We're all walking around with desktops in our pockets, potential breaches in our britches, and we are not adequately protected in our Bring Your Own Device (BYOD) culture, says George Mason University Information Systems and Operations Management professor Nima Zahadat.
Zahadat cannot comprehend how we can be so dependent on our personal mobile communication devices and yet so nonchalant about protecting the confidential work data accessible on them.
In an ongoing follow-up study to his earlier work, "Effect of BYOD on Today's Enterprise Security Systems," Zahadat has created a framework for employers to deal with the BYOD issue—if they are willing to acknowledge there is one, regarding the enormous amount of work information available on devices not owned or monitored by employers.
"Nobody likes to mention it, but this is a huge problem," Zahadat says. "It's at every level of the government, of corporate America. But there's practically no research in the area. Most researchers don't even touch it because they don't know what to do with it.
"Companies have to get over this idea that it's not about the desktop. It's a whole new paradigm that people in IT and management have to embrace."
Mobile device management (MDM) tools, regardless of their claims, do not fully secure smartphones and tablets, Zahadat says. Safeguarding the devices will require a combination of technology, policy and user responsibility.
Think about the sensitive work information stored on our personal devices, on which we mindlessly toggle between business and amusement: A doctor uses her personal iPad to photograph a patient's medical record for consult, and the record later gets transmitted unwittingly. That's a serious privacy violation. A vacationing executive downloads a sensitive corporate document and later has his phone stolen. Company secrets are now in the hands of a stranger, or a competitor. Or we lose our phone and have no idea whom might now have access to company data.
"This happens on a regular basis," Zahadat says. "We don't like to talk about it. But this happens all the time."
Most employers have not been inclined to address the BYOD issue, Zahadat says, because they are accustomed to benefiting from these devices for free. The employers are not buying the phones; they're not training employees on how to use them; they're not paying for upgrades to the devices; they're not providing technical support; and they're not paying for the airtime charges. The employee foots all of these costs. But with that hands-off approach comes risk for the employer.
Restricting mobile devices, such as the military or government does in highly classified areas, would not work in the business world, where we all want uninterrupted access to our phones. Issuing work phones would be costly and confusing, requiring an extensive infrastructure, and inevitably would lead to more lost and stolen devices.
Instead of issuing their own devices, Zahadat says that companies would be better off formulating and enforcing a policy that encourages employees to use their smartphones and tablets in a way that minimizes risk to the employer.
In his latest study, Zahadat has created templates that take into account the needs of a company and then recommends the proper technology, policy and employee cooperation needed to secure the BYOD devices.
For instance, part of a policy can include requiring a phone to have a VPN (virtual private network) subscription service that enables private use on a public network and encrypts the information. Another example would be a "container" approach that would allow access to data in a restricted form. Transferring data could be permitted only via encrypted sessions that require special authentication to access.
Employees also could be required to promptly report lost or stolen phones, with the company having the option of locating the device by GPS or wiping it clean. These strategies, however, raise privacy concerns.
Under Zahadat's framework, employers also would need to make sure that the security requirements are easily and frequently explained and reinforced, with clearly defined consequences for repeated or serious violations. Policy reminders, via texts and e-mails and, most importantly, in meetings, would become part of the work culture.
A hassle, yes. But quite possibly a necessary one.
"Most managers have a policy of 'I just don't want to even deal with it. I'm sure people are behaving.' Then when something goes wrong, they try to bring down the hammer. That doesn't work.
"If you make the policy implementation ongoing, it becomes part of the fabric, structure and operation of the organization," Zahadat says. "Really, that's the only way to do it. There is no shortcut."