When a computer in Davis Merrey’s church came down with a virus, staff were astonished because the computer is located in the church’s audiovisual booth and has no Internet connection. But Merrey, owner and chief executive of TeamLogic IT of Oklahoma City, instantly suspected what he eventually confirmed: Someone plugged a flash drive into the computer’s USB port to upload files that were infected.
With the explosion of a trend called BYOD, or Bring Your Own Device, the scenario is all too common across workplaces today, Merrey said. Workers want to use one phone, laptop and/or tablet, say, for their personal and professional lives, while businesses want to give employees the ability to work any time, anywhere.
Merrey said the trend started with large companies, whose leaders liked the idea of saving on IT costs. But he and other experts say the short-term capital savings from BYOD are easily outweighed by the potential expense and public relations problems if devices are hacked, lost or stolen, and sensitive data is compromised.
Placing a ban
Tinker Air Force Base, Hitachi Computer Products Inc. in Norman and Southwest Medical Center in Lawton fully or partially ban BYOD for security and/or privacy reasons.
“We aren’t permitted to plug any electronic device into our computers, be it smart phones, MP3 players, thumb drives or whatever,” one Tinker mechanic said. “The military sees cyber warfare as a very real and serious threat,” he said, pointing to the Stuxnet virus, which was released, presumably via a thumb drive, onto the Internet in June 2010 specifically to damage Iranian centrifuges used for separating nuclear material.
Cindy Young, Hitachi human resources director, said the company, which employs 373, issues company phones and laptops to those at a certain grade level. Meanwhile, Southwest allows employees to use personal laptops and tablets, but they can’t be connected to the system.
“We have to be very careful due to HIPAA (Health Insurance Portability and Accountability Act) requirements for information security,” said William Morrow, recruiting and retention coordinator. “For work-related emails, we have a number of people that utilize smart phones to stay connected, but we don’t allow texting of patient information,” he said.
Crowe & Dunlevy attorney Daniel Johnson said healthcare and financial organizations face the greatest risk of liability when it comes to BYOD.
“But all companies,” he said, “need to learn how to balance the employee convenience with how to protect the inadvertent disclosure of sensitive information.”
Johnson recommends that employers require employees, upon hiring, to sign a mobile device policy that includes an agreement to give employers reasonable access. “Not only is there the risk of lost or stolen devices, but a disgruntled employee may leave the company with a device containing company information, and you need to be able to claw it back,” Johnson said.
His advice to employees concerned about the privacy of any photos, blogs or other information on their own devices: “Use employee-issued stuff for business.”
Meanwhile, Merrey also strongly recommends company policies, including the stipulation of which devices, applications and systems firms will support. “Support only one smart phone, for example, so you limit the amount of work your IT department — or IT person in the case of small companies — has to do,” he said.
“Eliminate thumb drive access to computers that hold sensitive data,” Merrey said, “and make sure all devices are protected with firewalls, encryption and passwords.”
Sixty-five percent of businesses worldwide allow employees to use their own mobile devices to access email and other organizational data. Forty-five percent report taking additional security measures, including installing the latest security fixes and patches, conducting security audits and training employees. Only 13 percent have specific policies regarding the use of personal mobile devices.