BYOD - Bringing your own device. To work, home, on vacation, to the can... whereever it's convenient.
Lately there have been some misleading hype and confusion concerning the use of these gadgets when it comes to the workplace.
First, let's step back for a minute and take a moment to reflect upon exactly what these things are - remember the days before the TouchPad, the Smartphone or the iPad products? What did we do when we needed to work on documents away from work?
We did things like... take the paper documents home or with us in our briefcases. Think of the briefcase as the TouchPad of today. Now, ask yourself this: How is that different from BYOD?
What about more recent times when we emailed our documents to ourselves and then worked on them from our home computers?
Times have changed however, and I'm not talking about the technologies involved. I'm talking about the rules and regulations we have to follow, and the best practices we as employees must abide by - as opposed to the days of the old briefcase - when it comes to protecting the data with which we are entrusted.
The concept of BYOD is nothing new: it allows us to work out of the office on certain, mundane work projects, just like we did when we worked out of our briefcases.
The point: Let's not get convenience confused with security practices and concepts concerning the vigilance of data protection.
- You should not be emailing yourself work documents, as a general practice. This is why companies are now employing DLP products that prevent the employees from doing these sorts of things
- You should only be working on company documents if you are using the company's secure remote access solution. This assures the document(s) remain confidential, available and maintains its' integrity
- You also should not hand-carry paper documents, using portable electronic storage devices or using any other means to physically transport company data from out of the company's network, unless it is an authorized, approved solution sanctioned by the organization. Again, this assures the document(s) remain confidential, available and maintains integrity
- Finally, using cloud services or services such as Google Docs to store company data is another no-no, unless of course previously approved, or an approved solution
The days of freely man-handling company data are gone. Employees have additional responsibilities today to ensure the security of the information they are charged with and BYOD does not change any of this.
In fact, times are moving now where the organization can no longer afford to rely on "employee best judgments" or even an employee's intentions, concerning the handling of information.
Unfortunately, organizations can no longer afford to trust employees to do the right thing, when they are clear about what is right versus what is wrong. No amount of training or awareness can cure malicious intents or care-free attitudes.
Hence the advent of DLP implementations, anti-virus/malware programs, hard drive encryption, SIEM and other logging practices... even cameras at the work place.
I have seen reports that pit "users vs. IT". This is absolutely not an "us vs them" scenario, it is the duty of all of us to protect the data we are entrusted with, first and foremost.
The only reason it turns into an "us vs. them", or really, a "employee vs employer" scenario is because the users have failed to realize (or fail to abide by) the philosophy that we all share the common responsibility of keeping our information safe, and just as importantly, keeping our customers' information safe.
BYOD is not a new concept. Ever hear of a laptop? Do you bring your laptop to work expecting full and unfettered access? I don't care about the number of employees who BYOD to work and play Angry Birds.
It's just a new technology, but it's another technology that must follow the same data access and handling rules that apply to all other handling methods, whether it be a briefcase or a home computer. If the company provides secure remote access methods, use them.
The alternative is definitely not to expose our data for your convenience.
Now can we move on?