Almost everyone in Canada is using a smart phone. Recent statistics tell us that more than 80% of 18-34 year olds are using smart phones. For each prior generation, 35-44 and 45-54, that number only drops by 10%, and the projection is that at least 85% for all age ranges, and as high as 98% for 18-34 year olds, will be using smart phones by 2018.[1] Or, you can simply check the number of smart phone users when you see anyone having to wait for anything.

Our embrace of connectivity drove businesses to provide employees with company-issued mobile phones. Now there is another shift, where employees are increasingly expecting or expected to use their personal devices for work-related matters.

The surge in popularity of “bring your own device” (“BYOD”) programs is understandable given the readily apparent benefits: cost effectiveness, employee familiarity with their device of choice, potential for increased connectivity and productivity, etc. The availability of multi-platform “secure” apps for work purposes has also eased employers’ concerns about the security risks of employees using personal devices for work purposes.

For all of the potential benefits of the BYOD revolution, there are also risks associated with such programs.

What are the risks?

Phones are increasingly targets of malicious software designed to extract data. Phones will often hold private or confidential data, or be used to access private networks. Employees also have control over the administrative settings of their personal device, allowing them to configure the device and its settings, and install software applications—which may or may not be authorized and security cleared.

This is all complicated by the fact that the employee is using the device simultaneously for both personal and business purposes. Employees’ personal use may expose employers to security issues, while employers need to balance the employees’ right to privacy in their personal data with the employers’ need to safeguard the employers’ network and business information.

Further, the basic responsibility for software updates, patches and encryption, critical for maintaining appropriate control over sensitive information, are generally placed on the individual employee under BYOD programs. There is always at least one person who never updates their software, and this leaves the device, and the organization vulnerable.

Mitigating the risks

Employers in Canada have legal and fiduciary obligations to take all reasonable steps to ensure that the personal information they collect and retain, both of their customers and employees, is secure. A robust BYOD policy will ensure that all potential risk areas are covered, either through technology or procedural policy controls. In developing such a policy, employers should be sure to consider:

  • how business information will be stored on an employee’s personal device (e.g. through cloud based access, or partitioned drives);
  • how business information will be encrypted and protected if the device is compromised, or if the employee leaves the organization;
  • how personal devices will be authenticated for accessing an organization’s secure servers;
  • what the responsibilities and restrictions are for employees, regarding appropriate use, access controls, application management, which mobile platforms will be accepted, and software updates, among other things; and
  • what personal employee information the company may have access to (e.g. geo-location, personal photos, emails etc.) because of the BYOD program, how it will manage such access, and how it will access business information contained on an employee’s device, should it be required for legal proceedings.

Implementing the program

The risks associated with the implementation of a BYOD program will be unique to the specific organization. As a first step, employers may wish to conduct a privacy and risk assessment for the organization, identifying the nature and type of sensitive business information that may be exposed, and the degree of risk exposure if a BYOD program were implemented.

Developing materials and training IT managers and other employees on BYOD policies, best practices and technological requirements, are necessary steps to ensure that all employees are aware of and instructed to follow established protocols. These materials should emphasize the importance of not exposing sensitive business information through the use of personal devices.

Pilot programs can be an effective way of initiating such programs and building them out, allowing employers to determine the appropriate level of monitoring and incident reporting mechanisms necessary for their specific organization.

Existing BYOD programs should be reviewed on a regular basis to ensure that current technology is being utilized and all business information is adequately protected.