BYOD and GDPR: Managing the compliance conundrum

Today’s employees want the freedom to work from any location and any device at any time of day. These individuals are increasingly using their personal ‘smart’ mobile devices to conduct business. In recent years, the bring your own device (BYOD) phenomenon has taken the corporate world by storm. Thanks to the growing consumerisation of IT, workers are now using their own devices to undertake work tasks, yielding efficiency, mobility, and flexibility.

From a business perspective, enabling BYOD is an advantageous strategy. According to a recent study, over half (53 percent) of employees of companies with a BYOD policy feel they’re more productive when they have their own devices. Additionally, a Frost & Sullivan study quantified the time savings, revealing that using personal devices for work activities saves employees 58 minutes each day, providing a 34% increase in productivity.

However, BYOD can also represent a significant risk for organisations. For the IT department, there is massive pressure to find a way to securely enable BYOD. Failure to do so can lead to malware outbreaks, noncompliance with regulatory requirements, and corporate exposure in the wake of personal device theft.

Securing personal devices

Security teams need to protect corporate data on employees’ personal devices in order to comply with GDPR and other industry-specific regulatory frameworks. In an attempt to accomplish this, many organisations have turned to using mobile device management (MDM) or mobile application management (MAM).

Agent-based tools like MDM and MAM grant organisations extensive visibility and control over the endpoints on which they are installed – virtually all device activity can be monitored or influenced in some capacity. This makes it possible to remotely wipe data from a device, enforce data protection policies, block the use of certain applications, and much more. Consequently, IT teams use these tools to protect their companies from various risks and threats; however, this technology raises other concerns when installed on BYO devices.

Exposing employees’ personal data

In a recent study, Bitglass tested the extent to which unscrupulous IT personnel can use agents to gain full visibility over an employee’s personal device. Unfortunately, by routing traffic through the same proxies used to manage devices and conduct security audits, Bitglass discovered that IT teams using agent-based tools can capture user browsing activity, transmit login details in plain text, and monitor outbound and inbound communications. It is also possible to force the GPS to remain active in order to track the location and out-of-work habits of an employee. Additionally, employers can perform a full wipe to remove all data from a device, including personal data such as contacts, photos, and videos.

Employees are generally unaware that their personal lives can be tracked in this way. This downside to MDM and MAM should be a serious concern for employees who want to feel secure when performing their job duties from their personal devices.

Finding a better way – striking an appropriate balance

We live in an era where employee privacy is taking more and more of the spotlight. In yet another Bitglass study, we found that more than half of employees are hesitant to have MDM agents installed on their personal devices – primarily due to concerns about invasiveness and privacy.

So, how do IT managers address the BYOD security challenge without compromising employee privacy? It’s a dilemma that can be resolved by reappraising the enterprise’s real mobile security requirements. Rather than locking down every aspect of personal mobile devices, IT teams should instead focus on protecting corporate data itself – wherever it is used and however it is accessed. Fortunately, there are a growing number of MDM alternatives that allow IT teams to protect sensitive data without requiring that they install invasive agents on employee devices.

Deployed in the cloud, these agentless solutions can deliver data protection, identity management, comprehensive visibility, and even advanced threat protection on any application and any device. Context-aware security policies can be enforced automatically in real time, bringing IT teams peace of mind. It’s an approach that delivers the best of both worlds. With agentless solutions, organisations and their employees can reap the benefits of BYOD, secure their data, respect user privacy, and achieve GDPR compliance.


By Anurag Kahol, CTO, Bitglass


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPOs, security professionals and senior business decision makers looking for information, updates, clarity, advice and solutions. For more information, visit the website.