
Practical Steps Toward Ensuring Compliance in a BYOD World

An Osterman Research White Paper
Published November 2012

SPONSORED BY MobileGuard

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934

One of the most important trends to impact organizations of all sizes – but
particularly mid-sized and large organizations – is for employees to use their own
smartphones and tablets to access corporate applications. The Bring Your Own
Device (BYOD) trend was started several years ago, normally on a case-by-case basis
for senior executives who had personal devices that they wanted supported by IT.
Today, BYOD has become widespread and is now a critical issue for IT departments
in organizations of all sizes not only because of the number and diversity of devices
they must support, but also because of the risks that BYOD creates:

•   The difficulty of satisfying the growing number of regulatory and legal obligations
    imposed on organizations regardless of the industry.

•   Managing the mix of corporate and personal data contained on personally owned

•   Addressing the greater risk imposed by BYOD, such as compliance violations and
    data breaches when devices are lost, policy violations when outbound content is
    not filtered, and the greater likelihood of malware entering the corporate

As a result, organizations must mitigate the risk associated with the growing trend
toward BYOD by implementing appropriate policies and deploying technologies that
will address the specific problems created by BYOD.

ABOUT THIS WHITE PAPER
This white paper was sponsored by MobileGuard – information about the company is
provided at the end of this document.

BYOD CREATES MANAGEMENT CHALLENGES
The accelerating trend toward BYOD is exactly what its name implies: the growing
trend for employees to use personally owned smartphones, tablets, laptops and other
platforms to access corporate applications like email, databases, various applications,
public cloud-based applications and other tools; and to create, store and manage
corporate data using these devices. For example, Osterman Research has found that
business email and Web browsing are the business tasks for which mobile devices are
most commonly used (by 99% and 93% of users, respectively), but personal social
media, corporate social media, SMS/text messaging, instant messaging chat and
storage of business-related documents are also common. In particular, real-time
messaging, such as instant messaging, is widely used by financial and energy traders.

Osterman Research has found that BYOD is pervasive across organizations of all
sizes, but particularly in smaller organizations, as shown in the following table.

Penetration of Personally Owned Devices

    Device          Small Orgs              Mid-Sized Orgs          Large Orgs
                    (up to 99 employees)    (100-999 employees)     (1,000+ employees)
    Smartphones     40%                     32%                     27%
    Tablets         28%                     18%                     16%

©2012 Osterman Research, Inc.
The widespread nature of BYOD is also borne out by other research organizations.
For example:

•   An Aberdeen Group study found that 75% of companies permit BYOD [i].

•   A Research and Markets study found that 65% of enterprises worldwide will
    adopt BYOD to some extent by the end of 2012 [ii].

•   Some companies are migrating to a completely BYOD approach, such as Cisco,
    where 100% of all mobile devices are provided by employees and not the
    company itself [iii].

•   Equanet reports that 71% of tablets used in a business setting are employee-

There are a number of problems associated with the unmanaged use of personally
owned devices in a corporate context:

•   Regulatory requirements can be violated
    A key issue is that firms registered with FINRA and the SEC are required to archive
    and monitor communications via smartphone. For example, FINRA Regulatory
    Notice 07-59 [v] states “…a firm should consider, prior to implementing new or
    different methods of communication, the impact on the firm’s supervisory
    system, particularly any updates or changes to the firm’s supervisory policies and
    procedures that might be necessary. In this way, firms can identify and timely
    address any issues that may accompany the adoption of new electronic
    communications technologies.” In the United Kingdom, the Financial Services
    Authority (FSA) issued Policy Statement 08/1, which requires recording of both
    voice and electronic communications in the context of public and enterprise
    instant messaging solutions.

•   A mix of corporate and personal data
    BYOD adds significant complication to corporate data management because
    personally owned devices contain a mixture of corporate data, such as email and
    application data, and personal data like photos and Facebook posts. This
    situation creates a number of challenges for IT departments focused on the
    legality of searching through personal content for corporate information,
    employee privacy rights, and just the sheer logistics of managing data on mobile
    devices.

•   An increased likelihood of data breaches
    BYOD can increase the likelihood that sensitive or confidential corporate
    information will be breached. Researchers in a UK-based study acquired 49
    mobile devices that had been resold through secondary markets; forensic
    examination of the devices resulted in the discovery of information on every
    device and a total of more than 11,000 pieces of information collectively from all
    of the devices [vi].

•   An inability to remotely wipe devices
    Most personally owned devices cannot be remotely wiped if they are lost, leading
    to a much greater likelihood of data breaches and loss of intellectual property.
    In organizations with at least 100 employees, we found that 69% of company-
    owned smartphones can be remotely wiped if they are lost, but only 24% of
    personally owned smartphones can be wiped. Similarly, 54% of company-owned
    tablets can be remotely wiped versus only 21% of personally owned tablets.

•   Lack of outbound content filtering
    The use of personally owned devices will normally bypass outbound content
    filtering systems, resulting in potentially more violations of corporate and
    regulatory policies focused on encrypting sensitive content or preventing
    disclosure of confidential information.

•   Malware incursion
    Personally owned devices used to create, access and store corporate data will
    typically bypass inbound content filtering systems that have been deployed by
    IT. One result of this is a potentially greater likelihood for malware intrusion.
    Osterman Research found that 44% of company-owned smartphones and 38%
    of company-owned tablets can be scanned for malware; the figures for
    personally owned smartphones and tablets are dramatically lower at 10% and
    9%, respectively.

There are a growing number of challenges that IT departments face when attempting
to manage personally owned mobile devices, not least of which is the fact that IT
typically can exercise less control over how these devices are used. Here are a
number of issues:

•   Archiving is much more difficult
    Data on personally owned devices is more difficult to archive because some of it
    is stored on the mobile devices themselves, not necessarily on the backend
    servers that are operated by IT.

•   Monitoring content is more difficult
    Monitoring content sent from and received by mobile devices is much more
    difficult than it is from a conventional desktop infrastructure. Because various
    types of communications must be closely monitored in financial services, energy,
    healthcare and other industries, users on mobile devices represent a significant
    liability simply because their content cannot be easily monitored. This means
    that legal and regulatory violations are easier to commit, which can lead to
    adverse legal judgments and regulatory sanctions.

•   Users are more autonomous
    Mobile users tend to be more independent of IT’s control because they are
    outside of the office, so IT cannot control how devices are used. Users will
    often connect to carrier-provided networks to access the Web or email, they will
    connect to local Wi-Fi hotspots in coffee shops and hotels, and so forth. The
    result is that IT does not control its users’ mobile Web or email experience to
    nearly the same degree as when users are in an office environment.

•   Compliance is more difficult
    According to an Osterman Research survey, nearly two in five organizations find
    managing policies for e-discovery or regulatory compliance to be difficult or very
    difficult, while 35% find managing other types of policies to be this difficult.
    Managing mobile policies for issues like e-discovery and regulatory compliance is
    slightly more difficult than managing other types of policies. Larger
    organizations, in particular, have a more difficult time with compliance and e-
    discovery policies. The survey found that nearly one-half of respondents
    indicated that managing such policies was either “difficult” or “very difficult”.

•   The environment is more diverse
    The normal desktop infrastructure consists of mostly Windows machines and
    possibly some Macs and maybe a few Linux machines. The typical BYOD
    environment, on the other hand, is much more diverse, typically consisting of
    iPhones, Android smartphones, iPads, Windows phones, BlackBerry devices, and
    other platforms. Further complicating the management of this environment is
    that there are multiple versions of the operating systems in use, each of which
    can provide users with slightly different capabilities.


Personally owned smartphones and tablets contain a significant proportion of
corporate data. Osterman Research has found that more than five percent of
corporate data is stored just on users’ smartphones – we expect this figure to soar
during the next 24 months as iPads and other tablets are employed in much larger
numbers. Employee-owned and controlled devices make access to this data by
corporate IT or compliance departments much more difficult, such as during an e-
Discovery exercise. This is not only because of the difficulty that might be
encountered in physically accessing these devices, but also because of the potential
privacy and other legal issues that are raised by companies accessing their
employees’ personal property.

It is vital that IT be able to manage content properly. This includes not only
traditional forms of communication like email, but also text messages, instant
messages, social media and even voice communications.

From a practical standpoint, IT’s insight into what data is available on personally
owned mobile devices becomes more difficult when devices – and the corporate
proprietary information on them – are under the sole control of the employees. This is
particularly problematic for legal counsel and others that must assess the information
that the organization has available to it during e-Discovery, early case assessments,
legal holds and similar types of litigation-related activities. Moreover, the likelihood of
spoliation of content stored on personally owned devices is much greater simply
because it is not controlled by the IT or compliance department. Add to this the
problem of corporate e-Discovery revealing employees’ personal information, as well
as the opposite problem of corporate data being revealed when employees are
involved in personal litigation.

With regard to legal holds – i.e., when data that might be required in a legal action
must be held back from the normal deletion cycle or from users’ arbitrary deletion – it
is imperative that an organization immediately be able to retain all relevant data,
such as emails, SMS/text messages and instant messaging chats sent from senior
managers to specific individuals or clients. Placing a hold on data when stored on
personally owned devices may be more difficult than it is for traditional systems –
and much more difficult when it is located on devices that are under the control and
ownership of individual employees.

THE ULTIMATE GOAL SHOULD BE TO MITIGATE RISK
The bottom line is that organizations must mitigate the risks associated with BYOD to
the greatest extent possible. This means that organizations must do three basic

•   Increase the level of control they exercise over personally owned devices and
    modes of communication when used for organizational purposes. This control
    must be focused on protecting the organization from regulatory, legal and other
    problems that can arise when personally owned tools are used outside of the
    direct control of IT.

•   Archive all relevant communications and other content on personally owned
    devices in the same way that content is archived on employer-supplied devices.

•   Monitor communications and content to ensure that corporate policies are
    followed, regardless of the platform that an employee uses to do their work.
    Moreover, there needs to be consistency between the policies applied to
    employees’ desktop experience and those on their mobile devices – in other
    words, corporate policy management should not be different based solely on the
    device that an employee chooses to use.


Many decision makers, when faced with the growing number and severity of problems
associated with BYOD, may decide that the practice should be stopped through
corporate edict. For example, implementing draconian controls that will all but
eliminate – or at least attempt to eliminate – the use of personally owned devices and
employee-managed applications for work-related purposes may be viewed as one
solution to the BYOD problem. While some decision makers may adopt this approach
to protect corporate data assets or reduce the potential for malware infiltration, there
are three reasons to opt for more open, rather than more restrictive, BYOD-related

•   Draconian controls will probably not be successful
    When faced with a corporate edict to eliminate use of personal devices or
    applications, many employees will continue to use them under the radar,
    particularly the growing proportion of employees who work from home at least
    one day per week. For organizations that opt to lean toward eliminating
    consumer-grade options, an easy-to-use, secure and IT-sanctioned alternative
    must be provided.

•   Employee productivity will suffer
    It is also important to understand that the vast majority of employees do not use
    their own devices or applications simply for the fun of it – they are doing so to
    be more productive, to bypass IT restrictions (e.g., email file-size limits) that
    prevent them from being effective in their work, or because they have found a
    way to be more efficient at no charge to their employer. To issue an edict that
    prevents employees from using these tools will likely be counterproductive to the
    interests of both management and employees.

•   Improved competitive advantage
    As a corollary to the point above, the use of personally owned mobile devices
    can significantly improve an organization’s competitive edge by making
    employees more responsive and more available to customers, co-workers,
    business partners and others. This can provide a significant advantage in some
    cases compared to the status quo of waiting to come into the office the next
    morning to respond to customer inquiries, etc.

UNDERSTAND THE REQUIREMENTS
There are a number of obligations that firms in the financial services and other
heavily regulated industries must satisfy with regard to text message monitoring and
retention and protection of content, including:

•   SEC Rule 17a-3: requires production of records

•   SEC Rule 17a-4: requires retention of records

•   FINRA Rules 3010, 3113: require supervision and retention of records

•   Investment Advisers Act Rule 204(2): requires maintenance of records

•   FINRA Regulatory Notice 11-39: provides guidance for use of personally owned
    devices that contain corporate information.

•   FINRA Regulatory Notice 10-06: provides guidance for use of Web 2.0

•   FINRA Regulatory Notice 10-59: requires encryption of content on portable
    media devices

•   FINRA Regulatory Notice 07-59: provides guidance for review and supervision of
    electronic communications

•   The Health Insurance Portability and Accountability Act (HIPAA) requires
    Protected Health Information (PHI) to be sent securely to prevent its access by
    unauthorized parties.

•   Sarbanes-Oxley, which applies to most publicly owned corporations, imposes a
    variety of requirements for retention of content, such as communications
    between senior executives, auditors and others involved in managing financial
    and other corporate records.

•   FERC Order 717: requires retention of various types of communication, including
    instant messaging, for five years.

•   FERC Part 125: imposes retention periods for records maintained by public
    utilities and others.

In addition to these, there are a variety of other requirements that focus on the
monitoring, retention and/or production of data, including the Gramm-Leach-Bliley
Act, various data breach laws in 46 of the 50 US states, and the Federal Rules of Civil
Procedure. Moreover, individual states have their own procedures for managing civil
litigation, many of which have been updated to reflect the growing quantity of
electronic information that organizations manage.

It is critically important that organizations faced with the BYOD problem implement
policies that are focused on acceptable use of devices and applications, perhaps
creating a list of approved devices, operating systems, applications and other
personally owned or managed solutions. These policies should be detailed and
thorough, and should be included as part of an organization’s overall acceptable use
policies that are focused on use of corporate computing resources.

A key element of these policies as they apply to mobile devices should be that:

•   All communication on the mobile device such as SMS/text messaging should be
    monitored and archived as per guidance issued by FINRA in Regulatory Notice

•   All devices in use can be remotely wiped by the IT department in the event of
    their loss.

•   All devices that contain corporate content should be encrypted to prevent the
    loss of sensitive data or intellectual property.

•   Corporate policies focused on employee-managed applications should include
    requirements for the encryption of data if stored in a third party’s cloud data
    center.

Although enabling BYOD and implementing appropriate policies are important, it is
essential that organizations also deploy the appropriate technologies that will enable
IT departments to monitor the use of mobile devices when used for work-related
purposes and to archive the content stored on them. Any technology employed for
text message monitoring, archiving or otherwise managing the use of mobile devices
should satisfy a number of criteria:

•   It should enable the use of personally owned mobile devices with as little
    interruption to the normal operation of these devices as possible. Solutions must
    be designed for the platforms that users employ most often, namely Android,
    BlackBerry and iPhone devices.

•   It should enable IT departments to archive and monitor all relevant content for
    purposes of regulatory compliance, legal obligations and other purposes. This
    should include email, text messages, instant messages and other content. It is
    important to note that the iPhone is somewhat more difficult to monitor
    because of Apple’s primary focus on the consumer.

•   It should enable the search and retrieval of content on mobile devices easily.

•   Organizations should consider using a mobile device management system in
    order to manage applications and wipe or lock devices that are lost or stolen.

•   It should enable the information on the mobile devices to be encrypted.

•   It should not impose a significant cost for IT and should impose only a minimal
    requirement on IT’s management requirements.

SUMMARY
The BYOD phenomenon is here to stay: employees are increasingly opting to use the
latest and greatest smartphones and tablets and they are willing to pay for these
devices themselves. While this can provide some immediate benefit to IT
departments that do not have to pay for these devices, there are serious
consequences that can result, including violation of regulatory and legal obligations to
monitor communications, archive corporate content, encrypt content, and otherwise
manage how corporate data is sent, received and stored. To mitigate these risks,
every organization should implement the appropriate policies and technologies that
can satisfy their regulatory and legal obligations, and at the same time enable the use
of personally owned devices for work-related purposes.

ABOUT MOBILEGUARD
MobileGuard is the leading provider of mobile communication monitoring and
archiving solutions which ensures compliance with the rules and mobile regulations of
all relevant regulatory bodies. MobileGuard’s Mobile Compliance solutions provide
SMS monitoring, capturing, logging, archiving, management, supervision and alerting
of all communication on company mobile devices. The MobileGuard solutions are:

MessageGuard™ - Provides a complete solution for the capture, monitoring, and
archiving of SMS, MMS, IM, BlackBerry Messenger and BlackBerry PIN-to-PIN
messages sent from mobile devices. All text messages are identified, collected, and
archived in a format that is easily accessible, allowing companies to establish
meaningful internal compliance policies regarding mobile devices and to meet
compliance mandates from all relevant regulatory agencies. MessageGuard presently
supports Android, BlackBerry and Windows Mobile operating systems and is available
as a hosted or on-premises solution.

VoiceGuard™ - Enables companies to record and archive call conversations and voice
mails from mobile devices, providing a compliance and risk management solution for
your mobile workforce. The recording of mobile voice calls is a mandatory FSA
regulation and compliance is a logical next step in the regulatory process. Utilizing
the VoiceGuard solution as a core business practice demonstrates good governance,
particularly in areas where client transactions are conducted by phone. With
VoiceGuard, all calls can be quickly retrieved and replayed to protect your business
operations from potential false claims, interpretations, or misrepresentation.

SafeChat™ - Provides enterprises with a secure chat application for employees’
iPhones and other mobile devices so company instant messaging may be monitored
and archived. The SafeChat solution lowers the risk of compromised data, as well as
helps companies meet regulatory requirements. SafeChat securely captures images,
spreadsheets, PDFs and other files so sensitive information remains proprietary.

DeviceGuard™ - Presents companies with the ability to manage employees’ mobile
devices through a secure administrative console. Setting corporate policy, preventing
security breaches, policy controls, user provisioning and remote wipe/lock are some
of the functionalities for securing the mobile workforce. The DeviceGuard
management solution gives employers control over devices so loss of data and/or
malicious applications cannot infiltrate your enterprise network. DeviceGuard will be
released 2Q2013.

All of the captured text, chat and voice information is available for review on
MobileGuard’s Administrative console, which has robust monitoring, archiving and
search capabilities. Enterprises can set automatic flagging of messages for
compliance and supervisory review based upon message content, recipients, and/or
senders. Our advanced search capabilities allow for quick and efficient retrieval of
messages. With the administration console, managers of enterprise IT departments
have an immediate web-based interface for the end users of mobile devices, which
provides a single point of reporting for each mobile device. This console can provide
real-time SMS/MMS messages, call logs, policy alerts, device/employee information
and device location for each device. In addition, MobileGuard supports ad hoc reporting
delivered on demand for audit and e-discovery. All of MobileGuard’s solutions are
easily integrated with a company’s email archiving service so that all collected
information is available in one central location.

For more information, contact MobileGuard at:

1375 Broadway, Suite 600
New York, NY 10018
Phone: 646-536-5559

© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be
distributed without the permission of Osterman Research, Inc., nor may it be resold or
distributed by any entity other than Osterman Research, Inc., without prior written authorization
of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes
legal advice, nor shall this document or any software product or other offering referenced herein
serve as a substitute for the reader’s compliance with any laws (including but not limited to any
act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively,
“Laws”)) referenced in this document. If necessary, the reader should consult with competent
legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no
representation or warranty regarding the completeness or accuracy of the information contained
in this document.


      Electronic Retention: What Does Your Mobile Phone Reveal About You?
