Simply Security - News, Views, and Opinions from Trend Micro

BYOD stoking privacy concerns across the organization

Posted on August 28th, 2012 in Current News, Data Privacy by Simply Security

Mobile data privacy has become a real concern from both personal and professional perspectives.

Although it has only been on the scene for a short time, the BYOD (Bring your own Device) movement has already inspired several evolutions of opinion.

Early adopting companies were delighted by the extended productivity and improved cost-efficiency offered by the more flexible strategy. Then as BYOD was starting to garner mainstream support, rampant security concerns forced business leaders to reexamine their initial analyses.

But now that companies are starting to adopt more proactive mobile device management strategies, some are suggesting the scales have been tipped too far back in the direction of corporate control.

While consensus on resolution strategies has been hard to come by, it's become clear that data privacy is now the dominant issue in BYOD policy and management.

Corporate control over employee data

When companies first opened the floodgates to BYOD, early returns supported their initial optimism. Employee morale was high, remote access capabilities effectively extended the work day and innovative tools enabled performance breakthroughs that were previously unachievable within the confines of the legacy IT ecosystem. Unfortunately, these advantages were soon counterbalanced by the unique risks employee-owned devices brought to the organization.

With IT professionals playing a reduced role in device regulation, common employees found themselves in over their heads trying to deflect security attacks. From leaving unattended devices without the benefit of password protection to unwittingly rolling out the red carpet for malware from third-party application markets, compromised personal devices were becoming professional liabilities.

As a result, IT and business executives decided that more restrictive regulation was needed to preserve security and compliance priorities in a BYOD-enabled workplace. The result has been the implementation of more explicit usage guidelines paired with powerful mobile device management tools that can monitor employee behaviors and even intervene in certain scenarios. But while this has helped companies make significant strides in risk management, it could be coming at the expense of personal privacy.

With employee devices hosting both private and professional applications and information, keeping work and play separate has been a technical challenge. As a result, some of the more invasive security controls have dipped into employees' personal lives, including sensitive data held in address books and social media applications.

But while this was initially dismissed as a case of employees trying to have their cake and eat it too, even IT managers are starting to express their reservations. In the latest industry survey from MokaFive, 77 percent of responding security professionals expressed some form of displeasure with how mobile device management software was being used in their organizations. Several cited what they believed to be unacceptable privacy violations and indicated they would not want the technology governing their own smartphones and tablets.

According to Computer Weekly, these issues represent much more than just employee sensitivity. In fact, overaggressive BYOD management tactics can have real legal consequences.

Although legislation varies from country to country, almost all jurisdictions will expect companies to acquire explicit informed consent from employees prior to accessing and processing their personal data. Features such as device activity monitoring, location tracking and remote data wiping could be of real concern to employees. For instance, workers could demand restitution if companies inadvertently deleted the contents of a personal device in an unauthorized scenario.

Employee control over corporate data

Although the majority of privacy debates have centered on consumer data protection, companies also have a serious vested interest in how corporate data is being guarded on employee-owned devices.

As MokaFive analysts alluded to, BYOD often opens the door to risky applications that would not have been authorized for use if IT teams had their way. Two-thirds of survey respondents specifically cited concern with commercial cloud storage utilities, such as Dropbox. Even if service providers are employing encryption, the keys – and thus data security responsibilities – reside in the hands of an external organization.

Once again, this introduces a host of potential legal issues for the BYOD-enabled organization. According to the New York Law Journal, allowing employees to store and access mobile data as they wish could quickly put a business out of compliance. Particularly with sensitive information, such as insurance records and customer transactions, there are any number of data protection standards of which the common employee may be unaware.

Additionally, personal smartphones and tablets have become a leading source of corporate data leaks. From lost devices to phishing attacks, there are any number of ways employees can unwittingly hand over corporate assets to unauthorized viewers. And though they may wish to avoid thinking about worst-case scenarios, IT teams also need to start worrying about rogue workers.

According to the New York Law Journal, a number of companies have been burned by incomplete data protection measures that allow workers to gain access to sensitive resources even after they leave the company. Compliance considerations aside, this could also affect competitive standing. Disgruntled employees or former associates could be shuttling trade secrets into the hands of business rivals from their mobile touchscreen.

Toward intelligent BYOD

With both personal and professional interests threatened by irresponsible or incomplete mobile data privacy strategies, the next phase in BYOD's progression will likely be a more enlightened focus on data rather than simply the devices in which it is carried.

"BYOD isn't just about securing or even managing mobile devices," Farpoint Group analyst and MokaFive research coordinator Craig Mathias explained. "There are major requirements in consciousness-raising, policy definition and enforcement and end-to-end solutions that include not just devices, but the enterprise data they increasingly contain."

The good news, according to Computerworld, is that this data-over-device paradigm is finally starting to take root in the business community. In fact, even the term mobile device management is falling out of favor and being replaced by an emphasis on mobile application management. Whereas employees can certainly get into hot water on the open Internet, the majority of problems seem to come from the way applications store, transmit and enable access to data.
