I looked up at the 40-50 people who were attending my presentation at the 2014 Clio Cloud Conference, Law Firms in a BYOD (Bring Your Own Device) World, and asked how many used a passcode lock on their phones. Every hand went up. “Well, this will be easier than I imagined,” I thought. It was my first presentation at a conference like this, and it’s easier preaching to the choir, so to speak.
“How many use your phone for work,” was my next question. Again, every hand in the room went up. Then the bombshell hit.
“How many do so pursuant to a written Bring Your Own Device policy?”
Two hands. In a room of 40-50 tech savvy lawyers.
Before I made my presentation, I decided that it would take far too much time for me to walk through a BYOD policy step-by-step, particularly considering my belief that making sure attendees understood the dangers was important (it was about half of my 45 minute presentation). Ok, I admit it, I spent half my presentation attempting to scare the audience into action, although it was entirely based on real information. Based on the Q&A at the end, it worked.
While I addressed the individual components of a thorough BYOD policy, I decided that a different approach would be more effective: what are the real elements that make the difference between a successful and unsuccessful BYOD policy. (For more information about BYOD, and for some template BYOD policies, check out my presentation sources page.)
What sets a successful BYOD Policy apart?
I found four things that differentiated a successful BYOD policy from the rest. A successful BYOD policy, in addition to the basic policy provisions, addressed the following:
- Universal Buy-In (and universal application);
- Involving everyone, or at least making sure everyone was represented;
- Vigilance and updates; and
- Clearly addressing the issue of privacy.
While it is my opinion that a truly effective BYOD policy is created with all of those issues in mind, one of them is absolutely required for any BYOD policy to avoid absolute failure – Universal buy-in. Why? Because in a BYOD world, all it takes is one weak link. What is the key in making sure that you get universal buy-in? AWARENESS!
Employees must be aware of the risks…
Here’s the thing – unless you’re willing to spend a ton of money on Mobile Device Management software that is intrusive and overbearing, you’re going to have to accept that your employees are in compliance with much of the policy on faith. You’re going to have to trust that they’re not downloading confidential files to apps not designated for company information. You’re going to have to trust that they’re not downloading apps that might contain malware.
What’s the problem with operating on faith? Well, it lacks certainty. Hence why it’s called “faith.”
Nearly every survey performed on the subject indicates that employees actually have a higher level of satisfaction using their own personal device for work, even though it means they’re paying for it. BYOD tends to limit this extra satisfaction, though, by requiring certain things from the employee, such as addition of security apps or allowing the device to be tracked by the employer.
… AND how the BYOD Policy addresses those risks.
Without a full and complete understanding of the need for this added security, now the employee feels less like they’re free to use their own device, which they were able to select and feel comfortable with. Instead, it feels like the company is turning their phone into the company’s phone, without bearing the burden of paying for it. That, in a word, sucks. It’s that very resentment that will lead employees to avoiding or outright violating a BYOD policy, which as you might expect, renders it absolutely useless.
Unless they’re aware of the danger! The threat of being hacked today is not remote – stories about hacking are reported daily, it seems. The threat is real. What most people don’t fully understand, however, is that by allowing unsecured mobile devices access to secured servers and computer systems, they might as well not have any security to begin with. Mobile devices are a HUGE security risk, and all the steps you’re taking to implement your BYOD policy are reasonable – provided you’re not using them to be a dickish boss or a pervert (caveats that probably apply to damn near any workplace policy).
Abuse of power sucks. Don’t do it.
In the end…
Having a complete BYOD policy in place is necessary for your business or firm’s cyber security, but it is not sufficient. For that policy to be effective, your employees who are subject to the policy must be aware of the risks and dangers involved and, just as importantly, must be aware of how the policies in place are designed to reduce or mitigate that risk. Without awareness of the risks created by BYOD, all your detailed policies will do is serve as nice-looking exhibits in the lawsuit your former clients filed against you for negligence after a hacker gets their personal data from your company.
.@NCCyberAdvocate teaching lawyers about security in a #BYOD world. #cliocloud9 pic.twitter.com/KPgb1TP9iS
— Joshua Lenon (@JoshuaLenon) September 23, 2014
Pingback: Phishing: When One Email Shuts Down Your Law Firm()