- Forrester Councils
- Councils Overview
- log in
Posted by David Johnson on January 13, 2014
While the consumerization of IT marches on, in its footsteps lurks the specter of unknown risk. We live in a world of zero-sum games of litigation where suffocating regulations are the norm, and failure to comply can draw millions in fines and lawsuits. Technology diversity multiplies the challenge of maintaining compliance — it’s no wonder so many IT shops take a one-size-fits-all approach to workforce computing and forbid bring-your-own-device (BYOD). But it doesn't have to be this way. It’s possible to craft an approach that brilliantly achieves the conflicting goals of embracing BYOD and consumerization while slashing the risks and costs at the same time. Our recent research on the topic comes from working with lawyers and auditors who specialize in technology law and compliance reveals that it can indeed be done.
You Still Have to Act But the Cure is Often Worse Than the Disease
The technology attorneys we interviewed for this research agree — once you learn that BYOD is happening in your organization, you have a legal obligation to do something about it, whether you have established industry guidance to draw on or not. The answer is seemingly simple: Take action to stamp out the risk. However, the answer isn't that straightforward because:
Top BYOD Risks Include Intellectual Property Misuse, Accidental Data Loss
Intellectual property law violations can have especially severe repercussions. Patent, trademark, and copyright infringement are all very common but very difficult, if not impossible, to police with technical controls. For example, the willful and illegal misuse of someone else's property — misappropriation — sometimes comes into play when software is in use for business that isn't properly licensed and the attorneys can demonstrate that employees knew it and still continued to use it anyway. According to the law, not only can the firm be liable for past licensing fees, it can also owe damages equivalent to the value of every sale made after the first violation using the unlicensed software. Charles F. Luce Jr., partner at Moye White in Denver, says that the legal exposure of a firm is the same regardless of who owns the device.
Formal BYOD Guidance Is Immature And Open To Interpretation
Chris Gray, practice manager for Accuvant's risk and compliance business, says that regardless of who owns the device, when it's used in a regulated business, in theory it needs to adhere to the same regulations and industry standards as company-owned equipment. But he also notes that specific guidance for BYOD mobile device policies and technical controls are practically nonexistent. IT pros should also know that:
Clear Policy And Education Form The Proper Foundation
Relying on technical controls alone is not effective, so effective BYOD governance starts with a clear policy and education. A signed BYOD agreement with each employee, along with adequate education on the risks and employees' responsibilities, are the absolute minimum. But electronically enforcing policies for employees incapable or unwilling to do their part is wise.
Take a Holistic Approach With Your BYOD Enablement Strategy
A viable BYOD strategy addresses culture, responsibilities, education, policy, and technical controls. It recognizes the value that BYOD brings to employee engagement and performance and features a clear agreement between the organization and each BYOD employee that outlines what each is responsible for. Technology's role is to help foster safe behaviors, control information access, and verify ongoing compliance — all without getting in the way of creativity, productivity, collaboration, or other daily activities.
Create a technology approach that promotes engagement while enforcing the policy. In most cases, this means keeping employee-owned devices off of the corporate trust network while allowing access to information through secure proxies and interfaces. In regulated environments, it also means sensitive data is never stored on employee-owned devices, but in less stringent environments, it can mean simply controlling access to systems of record such as customer databases to prevent anyone from walking away with a data dump. Firms doing this well know a lot about the nuances of a wide range of technologies and develop capabilities for offering a wide range of services and access.
For those of you responsible for BYOD programs where you work, what do you think? What are you learning as you work with legal and audit teams?
Lead BT Transformation
Develop customer-obsessed strategies to drive growth »
Forrester's CX Index
Predict how actions to improve CX will affect revenue performance.
Measure the customer experiences that matter most »