The Risks of Staff Using Personal Devices for Work
As more employees use their personal mobile devices for work, companies are being forced to confront the resulting security implications, as well as how the devices are changing behaviors in the workplace.
That’s according to a report by Littler Mendelson, an international law firm specializing in employment and labor law. The report highlights the dangers and benefits of allowing employees to use their personal devices at work.
As more people buy smartphones and tablet computers and bring them to work to perform company tasks, businesses have responded by implementing policies that allow employees to use their personal mobile devices to create, store, and transmit work-related data.
This trend is generally referred to as "Bring Your Own Device" or BYOD. Some companies even allow employees to replace their work laptop computer with their own personal PC, which is sometimes referred to as BYOC.
The report highlights two broad categories of risk that personal devices pose in the workplace: data risks and behavioral risks.
Data Risks
The report looked at five information security threats posed by BYODs:
Lost or stolen devices – According to a study by the Ponemon Institute, 39% of respondents reported that their organizations had sustained a data security breach in 2011 as a result of lost or stolen equipment. Put simply, if your employees use their personal mobile devices for work, your company data is at risk if they lose their gadget.
Malware – In February 2012, Juniper Networks reported a 155% increase from 2010 to 2011 in the volume of malicious software created for mobile devices, and malware targeting the Android platform rose 3,325%.
Friends and family – A report by the U.S. Treasury Department's Financial Crimes Enforcement Network found that in 27.5% of suspicious activity reports filed by depository institutions between 2003 and 2009, the identity theft victim knew the suspected thief, who was usually a family member, friend, acquaintance, or an employee working in the victim's home.
Links to the cloud – A number of apps for mobile devices allow users to store their documents and data using cloud-based storage, the report states. Employers must evaluate whether the sites provide sufficient security if the employee plans to store company information using the apps.
Security breach – A breach in security could expose your company to government enforcement actions, civil penalties and litigation. Both federal and state-level statutes and regulations govern the storage of personal information, in addition to contractual obligations, which increasingly include responsibilities to safeguard against data breaches and the consequences for failing to do so.
Behavior Issues
There is another downside that has not been much discussed. In the 2011 National Business Ethics Survey, the Ethics Resource Center reported that active social networkers (employees who spend 30% or more of their work day participating on various social network sites) are more likely to believe that certain questionable behaviors are acceptable, such as:
“Friending” a client or customer.
Blogging or tweeting negatively about your company or colleagues.
Keeping a copy of confidential work documents in case they need them in their next jobs.
Taking a copy of work software home for use on their personal computers.
In addition:
Wage and hour implications can arise from using a mobile device to conduct work while off the clock.
Both state and federal laws require employers to reimburse employees for expenses that arise in the course of doing their jobs. Once employees are using their own devices, this raises questions of whether the employer is required to reimburse for the cost of the device, the data plan and monthly phone bill.
Littler Mendelson includes in its report a slew of recommendations for employers. When drawing up policies on BYODs, the employer should:
Decide which employees should be permitted to participate in a BYOD program. You may want to exclude senior executives whose data is more likely to be relevant in litigation, research and development employees, and sales staff, who may store client information on their devices.
Create policies that address off-the-clock work.
Staff should know that if they use BYODs, the company must be authorized to access their devices for record retention or litigation holds or investigations.
Before allowing employees to use dual-use devices to perform work, companies should obtain their written consent to monitor the device, remotely wipe the device, install security software and copy data if necessary.
Follow good security practices.
Create a policy barring friends or family from using the device.
Create a policy limiting the use of cloud-based storage.
Address safety issues, including a prohibition on using the device while driving.
Your policy should include consequences for non-compliance.