Survey: BYOD Security Policies Must Also Address Privacy
More employees are using mobile devices--that doesn't mean they want the company poking into their personal information. Learn why BYOD security policies must tackle privacy.
July 24, 2012
Enterprises have been so caught up in the scurry to develop BYOD security strategies that protect corporate resources that they have overlooked the inherent privacy issues around controlling and monitoring personal information on devices employees own.
"A lot of conversation about bring your own device is around how to make corporate data secure," says Purnima Padmanabhan, chief operations officer at Moka5, a virtualized desktop company. "But I think a bigger part of this discussion is how to keep personal data private."
It's a sticky situation with both legal connotations and the potential to set off a firestorm of controversy among employees if handled poorly. In fact, a survey of more than 335 technologists released by Moka5 last week showed that even among IT workers--those who recognize the importance of controlling user access to corporate data--77% think current mobile device management (MDM) approaches are too intrusive on employees' privacy.
There have been a number of litigated cases over the years that have set precedent for employer monitoring of user behavior on corporate devices and PCs. But the legal expectations of privacy concerning personal devices aren't nearly as clear yet. According to David Navetta, founding partner of Information Law Group, organizations need to be aware that the fact that the employee owns the device could be a game-changer.
He says organizations have to tread carefully, balancing their BYOD security goals with employee privacy concerns and potential legal limitations.
"Expectations of privacy in this context may be higher because a personal device is at issue, and this should be taken into account by companies considering a BYOD strategy and informing their employees of privacy-related issues," he says. "If monitoring or an investigation is necessary, organizations should design their efforts in a manner that seeks to minimize the potential exposure of personal and private information."
However, this caution needn't cause organizations to can their BYOD plans altogether. Moka5's survey reported that 88% of organizations currently have users connected to enterprise resources--whether sanctioned or not. According to Craig Mathias, principal at analyst firm Farpoint Group, the propensity of workers to turn their noses up at corporate device policies indicates that a higher level of "consciousness raising" among users is needed. BYOD security training should focus on the message that the privilege of accessing corporate information with their devices brings with it certain responsibilities and limitations.
"Yes, BYOD is here to stay. But it means carrying one device of your own choosing within reason--BYOD does not mean bring every device," he says. "If you have a reasonably restricted universe of devices to choose from and you have the right tools in place to manage them and the right policies and you've raised consciousness, BYOD can be eminently successful."
As organizations define those limitations, they need to consider not only the legal and corporate culture implications around policy, but also the reality of how BYOD is already being practiced in their environment.
"Policies should not be aspirational and should reflect the 'reality on the ground' as closely as possible," Navetta says. "If certain BYOD activities are already taking place, it may be necessary to develop policies that reflect those activities or terminate or limit certain activities on a going forward basis."