It’s Not Just BYOD Policy Anymore
I wonder how many companies or firms are still pondering their first BYOD policy. One would almost assume that this decision is one whose time has passed, that just about everyone would have addressed how they are going to live with employee use of their own devices. But, for those who haven’t, the bad news may be not just that they are behind that curve…the road ahead of them has an even sharper curve, one that can make seasoned policy-makers shudder and make policy implementers and enforcers cry out loud. That looming issue is intrinsically connected to BYOD; it just expands the playing field, not so much in stating the policy itself as in enforcing and managing it.
The prickly issue is – portable device application management…identifying the problem of users storing, sharing and, more often now, creating company documents in applications that are out of the company’s control. I just looked at the Share function for one popular blog that I follow; when I clicked on the Share button, a screen with 84 different application icons came up. That’s 84 (!) different places that one document can be routed by the person reading the document.
Now, granted, one employee is more than likely not utilizing anywhere near 84 apps to stick company documents out of reach; but the staggering number of social sharing and media storing apps makes tracking and restricting access very difficult, without even mentioning e-discovery. Companies have to face the reality that users are more and more likely to be using these apps as part of their BYOD, whether the company has a policy, approves BYOD use, or not…they are just going to do it. As a recent Technologist article ably points out, BYOD policies are a good and necessary thing to have, obviously…but the very actions the policies exist to manage are extremely hard to control. As their article states, if the employee is using a company-approved device, maybe…just maybe…the documents being stored/shared are backed up by a company server. But too often, the apps are “renegades”: new apps not yet on the company watchlist, or apps that the employee is using without permission, which is the most likely scenario.
So what can happen, and what can the company do? If the company becomes aware of an employee creating, storing or sharing documents frequently or erratically against policy, they still have leverage to get control of the device by having the employee deliver it…but this can depend on the strength of the policy and its scope. If the device is provided by the company, there is a lot more control and a lot less wriggle room to get the device. If the device is owned by the employee, the policy becomes that much more important, in terms of how well it spells out the company’s right to access the device so that the employee is VERY AWARE that this can happen. The real headaches start when the employee in question has left the company; now they may be looking at subpoenas or other types of court orders or incentives to turn in the device, in hopes the terminated employee can be contacted and the device still exists. Again, policy helps.
But what about those darn apps? What if they’ve been deleted, or what if the app developer won’t release data? At least if the app no longer exists, the data is possibly no longer being shared, but it is also no longer retrievable for litigation or regulatory matters. One solution of sorts exists for company-owned devices where the company can restrict what apps can be loaded on or accessed by the device; at least the path for moving documents becomes more difficult. Another possibility is providing company-controlled and -accessible document storage devices for the employee’s device, with training and guidelines that clearly state the employee is to store and use company data only on those apps.
It is impossible to completely stop employees from making off with documents, using unauthorized apps or engaging in other nefarious activities. Just as with any other activity, honesty and individual responsibility are what will “prevent” data loss. But, recognizing that things will happen, a company has to recognize the potential threat, and do what they can to put protections in place, including technical protection, policies and punishment; but most importantly, they must have responsible and mature employees and properly train them with a heightened awareness of what the “right thing to do” is. A seemingly overlooked fact is that far more data is lost through lack of training and awareness for employees than through malicious acts such as theft; companies need to understand that, if they will treat their employees as adults, train them properly and make them aware of the consequences of improper acts with company information, they can alleviate a lot of problems. But the company still must become savvy about BYOD and the apps that proliferate along with it, and implement methodologies and policies to address their existence. And sooner, rather than later…or too late.