Presentation on BYOD risk management by Jonathan I. Ezor of the Touro Law Center for Innovation in Business, Law and Technology for the Corporation/Banking & Securities Law Committee of the Nassau County Bar Association in Mineola, NY on October 8, 2013.

BYOD: Managing the Risks of Bring Your Own Device Policies
Prof. Jonathan I. Ezor
Director
Touro Law Center for Innovation in Business, Law and Technology
[email protected]
Nassau County Bar Association
Corporation/Banking & Securities Law Committee
October 8, 2013

Wireless Devices Key to Modern Business
• Access to data
• Communications
  – Colleagues
  – Clients/Customers
  – Others
• Mobile workforce
• 24/7/365 workcycle
• Instant responsiveness demands

Challenges of Mobile Implementation
• Cost
• Platform choice
• Updates/Upgrades
• Training
• Support
• Vendor changes (e.g. Blackberry)

BYOD: Leveraging Employee Choices
• Employees increasingly buying/updating personal devices
• May be more sophisticated than company standard
• Employees may cover some/all costs
• Personal familiarity may reduce training need
• Major platforms increasingly interoperate

Balancing BYOD Benefits and Risks
• BYOD not without risks, including
  – Employee-driven vs. mission-driven
  – Complexity and cost of support
  – Software and licensing
  – Security
  – Confidentiality
  – Personal vs. professional
  – Compliance
  – Litigation
• Must balance risks with [email protected]

Employee-Driven Vs. Mission-Driven
• Choice of approved devices should reflect business needs
  – IT platform
  – Applications & functionality
  – Security
• Employee requests can conflict
• Failure to support owned devices can undermine BYOD intention
• Consumer devices for business purposes

Complexity And Cost Of Support
• Diversity of hardware/OSes means almost unlimited potential support obligation
• Everything from setup to chargers to software
• Employees may expect or demand support from IT staff
• Refresh cycle a factor as well

Software and Licensing
• Organization’s software may include licensing restrictions
  – Enterprise vs. personal devices
  – Number of total/concurrent users
  – Expiration of licenses/versions/support
• Older licensed software may not support new mobile platforms
• Need to consider existing licenses, negotiate new ones with BYOD in mind
• Interoperability of software also a factor

Security
• Multiple potential security breach vectors on mobile devices
  – Malware
  – Insecure WiFi
  – Unencrypted connections
  – Utilities
  – Older versions of OS
• Consumer devices may offer fewer security options than business-specific ones
• Some devices support VPN, push profiles for security settings

Confidentiality
• Every mobile device a potential data breach channel
  – Mass storage
  – Lost/stolen devices
  – Backups
• Employees may share devices with family, others
• Use may violate NDAs, regulatory/legal requirements
• Risks of accidental breaches
  – GPS
  – EXIF data
  – Social media

Personal Vs. Professional
• Boundaries always a problem for mobile workforce
• Use of personal devices exacerbates challenges
• Harder to establish, enforce limitations on personal use
• Labor laws also potentially involved

http://ezor.org/a7k4n
Allen v. Chicago

Compliance
• Requirements may not exclude personal devices
  – Document/correspondence retention
  – Security
  – Privacy
  – Tax
• Auditors, enforcement officials may require access to employee devices
• Also more difficult to change practices for new/changed regulations

Litigation
• Discovery requests may/should include employee devices
• True of home computers as well as BYOD
• Holds, deletion policies also face challenges
• Shared devices also an issue
• Employees may be uncomfortable opening personal equipment to scrutiny

Risk Management for BYOD
• Implementation must include awareness, management of risks
• Involve all stakeholders
  – IT
  – Legal
  – Finance
  – Operations
  – HR
  – Employees
• Plan, budget for training and support
• Communicate decisions and rationale to all

Best Practices for BYOD
• Written policy on supported devices/platforms/uses
• IT infrastructure chosen/configured to enhance security as well as convenience
• Educational materials for most-common devices
  – Setup
  – Security
  – Remote wiping
  – Encryption
• Ongoing review of implementation, issues
• Verify insurance and other risk management coverage