"It's a wave that's not stopping," said Wayne Wong, managing consultant at Kroll Ontrack, in an interview. Kroll Ontrack specializes in data recovery, e-discovery, and other legal applications of technology. "Even if you attempt to put a policy out there that prohibits the use of personal devices, you'll see a lot of them every day, more and more."
That leads to one of the critical issues inherent in the BYOD approach, company-sanctioned or not: Mixing personal and corporate data willy-nilly. Small and midsize businesses (SMBs) sometimes face a more significant struggle on this front than large enterprises. "It's very hard for them to be more controlling [of data] like some of the larger organizations are able to achieve," Wong said.
This can be a huge problem for firms that operate under regulatory restrictions. But even SMBs that aren't dealing with a heavy compliance burden could find themselves in a lawsuit or other situation where data integrity and retention become critical. Wong notes that SMBs can sometimes be overwhelmed by the data implications of a BYOD approach; they could just as easily ignore them altogether. Here are four interrelated strategies he recommends for harnessing the upside of BYOD while managing associated risks.
1. Technology Use Policy
Step one in ensuring a strong, manageable approach to data retention is to create a policy that outlines what is--and what isn't--acceptable for employees to do when it comes to personal mobile devices, applications, and other tech tools. "Policy or governance is the starting point that will then drive procedures and processes," Wong said. "Companies really need to make it clear to employees what is appropriate and what is not appropriate regarding the use of technologies such as Gmail or other personal e-mail accounts and social media, for example." That policy also needs to explicitly cover employee responsibilities for retaining and storing data. (See #3 for more on this.)
2. Employee Education
Assume the concept of data retention has never occurred to most of your staff--because it probably hasn't. "SMBs should organize periodic training so that employees can clearly understand the appropriate and inappropriate uses of their personal devices," Wong said. This training should cover things like social media usage, personally identifiable information, strong passwords, and privacy settings. Regarding the latter, Wong notes a common misconception among users: Confusing privacy with privilege. In the event of a lawsuit, an employee's social media data can be discoverable regardless of privacy settings--make sure employees understand that.
3. Data Segregation
Wong advises SMBs to make data segregation a fundamental practice--namely, keep corporate and personal data separate for retention purposes. This can save you a ton of headaches in the event of litigation, compliance-related audits, and so forth. The best way to enable this is to provision corporate storage space and make clear to employees the processes for backing up their data there--and for keeping their personal info out.
4. The Social Factor, Redux
Social media should be a critical part of the aforementioned education and training, but it gets an encore here because it flies in the face of #3. "One of the dangers of social media is that it does not allow a segregation of your professional life and your private life," Wong said. A simple example: The second someone lists their employer--and all of their previous employers, to boot--on Facebook, that line instantly vanishes. "When people post things--whether pictures, opinions, comments--all of that now is exposed to scrutiny, regardless of the impression that Facebook gives you that you have privacy settings," Wong said. He added that the legal system is increasingly inclined to consider social media information discoverable in lawsuits; user privacy settings are irrelevant.
The social business boom also points to an underlying issue that Wong thinks employees often don't recognize when they bring personal technology into their jobs. Caveat emptor, modern worker: "I don't think people understand that, when they ask to use a personal device and get blessed, they've agreed to the fact that now anything they do on that personal device can be argued to be company property," Wong said.