Perspectives Newsletter

Spring 2013


BYOD Doesn't Always Have to be a Risky Proposition

Is your organization resisting the “bring your own device” (BYOD) craze? If so, it might not be able to hold out much longer.

Mobile devices appear to be exploding in popularity with no signs of easing up. At a recent mock debate held at the IAPP Global Privacy Summit, our panel focused on the differences between employer and employee views on BYOD and corporate policy. The panel pointed out the discrepancy between how corporations expect employees to use personal devices in the workplace and what employees understand the terms of use to be. It is a hot topic for today’s employers. The fact is that more smartphones were sold last year than laptops and desktops combined.[1] And a study conducted by Varonis found that 86% of the respondents were “device obsessed,” meaning they check their emails, texts and voicemails all of the time.[2] This obsession then flows into the workplace, where another study found that 78% of the respondents were allowed to bring their own devices to work.[3]

While the BYOD phenomenon may make employees happy, it can create quite a stir among executives and IT pros. And rightfully so. Without the right policies and technology in place, a BYOD program can lead to an increase in data breaches, often resulting in the loss of customers, partners and an organization’s reputation.

Here are four tips to help mitigate the risks of a BYOD program.

1. Policies are important

There are two types of policies that can be implemented with a BYOD program, according to industry experts. First, an “acceptable use” policy can be implemented to protect your organization from guests’ activities that could pose security risks.

Second, and perhaps more important, would be the establishment of security policies. These policies are designed to protect sensitive company data, including customer information. To reduce the risk of losing sensitive information, the policies should define the data and clearly spell out who can have access to it and under what circumstances. As was highlighted during the BYOD Mock Debate at IAPP, the disconnect between organizational policies and employee recognition of these policies can create a significant security risk. 

For example, an employee might download questionable material or open a link containing a virus that quickly spreads throughout the organization. Under more extreme circumstances, you may have an employee who downloads sensitive customer data to their own device and later sells it on the dark web.

To avoid these unfortunate situations, organizations need to have strict policies. And the policies need to include penalties to make them effective.

2. Don’t forget about encryption  

Encryption on mobile devices continues to be problematic. Only 24% of the companies in the Varonis study encrypt mobile devices.[4] This is a significant risk to organizations because a common cause of data breaches is the loss or theft of unencrypted devices. Mobile devices that contain sensitive data should be encrypted with up-to-date software that can restrict who has access to that data.

3. Mobile Device Management (MDM) software should be incorporated

BYOD programs should also incorporate MDM software. MDM typically includes over-the-air distribution of applications, data and configuration settings. This type of software can reduce the risk of a data breach by controlling and protecting the data and configuration settings for all of the mobile devices in your network. The BYOD Panel Mock Debate at IAPP also discussed the need for separating personal data from company data on mobile devices, and the need for MDM. Data stored using cloud-based services further adds to the complexity and the need for MDM.

4. Multi-factor authentication adds more protection

Organizations would be wise to use at least two-factor, if not three-factor, authentication in their BYOD program. Unfortunately, many employees who bring their own devices still just employ a username and password to access their device for work. With two- or three-factor authentication, it becomes much more difficult for a thief or unauthorized individual to access that device.

Since the popularity of mobile devices is expected to continue to grow, businesses must prepare for the trend. Organizations may be able to increase productivity by having employees use their mobile devices, while still limiting the risks of a data breach by developing a solid, secure BYOD program.

To watch the live panel debate, visit http://www.ustream.tv/ExperianDBR


[1] HP 2012 Cyber Risk Report

[2] Varonis BYOD Research Report, January 2013

[3] “Is Your Company Ready for a Big Data Breach,” Ponemon Institute, March 2013

[4] Varonis BYOD Research Report, January 2013
