Firing a worker for not reporting a lost or stolen tablet or smartphone may seem extreme, but at some companies things have come to that. How can CIOs get workers to take BYOD policies seriously?
By Tom Kaneshige
CIOs fret about corporate data security on “Bring Your Own Device,” or BYOD, but do employees care? A good number of them — 15 percent — believe they have little or no responsibility to protect corporate data stored on their personal devices, according to a recent survey from Centrify, an identity management software provider.
“It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to,” says Michael Osterman, principal analyst with Osterman Research.
Centrify surveyed more than 500 employees at mid-to-large companies and found a startling disconnect between perceived BYOD risk and reality.
Nearly half of those surveyed have more than six third-party apps on their BYOD devices, and more than 15 percent have had a personal account or password compromised, says Centrify.
Forty-three percent have accessed sensitive corporate data while on an unsecured public network. And, of course, many employees don’t report lost or stolen BYOD devices right away, so any corporate data on the device stays exposed until someone can revoke its access or wipe it.
What’s a CIO to Do?
But the real question this survey raises is: what should companies do about it?
Employee education about BYOD risks is usually the quick and easy answer, but awareness training on its own has never been a very effective control. Most employees flip to the end of the security policy and sign off without giving it much thought. The truth is that security practices just aren’t top of mind for employees, especially on a daily basis.
Some companies are getting tough, attaching BYOD security compliance to employee performance reviews, compensation and, in rare cases, termination. Maybe these measures, the thinking goes, will get employees’ attention.
“I was at a CIO roundtable last year where a bunch of CIOs talked about the challenges of moving to BYOD and how they’re establishing policies, and a few said that their policies state very clearly, if you lose your device and don’t report it within 24 hours, you lose your job,” Bill Versen, director of mobility solutions at Verizon Enterprise Solutions, told CIO.com last month. “A financial services company said they lost three people because of that policy.”
Getting fired for non-compliance with a security policy sounds a little extreme. Such measures risk alienating other employees who have watched a co-worker get shown the door and now fear for their own jobs. A firing-offense policy also may create the greatest corporate security threat of all: the disgruntled insider, and it can backfire in another way, since an employee who fears for their job has every incentive to delay or avoid reporting a lost device at all.
A bad mark on a performance review, along with loss of privileges, may be a more appropriate compromise.
“A performance review may trigger that a person should no longer have access to specific data and/or apps, and termination should result in having all corporate data removed from the personal device,” says Centrify CEO Tom Kemp. That, of course, requires technology that provides this level of control: mobile device or application management tooling that can revoke a user’s access to corporate apps and data and selectively wipe corporate content from a personal device without erasing the employee’s own photos and messages, so that the remedy is enforceable without a fight over the whole phone.