10-8-13 BYOD Risk Presentation for Nassau County Bar Committee

475 views
382 views

Published on

Presentation on BYOD risk management by Jonathan I. Ezor of the Touro Law Center for Innovation in Business, Law and Technology for the Corporation/ Banking & Securities Law Committee of the Nassau County Bar Association in Mineola, NY on October 8. 2013.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
475
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

10-8-13 BYOD Risk Presentation for Nassau County Bar Committee

  1. 1. BYOD: Managing the Risks of Bring Your Own Device Policies Prof. Jonathan I. Ezor Director Touro Law Center for Innovation in Business, Law and Technology jezor@tourolaw.edu Nassau County Bar Association Corporation/ Banking & Securities Law Committee October 8, 2013
  2. 2. Wireless Devices Key to Modern Business • Access to data • Communications – Colleagues – Clients/Customers – Others • Mobile workforce • 24/7/365 workcycle • Instant responsiveness demands jezor@tourolaw.edu
  3. 3. Challenges of Mobile Implementation • Cost • Platform choice • Updates/Upgrades • Training • Support • Vendor changes (e.g. Blackberry) jezor@tourolaw.edu
  4. 4. BYOD: Leveraging Employee Choices • Employees increasingly buying/updating personal devices • May be more sophisticated than company standard • Employees may cover some/all costs • Personal familiarity may reduce training need • Major platforms increasingly interoperate jezor@tourolaw.edu
  5. 5. Balancing BYOD Benefits and Risks • BYOD not without risks, including – Employee-driven vs. mission-driven – Complexity and cost of support – Software and licensing – Security – Confidentiality – Personal vs. professional – Compliance – Litigation • Must balance risks with rewards jezor@tourolaw.edu
  6. 6. jezor@tourolaw.edu • Choice of approved devices should reflect business needs – IT platform – Applications & functionality – Security • Employee requests can conflict • Failure to support owned devices can undermine BYOD intention • Consumer devices for business purposes Employee-Driven Vs. Mission-Driven
  7. 7. jezor@tourolaw.edu Complexity And Cost Of Support • Diversity of hardware/OSes means almost unlimited potential support obligation • Everything from setup to chargers to software • Employees may expect or demand support from IT staff • Refresh cycle a factor as well
  8. 8. jezor@tourolaw.edu Software and Licensing • Organization’s software may include licensing restrictions – Enterprise vs. personal devices – Number of total/concurrent users – Expiration of licenses/versions/support • Older licensed software may not support new mobile platforms • Need to consider existing licenses, negotiate new ones with BYOD in mind • Interoperability of software also a factor
  9. 9. jezor@tourolaw.edu Security • Multiple potential security breach vectors on mobile devices – Malware – Insecure WiFi – Unencrypted connections – Utilities – Older versions of OS • Consumer devices may offer fewer security options than business-specific ones • Some devices support VPN, push profiles for security settings
  10. 10. jezor@tourolaw.edu Confidentiality • Every mobile device a potential data breach channel – Mass storage – Lost/stolen devices – Backups • Employees may share devices with family, others • Use may violate NDAs, regulatory/legal requirements • Risks of accidental breaches – GPS – EXIF data – Social media
  11. 11. jezor@tourolaw.edu Personal Vs. Professional • Boundaries always a problem for mobile workforce • Use of personal devices exacerbates challenges • Harder to establish, enforce limitations on personal use • Labor laws also potentially involved
  12. 12. http://ezor.org/a7k4n
  13. 13. Allen v. Chicago
  14. 14. jezor@tourolaw.edu Compliance • Requirements may not exclude personal devices – Document/correspondence retention – Security – Privacy – Tax • Auditors, enforcement officials may require access to employee devices • Also more difficult to change practices for new/changed regulations
  15. 15. jezor@tourolaw.edu Litigation • Discovery requests may/should include employee devices • True of home computers as well as BYOD • Holds, deletion policies also face challenges • Shared devices also an issue • Employees may be uncomfortable opening personal equipment to scrutiny
  16. 16. jezor@tourolaw.edu Risk Management for BYOD • Implementation must include awareness, management of risks • Involve all stakeholders – IT – Legal – Finance – Operations – HR – Employees • Plan, budget for training and support • Communicate decisions and rationale to all
  17. 17. jezor@tourolaw.edu • Written policy on supported devices/platforms/uses • IT infrastructure chosen/configured to enhance security as well as convenience • Educational materials for most-common devices – Setup – Security – Remote wiping – Encryption • Ongoing review of implementation, issues • Verify insurance and other risk management coverage Best Practices for BYOD
  18. 18. Professor Jonathan I. Ezor jezor@tourolaw.edu @ProfJonathan on Twitter Questions?

×