Although a number of CISOs hate the phrase BYOD, the fact is many organizations have been forced to allow staff to log onto corporate networks with personal devices, hopefully agreeing to follow certain practices or use personal devices that segregate personal and corporate data.
So, like it or not, infosec pros are obliged to craft an official bring-your-own-device policy, even if it’s only that a small group of executives have to use corporate-owned devices.
But that doesn’t mean everyone follows the rules. An article this week noted a vendor found 57 per cent of employees and 38 per cent of IT professionals who responded to a survey ignore their company’s BYOD program, fearing execs would have too much visibility into the end user’s personal data. And those are the outliers who thumb their noses at BYOD policies for an allegedly noble reason.
What’s the problem? It may be, the piece suggests, that staff haven’t bought into the program because they weren’t fully consulted. “Effective policies need to be created as a group in order to gain a sense of ownership,” a cybersecurity consultant is quoted as saying. “Make sure HR, finance, marketing, communications, executives, are all represented and come up with a realistic (not draconian) policy that mitigates risks while still enabling the business.”
Still, the piece adds, some experts also think certain organizations with a low tolerance for risk may have to put their foot down and insist that no personal devices can access corporate assets. At the very least, CISOs may have to create a so-called CYOD policy — ‘choose your own device’ — where staff can buy their own smartphones and tablets, but only from a limited list of approved secure devices.
Mobility has brought a world of benefits to organizations, but also a world of headaches. CISOs have to work with staff, while employees have to understand the price of risky behaviour.