On August 13th, three Privacy Commissioners (of Canada, British Columbia, and Alberta) issued guidelines informing businesses of the risks in implementing bring-your-own-device (BYOD) programs, and with good reason.
Before proceeding, here is a quick refresher on BYOD programs. BYOD is an extremely popular trend in which employees bring personally-owned mobile devices to the office for work purposes (we’re talking, of course, about devices like smartphones, tablets, or laptops). The significant point here is employees are accessing sensitive company information through these devices.
Many managers know about and implement BYOD programs, and with the recent increase in mobile device usage and ownership, BYOD might seem as a viable alternative to business-owned IT. What employers sometimes ignore are the risks associated with this type of program. All three Privacy Commissioners voiced important concerns about BYOD in their joint press release.
"Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risks – particularly when one world collides with the other," says Privacy Commissioner of Canada Daniel Therrien. "Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them."
"Both IT professionals and staff participating in BYOD programs need to be trained on acceptable use policies and other responsibilities. Without buy-in from senior management, companies may not provide the resources and support needed to effectively implement these programs to protect both employers and employees," adds Jill Clayton, Information and Privacy Commissioner of Alberta.
"Companies also need to bear in mind that despite their best efforts, bad things can happen. Devices may be lost or stolen and personal information may be compromised," says Elizabeth Denham, Information and Privacy Commissioner for British Columbia. "Having a formal incident management response plan in place is crucial to ensuring incidents are detected, contained, reported, investigated and corrected in a consistent and timely manner – as is employee training and awareness of the privacy and security risks."
The concerns of the Privacy Commissioners are in line with statements and articles that we at Cimpl have been putting out for years. The logic is simple: You cannot apply the same security measures/usage restrictions on employees’ personal devices as you would to company-owned IT.
That’s why upper management in companies must conduct a full assessment of the risks and rewards of BYOD programs and address them before considering implementing this type of policy. To further quote the Privacy Commissioner of Canada,: “Rules governing the acceptable use of devices, corporate monitoring, the sharing of devices, app management, connection to corporate servers and responsibility for security features, software updates and voice or data plans should also be explicitly laid out in a BYOD policy.”
These rules must be set in place in order to maintain control over the use of company data and sensitive information. If this is not done correctly, there will be increased chances of data breach, information leaks, and other general security risks – all of which could jeopardize the company.
Reading the guidelines by the Privacy Commissioners is a good start to learning how to navigate these risks. In addition, Cimpl offers a free practical guide on BYOD that outlines the proper steps in how to set BYOD policies. Our guide also describes alternatives to BYOD that could benefit you.
Does your current wireless strategy include BYOD? Do you have a BYOD policy in place?