Smartphone security in the workplace a tough issue with BYOD
The "Bring Your Own Devices" trend has a dual-personality problem on its hands.
How can corporate data and personal data exist on a single smartphone? Companies don't want their deep secrets to get out, while employees don't want to be told how to use their precious mobile gadgets that they bought with their own money.
It's a problem that has stumped the BYOD crowd.
"Companies don't trust that information is contained properly" on a BYOD smartphone, says Nanci Churchill, vice president of operations at Mobi Wireless Management, a software and services provider helping companies navigate mobile adoption.
Help, though, may be on the way.
Splitting the Phone Virtually
New solutions are bubbling up from mobile software vendors. For starters, there's the idea of a smartphone with a virtual software partition, which essentially splits the phone to create dual personalities for business and personal purposes.
The business side can be remotely wiped if the phone is lost or stolen or the employee leaves the company. BlackBerry Balance does this on BlackBerrys. VMware and Verizon teamed up to create a virtual workspace on certain Android smartphones.
Mobile device management vendors such as AirWatch are also finding ways to separate personal and business data. Rather than remotely and fully wiping a compromised BYOD smartphone, MDMs can choose to selectively wipe only business apps.
In some cases, you can wipe business data.
Apple's native apps such as Calendar and Contacts let you tag data as personal or business. With native email, the iPhone can have separate accounts for personal email and work email. This allows MDMs to wipe only the business data (or email account) within the app itself. It should be noted that most third-party apps on the App Store don't separate data, which means MDMs must wipe the entire business app.
The Thin Line Between Business and Personal Data
You'd think with so many options, the problem of duality would be solved, but it's not.
Many of Mobi's customers, as well as a large AirWatch customer, continue to fully wipe compromised BYOD smartphones, even though Mobi and AirWatch generally advise companies to embrace selective wiping.
Truth is, business data can skirt the virtual partition to the personal side of the phone or a personal cloud storage account, such as Dropbox or iCloud.
One company, for instance, said it would only access business content on a BYOD smartphone. It defined business content as email and business-related documents. Photos were excluded under the assumption that they were personal in nature.
"They came to find out that there were a lot of photographs of white boards. People had taken pictures of white boards that contained all kinds of business information," Matt Karlyn, a lawyer and partner in the technology transactions practice group at Boston law firm Cooley LLP, told me. "You can't make assumptions about what's business and what's personal."
It works in reverse, too.
Personal information can find its way into a business productivity app. For instance, another company bought a popular mobile note-taking app for its BYOD community. When the phone is compromised, the company reserves the right to remotely wipe it.
But employees had become so comfortable with the app that they began using it for personal stuff, too. They stored pictures, voice notes, recipes in the same app, because you can't have two versions of the app on the iPhone. When an employee leaves the company, they lose the app.
Bye-bye, personal data.
Beyond Splitting the Phone: Dual Persona Workarounds
It's this loss of personal data that has Mobi recommending customers perform select wipes over full wipes, even though select wipes may not include all corporate data. BYOD employees tend to get a bit sue-happy when their personal data is wiped, their privacy is violated or their location is being tracked via the mobile device. (For more on this, check out BYOD Lawsuits Loom as Work Gets Personal.)
"We are continuing to advise companies to go select wipe just because there's less risk in terms of personal information," Mobi's Churchill says.
There are some workarounds to the dual-persona problem.
Companies can selectively wipe BYOD smartphones for some types of employees and fully wipe smartphones for others, such as a regional vice president who has access to all sorts of business data and might take pictures of whiteboards.
There are also ways to stop a BYOD smartphone camera from taking pictures of a company's intellectual property. The BYOD user policy can require employees to enable location-based services, which, in turn, can integrate into geo-fencing. If an employee is in a certain area of, say, the manufacturing plant or company campus, then the camera can be turned off.
Also, a camera can be disabled if the phone tries to get on the corporate WiFi network.
There are an equal number of ways employees can capture business data on the personal side of their BYOD smartphone. In the above scenario, an employee can put his phone in Airplane mode and be free to take pictures. From copy and paste to screen shots to emailing documents to personal accounts to tagging business contacts as personal ones, employees can and will violate BYOD user policies.
"But that's now an HR issue," says CEO John Marshall at AirWatch. "IT is only responsible for so much. If somebody is trying to do something malicious, you can't stop that."
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com.