BYOD 'bill of rights' could allay security fears

A BYOD Bill of Rights has been proposed in a bid to protect both employees' privacy and business security.

ICO sparks debate on BYOD security

In a new study of 2,000 people in the US, cloud-based threat detection firm Webroot found that the number of personally-owned devices in enterprises continues to grow, with twice as many workers now using personal devices as those issued by their employers.

Despite this, the rise of BYOD is being met by concerns over employee privacy and how secure these devices really are, the report reveals.

Approximately 60 percent of respondents admitted to having no security software on their personally-owned work smartphones and tablets, with another 37 percent relying solely on the device's default security settings.

IT teams may find it difficult to impose security controls, however, with nearly half of respondents indicating that they would stop using their device for work if a corporate policy required them to install a security program.

Concerns over performance and speed were cited as the top reasons for this, but employees are not averse to security measures being implemented – if they are involved in the process. Some 73 percent of respondents believed that employees should have some influence on the software or security installed, and 62 percent said that they would be “receptive” to security software on their personal devices, so long as the requirements were clearly communicated by superiors.

Study respondents also admitted that employers having access to personal data was their top concern.

Although Webroot's report focused largely on employee demands, it also looked at the risk to businesses and detailed how companies are fighting against devices being lost or stolen, as well as cyber-criminals using phishing attacks, browser hijacking and malware as the new “way to get into corporations.”

As a result, the firm says that a BYOD Bill of Rights is required.

“The BYOD Bill of Rights was created as a guideline to bridge the gap between employees' preferences and the needs of the organisation,” reads the report.

It goes on to state that this bill of rights should allow professionals to have privacy over personal information, be included in decisions that impact the data or the device they use for work, have the freedom to stop using it for work at any time, have a back-up in case of remote wipe, and be unencumbered by security apps that slow performance or hog battery life.

It continues that users should be kept informed of device infections, remediation and other suspicious activity, and that they have the choice to download applications. 

“We believe a structure such as the BYOD Bill of Rights can be very helpful in creating an open dialogue between organisations and the individuals using personal devices and creating security policies that acknowledge the needs of both parties,” said Mike Malloy, executive vice president of products and strategy at Webroot. 

Speaking to SCMagazineUK.com, Malloy said that it was essentially a ‘trade-off’ between employers and employees.

“What we're proposing is that these concerns are valid – the employee has rights in terms of the device and the employer has the right to be protected. There needs to be a dialogue between the two,” he said, adding that Webroot had seen negative feedback on Mobile Device Management tools.

He added that some firms are turning to Choose Your Own Device (CYOD) or Corporately Owned, Personally Enabled (COPE) schemes to improve mobile security, and said that smart companies are less concerned about the hardware.

“We're seeing more that companies are moving to access control and security, leaving ownership and choosing of the device to the employee, but with the acknowledgement that local data can be wiped if they leave.” 

Richard Absalom, the lead enterprise mobility analyst at research outfit Ovum, is encouraged by the action for a Bill of Rights. 

“I like the BYOD Bill of Rights, [it] all makes sense. BYOD is a widespread behaviour that many businesses are yet to fully get to grips with, and these findings show that MDM software on its own is not the answer,” he told SCMagazineUK.com. 

“Other ways of securing and separating work from personal data may be more palatable for end users, and make it easier to comply with that Bill of Rights: for instance MAM or containerisation,” Absalom added. 

“But as ever, user requirements need to be balanced against security. If there are some users for whom BYOD is not suitable, businesses should be looking at different ways of getting them the devices and applications they need to make them more productive – perhaps through alternative forms of corporate provisioning such as CYOD or COPE.” 

Mobile device security has been a hot topic this week, not least in Silicon Valley where Google announced the acquisition of containerisation and dual-persona vendor Divide for an undisclosed sum.

Divide's technology aims to separate highly-sensitive business data from personal information, and questions have been raised about whether it will be integrated in Google's Android mobile operating system.