Reach into your pocket, and the odds are good you'll find a smartphone pulling in work-related e-mails, along with attached documents such as next quarter's budget, a spreadsheet of customer contacts, or plans for the next generation of products.
THE PANELISTS
The following executives participated in the April 16, 2013, roundtable on BYOD and enterprise data security.
Doug Barnard,
Senior VP, General Counsel, Secretary,
CF Industries Holdings Inc.
Raj Chaudhary,
Principal & National Practice Leader, Security & Privacy Practice,
Crowe Horwath
Randy Corley,
EVP, Global Compliance Officer,
Edelman
David Foster,
Senior Director, Regional Compliance & Investigations,
Kraft Foods
Stephen Gierach,
Head of IT Audit, Compliance & Security,
RSA Medical
Gwen Hassan,
Manager of Corporate Compliance,
Navistar
Ed Hughes,
Corp. Vice President, Chief Audit Executive,
Motorola Solutions
Kristopher Keys,
VP & Deputy General Counsel, Compliance & Ethics,
Exelon Corp.
Tom Kleyle,
Vice President of Internal Audit,
CNO Financial Group
Andrew Schweik,
Director, Risk Consulting Practice,
Crowe Horwath
John Steiner,
Chief Compliance Officer,
Cancer Treatment Centers of America
Nickie Warren,
Manager of Internal Audit,
Regal Beloit
For More Information on Compliance Week Roundtables
A tablet may be propped alongside your monitor, loaded with useful apps. In your bag, a thin Ultrabook—so much easier to lug through your commute than the company-issued laptop. Soon, Google Glass and iWatches will be new tools to help you work efficiently on the road.
Chances are you bought these devices with your own money, but you use them to access the company's networks and fill them with company data.
There is an undeniable appeal when it comes to the growing Bring Your Own Device phenomenon. And, for employers, BYOD can boost productivity, reduce IT training needs, cut costs, and allow employees to remain connected to their jobs, regardless of the day or time. These benefits, however, come with plenty of risks.
To discuss the benefits and risks of BYOD and the data security challenges that come along with it, Compliance Week and Crowe Horwath recently hosted a dozen compliance, risk, and audit professionals in Chicago for an executive roundtable on the subject.
Dialing Up the Risks
The vulnerability of company data, as it bounces from a secure IT infrastructure to distributed personal devices, is a worrisome side effect of BYOD.
“Due to the proliferation of devices, we are at a critical juncture,” said Andrew Schweik, director of Crowe Horwath's risk consulting practice. “The failure to establish appropriate security policies, procedures and enforcement, could result in significant operational, compliance and reputational risks to the majority of companies.”
To start to get a handle on the risks, says Raj Chaudhary, principal and national practice leader for Crowe Horwath's security and privacy practice, you have to conduct a thorough risk assessment. “You want to take a risk-based approach. Start at the network layer and then move into the application layer,” says Chaudhary. “You're not going to be able to fix all of the problems, but you want to make sure you fix the ones that leave you most vulnerable.”
Roundtable participants agreed that data security and privacy in a BYOD world require a different mindset. “Security used to be placing all your data in one place and putting as many walls around it as you can so no one can get in,” said Thomas Kleyle, vice president of internal audit for CNO Financial Group. “BYOD creates more entry points. We are trying to protect data, but we are continually creating more ways to get to that data for business purposes, which is why the hackers have more ways to exploit it.”
Beyond hackers, there are also bad employee decisions to contend with, such as inappropriate uses and lost devices. “You can talk about people doing things nefariously, but simple human error and lapses in judgement creates most of the risks,” Kleyle said.
A question to ask, however: Can you get to the same level, or at least an adequate level, of security and control with BYOD? “As you move away from that controlled environment, you are moving down the scale of security,” Kleyle said.
There's an App for That
A pressing concern for many roundtable participants was how the apps employees use, with or without their company's knowledge, handle data and the security risks they introduce. “All this stuff is going on in the background and we don't have the foggiest idea,” says Stephen Gierach, head of IT audit, compliance, and security for RSA Medical. “We don't even know how vulnerable we are because we don't know anything about those apps. They are collecting data and sharing it with other organizations and selling it. We are much more vulnerable than we think.”
Doug Barnard, senior vice president, general counsel, and secretary of CF Industries Holdings, cited e-Discovery issues as an important concern, especially when a company subsidizes employees buying devices of their own choice.
"When the time comes to gather all the relevant data for e-discovery purposes, a company that allows employees to conduct business on their own devices, or in the cloud, will experience practical difficulties due to the company's non-centralized, non-standardized approach to data storage," he said. "If the company subsidizes employees to purchase devices of their own choosing, judicial expectations may be that much greater in deciding how far the company must go in overcoming those practical difficulties in order to gather all of the relevant data."
As a security measure many companies use software that can remotely wipe data from a mobile device that is lost or stolen, or for routine maintenance. Even this solution can be problematic from a litigation perspective. Chaudhary relayed the story of an employee-owned iPad, also used for work purposes, on which a family member captured what was a “once in a lifetime event.” The iPad while on vacation and its contents were wiped clean by IT during routine maintenance. “Now, you have an issue with discoverability, and how does the employer protect against a claim by the family member,” he said.
Concerns are greater in highly regulated industries like finance and healthcare, especially given a mandate to minimize breaches through the Health Insurance Portability and Accountability (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) acts. The latter lowers the “harm threshold” used to determine when a healthcare provider is required to report data breaches and requires “business associates” and sub-contractors to abide by some of the same requirements as the covered entities they work with, including encryption standards for patient data that may pass into their hands. The proposed rule would make them liable for unintended disclosures.
“Both covered entities and business associates have to demonstrate a good faith compliance effort, especially if a HIPAA complaint investigation occurs,” Steiner said. “Do you have a credible defense for your HIPAA program? It is important that the workforce understands how the Office for Civil Rights is conducting current audits."
"That approach is known as ‘test of design' of the HIPAA compliance program,” he explained. “If you tell your company and members of the workforce what the elements of test and design look like, then they have a roadmap they can follow, and that gets them somewhere down the road for being in compliance."
Tackling the Problem
Different companies take different approaches to BYOD. Some require password protection or impose their own security settings if an employee wants to tap into their infrastructure. Others limit the types of devices that can be used, and the operating systems that run them.
Some go as far as to ban the practice completely, although the effectiveness of the prohibition can be questioned. “Our policy says you may not download data to a personal device, but how do you enforce that?” asked one participant. “We don't currently run an audit program that pulls peoples' devices and checks for data, but we've been talking about it.”
A common theme of the roundtable was that policies on BYOD can be particularly difficult to enforce, especially since it's harder to see what employees are doing on their own devices, compared to company-issued hardware. The foundation for an effective BYOD is setting proper policies and controls, Chaudhary says. When doing this, “just deploying the tools is not good enough; training employees regarding these policies is extremely critical.”
Motorola Chief Audit Executive Ed Hughes (left) talked about the importance of a multidisciplinary approach that brings IT and compliance together. At right is Doug Barnard, CF Industries Holdings general counsel.
Nickie Warren, manager of internal audit for Regal Beloit, and Kristopher Keys, Exelon's deputy general counsel, share a laugh during the forum.
Understanding the technology being used was seen as a first step toward controlling it. “If you don't know anything about the technology, it becomes very hard to know where you have gaps,” said Gwen Hassan, manager of corporate compliance, office of the general counsel, for Navistar. “Do you have enforcement or policy gaps? Do you have an audit gap? Maybe you have all of the above? If compliance people don't know what they don't know, they are going to be in trouble.”
Ed Hughes, corporate vice president and chief audit executive for Motorola Solutions, cited the importance of a multi-disciplinary approach, especially bringing IT and compliance together, when assessing and mitigating risks. “I'm never going to be an IT expert, but I know there are gaps out there and a whole bunch of things I don't know,” he said. “So, I am going to bring in experts who can review the process and policies, review our systems, and tell me what those gaps are. Then, it is my job to fill those gaps.”
Kristopher Keys, vice president and deputy general counsel, compliance and ethics, for Exelon Corp. agreed. “I hate to use the cliché, but collaboration is king,” he said. “You really need to have different disciplines at the table at the same time, because the discussion is typically ‘can we” from a technology perspective and ‘should we' from a legal perspective. Sure, we can track an individual's browser history on a mobile device, but should we?”
Chaudhary stressed the importance of diligent risk assessment in building common definitions between IT, enterprise, and the C-suite. This can help secure the resources needed to ensure success. “Even on a smaller scale you need to do that so that you can get the definitions in line with the corporate folks,” he said, “that gets you the money and the attention.”
Tech Solutions
Even though the line between work and personal life may be blurred, there is no reason for data to be similarly commingled. Chaudhary said there are third-party solutions that offer both encryption and “containerization,” creating a partition that separates business and personal data, preserving the integrity of both and wiping only the business data in case of a lost stolen mobile device.
Beyond the added cost, however, a problem with these services and tools is that companies often do not deploy them correctly. “It is counter-productive to buy the tool and not actually configure it properly,” he says.
His advice is to make the process more manageable by starting with iOS, using pilot groups to craft standards. The next, weightier challenge is addressing Android devices because that operating system comes in a multitude of “flavors.” The solution may be to limit the number of versions that can be used.
From left to right, Andrew Schweik, director of Crowe Horwath's Risk Consulting Practice; Edelman Global Compliance Officer Randy Corley; and David Foster, Kraft Foods' senior director of regional compliance & investigations.
For many, moving files from a workstation to personal devices and back again leads them to utilize a cloud-based sharing service. Depending on the type of data transmitted between different devices this can create IT and security headaches.
“These cloud-based sharing services make it very easy to sign up and create your own personal storage space,” Chaudhary says. “For convenience, employees set this up for personal use initially and move on to using it for business use without checking with or informing their company's IT.” To identify rogue sites being used by employees for data storage, IT can perform a “logging and content filter review” to analyze cloud service connections and block these sites to mitigate loss of data, he suggests.
The Right to Remain Private
A growing concern posed by BYOD is how to balance privacy issues, and laws protecting employee privacy, with the corporate imperative to protect their data. One participant fretted that changes are imminent because the United States is a “laggard” on such issues when compared to the European Union and also must now keep pace with laws in Canada, Mexico, and even China.
State laws, notably in California and Massachusetts, are also setting new standards for balancing the protection of data with preserving privacy rights, Chaudhary said.
One participant, recalling a comment made by a Congressional staffer during Patriot Act debates, applied it to technology concerns: “You can't have privacy unless you have security.” The two, he said, need to go hand-in-hand.
No comments yet