
Deploying BYOD: Raising concerns for Global Users’ Privacy Rights

By agreeing to a BYOD policy, employees give up some control over their device

Bring your own device (BYOD) has emerged as a critical cog in the evolution of the modern-day enterprise. There are specific business advantages that an enterprise can achieve through BYOD implementation: heightened employee productivity due to greater satisfaction, and a significant drop in the cost of supplying and maintaining hardware, to name a few. An increasing number of corporates are allowing their workforce to bring in personal mobile devices and granting them access to enterprise applications in the coming years to enhance business agility. A recent report by research firm IDC pegs the estimated growth of the BYOD market in Asia Pacific (excluding Japan) at 40.4% in 2014.

That said, the repercussions of BYOD on corporate security are being seen as a challenge of mammoth proportions by IT departments that formerly exercised seamless control over the entire enterprise IT network. As employees access the corporate network through a wide gamut of devices ranging from smartphones to tablets and laptops, data security breaches have become commonplace.

Many organizations are struggling to fully delineate the impact of BYOD on their security posture and to establish acceptable procedures and support models that balance their employees’ needs against their security concerns. It is crucial to have a BYOD policy in place that not only protects corporate data, but also follows regional laws on respecting employee privacy. Encryption, PIN enforcement, installation of anti-malware and anti-virus protection on the device, and mobile device management (MDM) tools all have the potential to violate a user’s right to privacy. In most countries, organizations can’t legally do any of this without consent from the employee.

BYOD Policy - Being Transparent with Employees

While developing a BYOD policy to enforce security in an organization, it is important to be transparent with one’s employees about their responsibilities as dictated by the BYOD policy. Not only must employees sign off on protecting company data, they must also have a complete understanding of what they are signing, and the organization must take them into confidence regarding the implications of the policy.

In other words, by agreeing to a BYOD policy, employees give up some control over their device and should expect a loss of personal privacy. They need to understand that, with access to their personal device, IT can lock, disable and wipe the data from the device (or delete all data on the phone), and view browsing history, personal emails, chat and messaging histories, pictures, videos, and other media. Beyond knowing what IT can do, users must understand exactly what will happen if the device is lost or stolen, or if they leave the organization.

One-Size-Fits-All BYOD Policies – Global Outlook

Since privacy laws differ from country to country, global organizations may find it especially challenging to implement a common, one-size-fits-all BYOD policy that applies business-wide. In India, the regulations on users’ right to privacy are not comprehensive enough. The proposed Right to Privacy Bill is pending approval from the government. Ovum’s report, “International Data Privacy Legislation Review: A Guide for BYOD Policies,” discussed how data privacy laws differ across seven countries (the U.S., U.K., Germany, China, Australia, France, and Spain), but two main points are consistent across all of them:

1. Adequate measures must be taken by organizations to ensure that client or patient information, or any other personal data that they process, is secure.

2. Employees must provide consent for their private data to be accessed and processed by an organization.

Organizations have struggled with presenting the end user with an “agreement” that protects both the users’ privacy and the organization, legally and technically. As many users work remotely, the paperwork or validation of legal agreements can be an expensive affair. Fortunately, there are ways to help organizations grant or deny access by presenting end users with a dynamic remote access usage agreement. Even when the user is at a completely remote location with nothing but network access, organizations can present the agreement over the VPN connection, and that agreement can be regionally specific and updated as needed.

A real and comprehensive solution to the problem is not limited to the legal paradigm; it needs to be technically relevant as well. Companies need to employ BYOD in a way that technically assures protection of their data when it is accessed from a personal device. Most importantly, while doing all this, organizations need to ensure that they remain cost efficient. Fortunately, secure mobile access solutions can now support a capability called per-app VPN, as well as endpoint control. These technical features restrict a requested VPN connection so that data flows only from a defined network to a specific application on the mobile device (per-app VPN), and also let the organization require the presence or absence of particular applications on the remote device before access is granted (endpoint control).

The bottom line is that a company needs not only to obtain all the legal agreements between itself and its users without costly interactions or delays, but also to ensure that the data lands only in targeted applications — whether they are common or custom apps, or an MDM solution. If this can be achieved without requiring special app-wrapping, application deployment challenges will be radically simplified.

Keeping Away from Compliance and Regulatory Violations

In the absence of a one-size-fits-all template for BYOD policies, having the capability to treat each user differently is critical. If an organization can customize the means of obtaining consent for different users in various geographies, the enterprise can keep track of each user’s acceptance of the terms. If consent collection is an automated part of the workflow, it will also protect the organization by ensuring there is an audit trail.
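As an added illustration (not code from the article or from Dell), the following Python sketch ties together the three mechanisms described above: a region-specific usage agreement whose current version the user must have accepted, an endpoint-control check for required and prohibited apps, and an audit record of every decision. The agreement texts, region codes and app identifiers are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed regional agreement texts (placeholders, not real legal text).
AGREEMENTS = {
    "IN": "Constructed IN agreement: IT may lock, wipe and inspect the device.",
    "DE": "Constructed DE agreement: only the managed work container is monitored.",
}

# Constructed endpoint-control policy; the app identifiers are hypothetical.
ENDPOINT_POLICY = {
    "required": {"com.example.mdm-agent"},
    "prohibited": {"com.example.root-tool"},
}


def agreement_version(region):
    """Short hash of the regional agreement text, or None if no agreement exists.
    Any change in wording yields a new version, so stale consent is never reused."""
    text = AGREEMENTS.get(region)
    if text is None:
        return None
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def evaluate_access(user, region, accepted_versions, installed_apps, audit_log):
    """Decide whether to grant remote access and append an audit record.

    accepted_versions: agreement versions this user has already accepted.
    installed_apps: app identifiers reported by the device's endpoint agent.
    Returns (allowed, reasons); reasons is empty when access is allowed."""
    reasons = []
    version = agreement_version(region)
    if version is None:
        reasons.append(f"no-agreement-for-region:{region}")
    elif version not in accepted_versions:
        reasons.append(f"consent-missing:{version}")  # present agreement, then retry
    apps = set(installed_apps)
    missing = ENDPOINT_POLICY["required"] - apps
    if missing:
        reasons.append("required-app-missing:" + ",".join(sorted(missing)))
    present = ENDPOINT_POLICY["prohibited"] & apps
    if present:
        reasons.append("prohibited-app-present:" + ",".join(sorted(present)))
    allowed = not reasons
    audit_log.append({  # the audit trail the article calls for
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "region": region, "agreement": version,
        "allowed": allowed, "reasons": list(reasons),
    })
    return allowed, reasons
```

A denied decision with a `consent-missing` reason is the point at which the gateway would present the current regional agreement and record the acceptance before re-evaluating.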

Adherence to regional privacy laws is something every organization doing business globally should take seriously. The risk landscape of a BYOD deployment must be assessed carefully. Protection of data in the corporate data center, as well as data in flight and data stored on the device, is high on a CIO’s priority list. It is also imperative to protect the corporate network from malware that can enter through mobile access. But while ensuring data security, an organization must safeguard itself against the financial risks that arise from not having the requisite permissions from end users to monitor their personal devices — the penalties for failing to do so can be a pain point for the business. However, in the Indian context, a concrete framework for user privacy needs to be charted before a structured BYOD policy reflecting the Indian ethos can emerge.

Shared by Murli Mohan, General Manager, Dell Software.

Views and opinions expressed in this article are those of the authors and do not necessarily reflect or represent the views and opinions held by DC.

(Source: dc)