When the phrase bring your own device entered the corporate lexicon, the business world rushed to implement safeguards for employee-owned mobile gadgets and devise policies for their use. But according to PricewaterhouseCoopers’s 2013 Global State of Information Security survey, the rush has slowed. The number of businesses with BYOD policies in place, the survey says, remains “stubbornly low.” And that’s not good for CFOs charged with assessing risks that can affect a business’s intellectual property, competitive health, and profitability.
According to the report, fewer than half of the 9,300 C-suite executives surveyed have a security strategy to address personal devices in the workplace, despite the fact that 88% of employees use a mobile device for both personal and work purposes. The survey shows “a lag in policy perspective across the board,” says David Burg, principal with PwC’s U.S. Forensic Services practice. He says too few companies, for example, have policies to cover mobile-device forensic investigations. Those policies establish the company’s right to examine employee devices in cases of suspected trade-secret leaks and intellectual-property theft. “Our message is that you cannot fight the [BYOD] trend; you can only adapt policies, procedures, and practices to accommodate the risk,” Burg says.
PwC has seen a slight increase in its clients’ use of software to access the company’s mobile network and infrastructure, as well as use of solutions that allow companies to wipe, identify, and remove information from an employee’s personal device remotely. Fetching data from a mobile device is fraught with difficulties, Burg says, because new devices and operating systems are introduced every 6 to 12 months. That requires vendors to update their security solutions at the same pace, even as businesses need to rework their policies. “It’s important to recognize that mobile devices are on par with laptop computers these days,” he says. “They have increasing storage capacity” — meaning employees can walk around with more of your secret stuff — “and you must consider that from a security perspective.”
When PwC conducts forensic investigations for law firms, government institutions, and commercial clients, it now looks at personal devices belonging to employees, along with the company’s servers and PCs. It reviews telephone conversations, texts, and e-mails, as well as browsing behavior and geolocation information. CFOs, Burg believes, need to be hypersensitive to the risks introduced by BYOD.
“There are many ways in which the health and wealth of a firm can be affected by these investigations,” he says. “On the low level is the direct cost to conduct the investigation.” Harder to quantify, but far more expensive, are the costs associated with security breaches: for remediation, addressing reputational damage, and the not-inconsiderable expense of notifying customers and partners.
Going forward, the report suggests, enterprises must have a business process designed to accommodate the reality of BYOD. “They need to manage it the same as we see corporate clients manage any other kind of information technology asset, be it a $10,000 server or a PC,” says Burg. “Policies will first need to be put in place that include specific language about acceptable use for mobile devices, as well as advance notice to all employees that the device may [one day] need to be examined by investigators.”
The U.S. government, for example, warns its employees that it reserves the right to access their personal mobile devices to “respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings.”
If it’s good enough for Uncle Sam . . . .