The Challenges of BYOD in Your Corporation


The Bring Your Own Device (BYOD) trend started several years ago for business managers who had personal devices that they wanted supported by IT. However, today BYOD has become a widespread and critical issue for IT departments because of the number and diversity of devices they must support and the risks created by BYOD. This document covers the steps to ensure compliance and reduce the risk.


WHITE PAPER
Practical Steps Toward Ensuring Compliance in a BYOD World
An Osterman Research White Paper
Published November 2012
Sponsored by MobileGuard

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
EXECUTIVE SUMMARY
One of the most important trends to impact organizations of all sizes – but particularly mid-sized and large organizations – is for employees to use their own smartphones and tablets to access corporate applications. The Bring Your Own Device (BYOD) trend started several years ago, normally on a case-by-case basis for senior executives who had personal devices that they wanted supported by IT. Today, BYOD has become widespread and is now a critical issue for IT departments in organizations of all sizes, not only because of the number and diversity of devices they must support, but also because of the risks that BYOD creates:
• The difficulty of satisfying the growing number of regulatory and legal obligations imposed on organizations regardless of the industry.
• Managing the mix of corporate and personal data contained on personally owned devices.
• Addressing the greater risk imposed by BYOD, such as compliance violations and data breaches when devices are lost, policy violations when outbound content is not filtered, and the greater likelihood of malware entering the corporate network.
As a result, organizations must mitigate the risk associated with the growing trend toward BYOD by implementing appropriate policies and deploying technologies that will address the specific problems created by BYOD.

ABOUT THIS WHITE PAPER
This white paper was sponsored by MobileGuard – information about the company is provided at the end of this document.

BYOD CREATES MANAGEMENT CHALLENGES
The accelerating trend toward BYOD is exactly what its name implies: the growing trend for employees to use personally owned smartphones, tablets, laptops and other platforms to access corporate applications like email, databases, public cloud-based applications and other tools; and to create, store and manage corporate data using these devices. For example, Osterman Research has found that business email and Web browsing are the most common business tasks for which mobile devices are used (employed by 99% and 93% of users, respectively), but personal social media, corporate social media, SMS/text messaging, instant messaging chat and storage of business-related documents are also common uses. In particular, real-time messaging, such as instant messaging, is widely used by financial and energy traders.
Osterman Research has found that BYOD is pervasive across organizations of all sizes, but particularly in smaller organizations, as shown in the following table.

Penetration of Personally Owned Devices

  Device        Small Orgs            Mid-Size Orgs         Large Orgs
                (up to 99 employees)  (100-999 employees)   (1,000+ employees)
  Smartphones   40%                   32%                   27%
  Tablets       28%                   18%                   16%

©2012 Osterman Research, Inc.
The widespread nature of BYOD is also borne out by other research organizations. For example:
• An Aberdeen Group study found that 75% of companies permit BYOD[i].
• A Research and Markets study found that 65% of enterprises worldwide will adopt BYOD to some extent by the end of 2012[ii].
• Some companies are migrating to a completely BYOD approach, such as Cisco, where 100% of all mobile devices are provided by employees and not the company itself[iii].
• Equanet reports that 71% of tablets used in a business setting are employee-owned[iv].

CRITICAL PROBLEMS WITH BYOD
There are a number of problems associated with the unmanaged use of personally owned devices in a corporate context:
• Regulatory requirements can be violated
  A key issue is that firms registered with FINRA and the SEC are required to archive and monitor communications sent via smartphone. For example, FINRA Regulatory Notice 07-59[v] states "…a firm should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies." In the United Kingdom, the Financial Services Authority (FSA) issued Policy Statement 08/1, which requires recording of both voice and electronic communications in the context of public and enterprise instant messaging solutions.
• A mix of corporate and personal data stored on the device
  BYOD adds significant complication to corporate data management because personally owned devices contain a mixture of corporate data, such as email and application data, and personal data like photos and Facebook posts. This situation creates a number of challenges for IT departments: the legality of searching through personal content for corporate information, employee privacy rights, and the sheer logistics of managing data on mobile devices.
• An increased likelihood of data breaches
  BYOD can increase the likelihood that sensitive or confidential corporate information will be breached. Researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device and a total of more than 11,000 pieces of information collectively from all of the devices[vi].
• An inability to remotely wipe devices
  Most personally owned devices cannot be remotely wiped if they are lost, leading to a much greater likelihood of data breaches and loss of intellectual property. In organizations with at least 100 employees, we found that 69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personally owned smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.
• Lack of outbound content filtering
  The use of personally owned devices will normally bypass outbound content filtering systems, resulting in potentially more violations of corporate and regulatory policies focused on encrypting sensitive content or preventing disclosure of confidential information.
• Malware incursion
  Personally owned devices used to create, access and store corporate data will typically bypass inbound content filtering systems that have been deployed by IT. One result of this is a potentially greater likelihood of malware intrusion. Osterman Research found that 44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware; the figures for personally owned smartphones and tablets are dramatically lower at 10% and 9%, respectively.

IT DEPARTMENTS DO NOT HAVE THE CONTROL THEY HAVE WITH TRADITIONAL SYSTEMS
There are a growing number of challenges that IT departments face when attempting to manage personally owned mobile devices, not least of which is the fact that IT typically can exercise less control over how these devices are used. Here are a number of issues:
• Archiving is much more difficult
  Data on personally owned devices is more difficult to archive because some of it is stored on the mobile devices themselves, not necessarily on the backend servers that are operated by IT.
• Monitoring content is more difficult
  Monitoring content sent from and received by mobile devices is much more difficult than it is from a conventional desktop infrastructure. Because various types of communications must be closely monitored in financial services, energy, healthcare and other industries, users on mobile devices represent a significant liability simply because their content cannot be easily monitored. This means that legal and regulatory violations are easier to commit, which can lead to adverse legal judgments and regulatory sanctions.
• Users are more autonomous
  Mobile users tend to be more independent from IT's control because they are outside of the office, so IT cannot control how devices are used. Users will often connect to carrier-provided networks to access the Web or email, they will connect to local Wi-Fi hotspots in coffee shops and hotels, and so forth. The result is that IT does not control its users' mobile Web or email experience to nearly the same degree as when users are in an office environment.
• Compliance is more difficult
  According to an Osterman Research survey, nearly two in five organizations find managing policies for e-discovery or regulatory compliance to be difficult or very difficult, while 35% find managing other types of policies to be this difficult. Managing mobile policies for issues like e-discovery and regulatory compliance is slightly more difficult than managing other types of policies. Larger organizations, in particular, have a more difficult time with compliance and e-discovery policies; the survey found that nearly one-half of respondents indicated that managing such policies was either "difficult" or "very difficult".
• The environment is more diverse
  The normal desktop infrastructure consists of mostly Windows machines and possibly some Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows phones, BlackBerry devices, and other platforms. Further complicating the management of this environment is that there are multiple versions of the operating systems in use, each of which can provide users with slightly different capabilities.
CONTENT MUST BE MANAGED PROPERLY
Personally owned smartphones and tablets contain a significant proportion of corporate data. Osterman Research has found that more than five percent of corporate data is stored just on users' smartphones – we expect this figure to soar during the next 24 months as iPads and other tablets are employed in much larger numbers. Employee-owned and controlled devices make access to this data by corporate IT or compliance departments much more difficult, such as during an e-Discovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees' personal property.
It is vital that IT be able to manage content properly. This includes not only traditional forms of communication like email, but also text messages, instant messages, social media and even voice communications.
From a practical standpoint, IT's insight into what data is available on personally owned mobile devices becomes more difficult when devices – and the corporate proprietary information on them – are under the sole control of the employees. This is particularly problematic for legal counsel and others that must assess the information that the organization has available to it during e-Discovery, early case assessments, legal holds and similar types of litigation-related activities. Moreover, the likelihood of spoliation of content stored on personally owned devices is much greater simply because it is not controlled by the IT or compliance department. Add to this the problem of corporate e-Discovery revealing employees' personal information, as well as the opposite problem of corporate data being revealed when employees are involved in personal litigation.
With regard to legal holds – i.e., when data that might be required in a legal action must be held back from the normal deletion cycle or from users' arbitrary deletion – it is imperative that an organization immediately be able to retain all relevant data, such as emails, SMS/text messages and instant messaging chats sent from senior managers to specific individuals or clients. Placing a hold on data stored on personally owned devices may be more difficult than it is for traditional systems – and much more difficult when it is located on devices that are under the control and ownership of individual employees.

THE ULTIMATE GOAL SHOULD BE TO MITIGATE RISK
The bottom line is that organizations must mitigate the risks associated with BYOD to the greatest extent possible. This means that organizations must do three basic things:
• Increase the level of control they exercise over personally owned devices and modes of communication when used for organizational purposes. This control must be focused on protecting the organization from regulatory, legal and other problems that can arise when personally owned tools are used outside of the direct control of IT.
• Archive all relevant communications and other content on personally owned devices in the same way that content is archived on employer-supplied devices.
• Monitor communications and content to ensure that corporate policies are followed, regardless of the platform that an employee uses to do their work. Moreover, there needs to be consistency between the policies applied to employees' desktop experience and those on their mobile devices – in other words, corporate policy management should not differ based solely on the device that an employee chooses to use.
WHAT SHOULD ORGANIZATIONS DO?

DON'T TRY TO STIFLE BYOD
Many decision makers, when faced with the growing number and severity of problems associated with BYOD, may decide that the practice should be stopped through corporate edict. For example, implementing draconian controls that will all but eliminate – or at least attempt to eliminate – the use of personally owned devices and employee-managed applications for work-related purposes may be viewed as one solution to the BYOD problem. While some decision makers may adopt this approach to protect corporate data assets or reduce the potential for malware infiltration, there are three reasons to opt for more open, rather than more restrictive, BYOD-related attitudes:
• Draconian controls will probably not be successful
  When faced with a corporate edict to eliminate use of personal devices or applications, many employees will simply continue to use them under the radar, particularly the growing proportion of employees who work from home at least one day per week. For organizations that opt to lean toward eliminating consumer-grade options, an easy-to-use, secure and IT-sanctioned alternative must be provided.
• Employee productivity will suffer
  It is also important to understand that the vast majority of employees do not use their own devices or applications simply for the fun of it – they are doing so to be more productive, to bypass IT restrictions (e.g., email file-size limits) that prevent them from being effective in their work, or because they have found a way to be more efficient at no charge to their employer. To issue an edict that prevents employees from using these tools will likely be counterproductive to the interests of both management and employees.
• Improved competitive advantage
  As a corollary to the point above, the use of personally owned mobile devices can significantly improve an organization's competitive edge by making employees more responsive and more available to customers, co-workers, business partners and others. This can provide a significant advantage in some cases compared to the status quo of waiting to come into the office the next morning to respond to customer inquiries, etc.

UNDERSTAND THE REQUIREMENTS
There are a number of obligations that firms in the financial services and other heavily regulated industries must satisfy with regard to text message monitoring and the retention and protection of content, including:
• SEC Rule 17a-3: requires production of records
• SEC Rule 17a-4: requires retention of records
• FINRA Rules 3010, 3113: require supervision and retention of records
• Investment Advisers Act Rule 204-2: requires maintenance of records
• FINRA Regulatory Notice 11-39: provides guidance for use of personally owned devices that contain corporate information
• FINRA Regulatory Notice 10-06: provides guidance for use of Web 2.0
• FINRA Regulatory Notice 10-59: requires encryption of content on portable media devices
• FINRA Regulatory Notice 07-59: provides guidance for review and supervision of electronic communications
• The Health Insurance Portability and Accountability Act (HIPAA): requires Protected Health Information (PHI) to be sent securely to prevent its access by unauthorized parties
• Sarbanes-Oxley, which applies to most publicly owned corporations: imposes a variety of requirements for retention of content, such as communications between senior executives, auditors and others involved in managing financial and other corporate records
• FERC Order 717: requires retention of various types of communication, including instant messaging, for five years
• FERC Part 125: imposes retention periods for records maintained by public utilities and others
In addition to these, there are a variety of other requirements that focus on the monitoring, retention and/or production of data, including the Gramm-Leach-Bliley Act, various data breach laws in 46 of the 50 US states, and the Federal Rules of Civil Procedure. Moreover, individual states have their own procedures for managing civil litigation, many of which have been updated to reflect the growing quantity of electronic information that organizations manage.

IMPLEMENT POLICIES
It is critically important that organizations faced with the BYOD problem implement policies that are focused on acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization's overall acceptable use policies that govern use of corporate computing resources.
Key elements of these policies as they apply to mobile devices should be that:
• All communication on the mobile device, such as SMS/text messaging, is monitored and archived as per the guidance issued by FINRA in Regulatory Notice 07-59.
• All devices in use can be remotely wiped by the IT department in the event of their loss.
• All devices that contain corporate content are encrypted to prevent the loss of sensitive data or intellectual property.
• Corporate policies focused on employee-managed applications include requirements for the encryption of data if it is stored in a third party's cloud data center.

IMPLEMENT THE RIGHT TECHNOLOGIES
Although enabling BYOD and implementing appropriate policies are important, it is essential that organizations also deploy the appropriate technologies that will enable IT departments to monitor the use of mobile devices when used for work-related purposes and to archive the content stored on them. Any technology employed for text message monitoring, archiving or otherwise managing the use of mobile devices should satisfy a number of criteria:
• It should enable the use of personally owned mobile devices with as little interruption to the normal operation of these devices as possible. Solutions must be designed for the platforms that users employ most often, namely Android, BlackBerry and iPhone devices.
• It should enable IT departments to archive and monitor all relevant content for purposes of regulatory compliance, legal obligations and other purposes. This should include email, text messages, instant messages and other content. It is important to note that the iPhone is somewhat more difficult to monitor because of Apple's primary focus on the consumer.
• It should enable easy search and retrieval of content on mobile devices.
• Organizations should consider using a mobile device management system in order to manage applications and wipe or lock devices that are lost or stolen.
• It should enable the information on the mobile devices to be encrypted.
• It should not impose a significant cost for IT and should add only a minimal management burden on IT.

SUMMARY
The BYOD phenomenon is here to stay: employees are increasingly opting to use the latest and greatest smartphones and tablets, and they are willing to pay for these devices themselves. While this can provide some immediate benefit to IT departments that do not have to pay for these devices, there are serious consequences that can result, including violation of regulatory and legal obligations to monitor communications, archive corporate content, encrypt content, and otherwise manage how corporate data is sent, received and stored. To mitigate these risks, every organization should implement the appropriate policies and technologies that can satisfy their regulatory and legal obligations, and at the same time enable the use of personally owned devices for work-related purposes.

ABOUT MOBILEGUARD
MobileGuard is the leading provider of mobile communication monitoring and archiving solutions, which ensure compliance with the rules and mobile regulations of all relevant regulatory bodies. MobileGuard's Mobile Compliance solutions provide SMS monitoring, capturing, logging, archiving, management, supervision and alerting of all communication on company mobile devices. The MobileGuard solutions are:
MessageGuard™ - Provides a complete solution for the capture, monitoring, and archiving of SMS, MMS, IM, BlackBerry Messenger and BlackBerry PIN-to-PIN messages sent from mobile devices. All text messages are identified, collected, and archived in a format that is easily accessible, allowing companies to establish meaningful internal compliance policies regarding mobile devices and to meet compliance mandates from all relevant regulatory agencies. MessageGuard presently supports Android, BlackBerry and Windows Mobile operating systems and is available as a hosted or on-premises solution.
VoiceGuard™ - Enables companies to record and archive call conversations and voice mails from mobile devices, providing a compliance and risk management solution for your mobile workforce. The recording of mobile voice calls is a mandatory FSA regulation, and compliance is a logical next step in the regulatory process. Utilizing the VoiceGuard solution as a core business practice demonstrates good governance, particularly in areas where client transactions are conducted by phone. With VoiceGuard, all calls can be quickly retrieved and replayed to protect your business operations from potential false claims, interpretations, or misrepresentation.
SafeChat™ - Provides enterprises with a secure chat application for employees' iPhones and other mobile devices so company instant messaging may be monitored and archived. The SafeChat solution lowers the risk of compromised data and helps companies meet regulatory requirements. SafeChat securely captures images, spreadsheets, PDFs and other files so sensitive information remains proprietary.
DeviceGuard™ - Presents companies with the ability to manage employees' mobile devices through a secure administrative console. Setting corporate policy, preventing security breaches, policy controls, user provisioning and remote wipe/lock are some of the functionalities for securing the mobile workforce. The DeviceGuard management solution gives employers control over devices so that data is not lost and malicious applications cannot infiltrate your enterprise network. DeviceGuard will be released 2Q2013.
All of the captured text, chat and voice information is available for review on MobileGuard's Administrative console, which has robust monitoring, archiving and search capabilities. Enterprises can set automatic flagging of messages for compliance and supervisory review based upon message content, recipients, and/or senders. Our advanced search capabilities allow for quick and efficient retrieval of messages. With the administration console, managers of enterprise IT departments have an immediate web-based interface for the end users of mobile devices, which provides a single point of reporting for each mobile device. This console can provide real-time SMS/MMS messages, call logs, policy alerts, device/employee information and device location for each device. In addition, MobileGuard supports ad hoc reporting delivered on demand for audit and e-discovery. All of MobileGuard's solutions are easily integrated with a company's email archiving service so that all collected information is available in one central location.
For more information, contact MobileGuard at:
MobileGuard
1375 Broadway, Suite 600
New York, NY 10018
Phone: 646-536-5559
Email: Info@MobileGuard.com

© 2012 Osterman Research, Inc. All rights reserved.
No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.
Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.
THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

Notes (only partially preserved in this copy; several note texts and URLs did not survive extraction)
i. …around-slides/2671
iv. …p037553.pdf
vi. Electronic Retention: What Does Your Mobile Phone Reveal About You?