Mobile devices are one of the biggest risks IT professionals have to deal with. Laptops, iPads, smartphones and other mobile devices are a challenge on a good day, but trying to deal with various types of devices you don't own makes things much harder.
The possibility of unknown or unfamiliar operating systems, unknown patching status, and other unknown vulnerabilities quite frankly scares me more than a zombie apocalypse. On top of that, not knowing what antivirus, encryption and password requirements are on these devices keeps me up at night.
The lack of device standards and ownership is the real problem. I realize organizations can make users sign agreements that give us permission to manage, or partially manage, a user's personal device. But let's face it, users do not have the same security mind-set as IT security professionals.
Imagine a scenario where a user loses a personal BYOD device and doesn't report it because they don't want you to wipe it in case it turns up. It's not that this user is unconcerned about information security; it's just that they took pictures of their new baby and haven't had a chance to upload them to their PC. All you can hope is that the device is at their home and not on the bus they just got off.
Unfortunately, this type of thing is common. Working in the healthcare industry, I am aware of stories of employees leaving sensitive data on public transportation or data being stolen from vehicles. Sometimes, these stories end in federal fines. In my opinion, business use of personal devices would give employees in this situation more incentive to not report or delay reporting the lost or stolen device.
There is a slew of other problems with allowing users to decide what device they will use. Some are bad for users, while others raise issues for organizations to deal with. For example, privacy concerns and work-life balance are topics that should concern all of us.
Consider the scenario where your employer is managing or partially managing your personal smartphone via a mobile device management (MDM) application. Many of these applications allow for GPS logging of managed devices. So, imagine your surprise when your boss asks why you spend so much time at the local bar.
Many employers are, in fact, taking an increased interest in the personal behavior of their employees. I know of many healthcare employers who are now refusing to hire smokers because they add an increased cost in terms of sick days, health insurance, and lost productivity. Are employees really ready to be tethered to employers like this?
Don't get me wrong: I believe BYOD will eventually be the norm for most of us. However, there are limits and issues to consider before we move too far, too fast. Even when IT pros understand the equipment in the environment and the vulnerabilities it possesses, we have a difficult job. To move forward with the BYOD revolution safely, organizations must set standards that dictate what kinds of devices can be used and how they will be managed.
There must also be clear and consistent user accountability when using these devices. In addition, we should all go into this knowing the pros and cons of how this strategy will affect us beyond the direct IT security concerns. With all that in place, we may have a fighting chance of making this work. Without it, we will surely be seeing even more breach stories on the nightly news.
Houston Healthcare is proud to serve the medical needs of residents in Warner Robins, Centerville, Perry and Houston County, Georgia, as the county’s largest healthcare provider for 50 years.