
Bring Your Own App (BYOA)

If you have worked in the corporate world for the last five years you are likely familiar with the Bring Your Own Device (“BYOD”) concept. BYOD is the practice of allowing employees to use their personal computers, smart phones, and other devices to access company data and perform their jobs.

You may be less familiar with a related new trend called Bring Your Own App (“BYOA”).  BYOA is to software as BYOD is to hardware, but it poses significantly more complications and difficulties than BYOD does.   Where BYOD allows your employees to use their own devices to access the data within your organization’s infrastructure, BYOA allows your employees to put company data just about anywhere.

For example, employees may use cloud storage like Dropbox and cloud applications like Google Apps to work and share among themselves. The advantage to allowing these practices is that employees are using the tools with which they are the most comfortable. The danger is that information may leave the control of your organization. As a result, you are more exposed than ever before to data loss, malicious hackers, and losing track of where your data is. To address the potential impact of BYOA on your organization, you must ensure that your policies align with your organization’s needs.

Assuming you have a BYOD policy in place, you should review it to ensure that it covers apps that your employees use as well as the devices upon which they rely.  Does it balance your employees’ best practices with the security concerns of your company?  Employees understand what works best for them but they may not be in the best position to understand potential privacy or security threats.

Do you know what applications your employees are using?  Twenty years ago there was a concern that employees were building Microsoft Access databases and creating shadow IT projects.  Now, the possibilities of what employees can create and deploy are endless.

If you already have a map of all of the data in your organization, does it include the web and smartphone services that each employee uses? It should. If you have autodeletion of aged email or documents, will it catch those in the cloud? There is no exception to the Federal Rules for "I didn't realize that my employees were sharing documents on Google Drive." The best way to avoid being blindsided is to speak candidly with your employees about this issue and ask them what, specifically, they are using in addition to their sanctioned apps.

You hired your employees to perform a vital function in your organization. If they aren’t getting the support that they need internally, finding that out is an important step toward both productivity and security.

You may consider conducting a survey of your employees to determine what they use to get their jobs accomplished.  You might be surprised not just at what your employees are using, but also at what they find helpful.  A survey is an excellent opportunity for conversations with employees about security and privacy, as well as for you to learn what is really happening in the trenches.  A well-tailored survey may give you surprising insights into areas you need to improve.

Surveying the usage practices of your employees will allow you to discover unknown needs or internal inefficiencies. If employees solve these issues on their own, they may unintentionally be causing risk to your company. This is an opportunity to solve the problems internally and educate users about the available internal solutions as well as the privacy and security vulnerabilities of using outside applications.  Once you have taken your first step and discovered what your employees are using, you can develop policies to work with them to retain their productivity gains while limiting your exposure.  This can be accomplished in several ways.

Balancing privacy and security needs against productivity gains is crucial. Employees use the tools that they are familiar and comfortable with in order to do their jobs more effectively and efficiently. Once you are aware of what your employees are using, you can develop relevant policies. In some instances, you may consider partnering with the providers of the applications that they are using for an enterprise version of the software. For example, if your employees use a cloud drive to share documents, there are enterprise offerings that can provide the same functionality in a more secure way. Software that is already in service at your organization may have additional functionality that is not implemented, or may have plugins or expansions that give your employees the functionality that they need. Working with your survey results and your IT department can identify these potentially inexpensive fixes.

It is important to distinguish the best practices that won’t be followed from the good enough practices that will.  Develop a rigorous testing plan that includes monitoring and employee feedback on how the policies are affecting their work and productivity.

Explain, in plain language, what the policies of your organization are.  During the education phase, explain the reasons for the policies and use clear examples.  Explain why some things must remain secret to retain a trade secret or a legal privilege.

Use this as an opportunity to encourage candor from your workforce.  If they believe that something is needed to solve a problem, this is a good time to address that.

Whatever your policy, you need to address these issues in a holistic way. In addition to determining your level of risk and how locked down you want your network to be, you should develop an educational program for your employees that will let them know your expectations and why you have them. The technology options for increasing productivity are always growing. These must be balanced against the needs of your business and the need to track where data is throughout its lifecycle.

By repeating the survey, policy adjustment, and education process on a regular basis, you can learn more about what your employees are doing and set up an informational feedback loop that will serve to benefit your organization.

Jonathan Swerdloff
Jonathan Swerdloff is Director of Global Client Services and eDiscovery at Scott+Scott Attorneys at Law LLP. Prior to this role, he was an expert Consultant at Driven, Inc.