Bring Your Own Device Dangers in Data Protection

Bring your own device (BYOD) can look like a few different things depending on the organization, but in short it’s the use of someone’s own personal device for business purposes.  That means using your personal smartphone or laptop to connect with and conduct business, whether it’s a phone call, text message, email or corporate network access.  The following upsides seem fairly obvious for both the user and the business.  The employee gets to use what they are already familiar with in their own computer or smartphone, and the company doesn’t need to spend money on a device(s).  At the same time, the downsides should seem pretty obvious as well, especially in terms of security and data protection.  The employee may get a stipend or reimbursement of some sort for the use of their device, but they oftentimes end up doing their own IT versus depending on the company for that skillset.  Also, there’s now company data filling up their device, and suddenly you don’t know when the phone rings if it’s going to be a friend or work.  From the company’s perspective, again, this is not always thought through.  Now the company’s data is on your employee’s computer or phone.  There are some software packages that can be installed on the computer or phone to containerize the company’s data.  While these offer some control, they often come with varying degrees of success as well as complexity in management.  In short, it’s possible to put some controls in place on your employee’s computer to protect the use of your data, but at the same time there are potential issues as you don’t own the computer.  If you are wondering, “Why is this being discussed in a forensic post?”, hopefully it’s becoming clear!  This is particularly true when it comes time to part ways with the employee, either amicably or Jerry Maguire style.

It’s important to have the review process in place, to ensure nothing detrimental was done with your data.  This needs to become SOP during the exit, and until it becomes ingrained it can be forgotten in the moment, particularly in a dramatic one.  Securing a company’s data is much more top of mind, though, when you’ve been implementing best practices in regard to information security from the beginning.  If you have some sort of container software and/or data loss prevention software installed, you can gain a lot of insight.  However, the fact is neither of these is typically installed.  This is particularly true in a smaller business, where there tends to be more inherent trust in your employees and co-workers.  When an employee leaves there is a loss, whether it is just the lack of a key role that employee filled in the organization or, more to the point of this post, the loss of data that they had on their computer or device.  And remember, if it’s their computer you will be at a disadvantage if they up and leave and you want to get your data back.

While there is obviously a cost associated with providing a laptop and work phone, I can assure you the cost pales when compared to the expense of retaining counsel and filing a lawsuit in an attempt to get the court to force the party to turn the device over for inspection.  What’s more, you may not even have enough evidence to get such a request granted, especially since the bulk of the evidence that is typically needed will more than likely reside on their computer and/or device!  In addition, this is not something you normally get multiple cracks at.  How can I say that?  From experience, and the end result doesn’t always favor the good guys who just didn’t think through what may happen by not providing equipment and the proper documentation for their employees.  Look at it as insurance and the cost of hiring an employee.  If it’s not affordable for a company to do it the right way in order to protect their business and assets, maybe it’s not time to hire a new employee just yet.  Or, perhaps the business has gone from a few-man operation to a dozen or so folks and they don’t have the framework as described.  Keep in mind, it’s never too late to start implementing a data protection plan… unless, that is, they’ve already dashed off with the company’s valuable trade secrets and ways of doing business!
