD issues in HR exit procedures.

Sensible curfews on the permissible use of employee-owned devices should be issued. For instance, employees should know never to plug an unrecognised device into a business network computer. Similarly, it may be helpful to devise rules that govern the use of webmail from a home PC or in an internet café.
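The earlier point that device connections are traceable through a computer's logs, and the suggestion under "Ownership / registration of assets" that a registry audit can reveal 'foreign' devices, can both be put into practice on the company-owned Windows PCs that employees connect their devices to. The PowerShell script below is an added example, not code from the article or from Kroll Ontrack. It reads the USBSTOR enumeration key that Windows populates for every USB mass-storage device it has seen, lists the device type and serial number recorded there, and flags any serial that is not on an approved-asset list. The function name Get-UsbStorageHistory and the approved-serial list are assumptions for illustration; the registry path is the default Windows location.

```powershell
# Added example (not from the article): list the USB mass-storage devices that
# have been connected to a company-managed Windows PC, as recorded under the
# USBSTOR enumeration key, and flag those not on an approved-asset register.
# Run in an elevated PowerShell session on the computer being audited.
function Get-UsbStorageHistory {
    [CmdletBinding()]
    param(
        # Key Windows uses to enumerate USB mass-storage devices (default path)
        [string]$UsbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',

        # Serial numbers from the organisation's asset register; anything else
        # is reported as a 'foreign' (unapproved) device
        [string[]]$ApprovedSerials = @()
    )

    if (-not (Test-Path -Path $UsbStorPath)) {
        Write-Warning "No USBSTOR key at $UsbStorPath; no USB storage device has been enumerated on this host."
        return
    }

    foreach ($deviceKey in Get-ChildItem -Path $UsbStorPath) {
        # Subkey names follow the pattern Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        foreach ($instanceKey in Get-ChildItem -Path $deviceKey.PSPath) {
            $props  = Get-ItemProperty -Path $instanceKey.PSPath
            $serial = $instanceKey.PSChildName

            # For most devices the instance ID is the unit's serial number. When a
            # device reports none, Windows synthesises an ID whose second character
            # is '&', so such entries cannot be matched against an asset register.
            $hasRealSerial = ($serial.Length -gt 1) -and ($serial[1] -ne '&')

            [pscustomobject]@{
                DeviceType    = $deviceKey.PSChildName
                SerialNumber  = $serial
                FriendlyName  = $props.FriendlyName
                HasRealSerial = $hasRealSerial
                Approved      = ($ApprovedSerials -contains $serial)
            }
        }
    }
}

# Constructed example of an approved-asset list (hypothetical serial); replace
# with the serials held in the organisation's own device register.
$approvedSerials = @('0123456789ABCDEF&0')

Get-UsbStorageHistory -ApprovedSerials $approvedSerials |
    Sort-Object DeviceType, SerialNumber |
    Format-Table DeviceType, SerialNumber, FriendlyName, HasRealSerial, Approved -AutoSize
```

USBSTOR entries persist after a device is unplugged, which is what makes the audit useful, but they can be deleted by anyone with administrative rights, so for a time-critical matter such as a leniency application the output should be corroborated with the Windows setup log (C:\Windows\INF\setupapi.dev.log), which records first-installation times for the same devices. The script lists connections only; it does not show what, if anything, was copied, so file-access auditing on the host is still needed to establish that.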

Adrian Briscoe is the general manager Asia Pacific of Kroll Ontrack.
