By Ryan Kalember, chief product officer, WatchDox
BYOD (bring your own device) requires different ways of addressing data security. Ryan Kalember of WatchDox gives advice — and some warnings — about BYOD policies and potential vulnerabilities.
Q: In your opinion, what is the biggest threat to data security when an organization has a BYOD program?
One of the biggest security threats is loss of control over files or content. No firm, whether it is a mom-and-pop retail store or the largest entertainment studio, wants its sensitive data leaked to the wrong party. The risk of file breaches — whether inadvertent or deliberate — should be dealt with proactively by IT departments.
Many companies believe that by implementing mobile device security, the risk of data loss is diminished. However, that only works if IT has control over each endpoint. What if an employee decides to download a file on his personal phone to view over the weekend or while on vacation? He can easily thwart the security policy and actions of the IT department or service provider. Rather than being concerned about securing the individual device, IT should look at the problem from a data-centric view and protect files while they are at rest and in transit. Then, regardless of who accesses the content and on which device, the security is in place to prevent a data breach.
Q: How can companies educate their employees about minimizing data security risks?
Educating employees begins with clear communication that can be in the form of a mobile device usage and file-sharing policy. It is important to have written policies in place so employees are clearly informed about the impact of using their personal devices to access content. However, a policy cannot be successful on its own. IT departments must also leverage technology solutions to enhance these policies and to easily track who is accessing the data and from which devices. By educating employees in writing and implementing a technology auditing solution, IT managers can take proactive steps to minimize data security risks.
Q: What measures can companies take to deal with lost or stolen devices, non-compliant employees, or the use of shadow IT?
Regardless of BYOD policies and mobile device solutions, companies should consider implementing data-centric security measures. They also need to make sure that the technology they deploy to protect data is easy to use so employees are not driven to find alternative solutions beyond the IT department’s control. For instance, if the mobile device management (MDM) solution takes the employee through several steps before he can gain file access, and then he needs a second application to edit a document, it’s likely that the employee will circumvent the solution and use his personal solution of choice. That shadow IT application is most likely a box-like platform that is easier to use but only has minimal security settings. The file is now outside of IT’s control and could be distributed to competitors or wind up posted on several Internet sites, resulting in a data breach.
However, if IT departments provide an easy-to-use method for sharing and editing content across devices, such as that offered by enterprise file-sync-and-share (EFSS), the chance of an employee using a rogue or less secure application diminishes. The data-centric solution should also provide the option to revoke access to files at any time to account for the possibility of lost or stolen devices or an employee who leaves the company, but still may have intellectual property stored on his personal device. The key is that IT departments remain in control of the data wherever it travels, rather than just securing “the box” or individual device.
Ryan Kalember is the chief product officer at WatchDox, a provider of secure mobile productivity and collaboration solutions that enable the confidential sharing of important or sensitive files in an easy and secure way.