IT GRC Forum

Many employees have come to expect that they should be able to use personal smartphones and other mobile devices at the office. This creates problems for IT managers. A company’s IT staff may have a solid grasp on company-issued laptops, desktops, and even mobile phones, but it is almost impossible to control the results when employees begin connecting various types of personal devices to the company’s network. When you get that brand new Droid, load it up with apps, and then plug it into your work PC in order to update or sync necessary files, your company’s IT guy has to worry about whether that last app you downloaded might infect the entire network.

A study by ESET/Harris Interactive found that fewer than 10% of people who use personal tablets for work have enabled auto-locking with password protection. Only one in four secure the personal smartphones they use for work, and only one in three adequately protect their laptops. With well over 50% of employee’s personal devices left unsecured, lost phones, laptops, and tablets constitute a significant data breach risk.

Corporations that do allow employees to use personal devices at work have responded to this problem by implementing a BYOD (“bring your own device”) policy to help IT staff manage these devices and ensure network security.

So, what’s the difference between personal and employer-issued mobiles in the workplace? The short answer to this question is: there is no difference.

A smartphone provided by your employer requires a “company mobile liability policy.” This means they not only provide and pay for your mobile device, they also dictate what you can and can’t do on the device. In many situations, the employer may have remote capabilities to monitor activity and, in the event of loss or employee termination, wipe the data.

“Employee mobile liability policies” are for employees who prefer to BYOD. While these employees may pay for their own devices and their monthly data plans, but the same restrictions can (and should) be imposed on employees who use personal devices at work. If you choose to use your personal device for work purposes, at any time, for any reason, your employer will more than likely want control over that device. This means that, again, your employer may have remote capabilities to monitor activity wipe your device’s data if it is lost or you resign or are fired.

In both situations, the employer will be liable for leaked data. So if you choose to BYOD, be prepared to give up some liberties.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.