Education is Needed to Assure End User Buy-in to BYOD policies

Paula Musich

The younger generation of smartphone and tablet users brings a false sense of security to all things cloud and mobility, trusting way too much in the security and intentions of app providers, cloud purveyors, the Internet and even friends. This brings even greater unease to security professionals charged with protecting corporate data as BYOD becomes pervasive in enterprises of all sizes. A raft of articles in IT-focused publications exhorts IT to put in place the proper policies and security controls to mitigate this new risk (as if they needed more risks to worry about) with regard to the use of employee-owned devices in the enterprise.

But beyond putting in place such policies and more effective controls through mobile device management and mobile applications management, IT should also consider developing an educational campaign to improve those users’ understanding of the risks that they introduce with mobile access to data, the use of public cloud storage services such as Dropbox, and collaboration in the cloud. Using a personal mobile device for improved business productivity is great, but it brings greater responsibility to the end user to ensure that they take part in protecting corporate assets. And the best way to get those users to embrace that responsibility is to educate them about the risks that they introduce when using those mobile devices to sync with corporate email, share sensitive documents, and access corporate apps. With such an understanding, policy enforcement becomes less of an issue, because workers who understand the potential dangers will be less prone to look for ways around those policies to get work done.

At the same time, users should be required to sign a terms-of-use agreement to be allowed to participate in the corporate BYOD program. Users’ own responsibilities should be clearly spelled out in these agreements. In Mastercard’s BYOD agreement, for example, employees must allow their employer to remotely wipe any corporate data from lost or stolen devices or upon the employee’s termination from the company. In addition, the costs and expenses associated with the use of the device are borne by the employee, and employees must take reasonable precautions to protect corporate data on their devices. “Reasonable precautions” should be spelled out in more detailed terms.

What do you think? Does your organization have a BYOD program in place that includes end user education about the risks introduced with mobility?
