There is no shortage of horror stories when it comes to valuable corporate data and intellectual property being lost or stolen because of an unprotected and unmanaged smartphone or tablet.
There is the story of a CEO who had all his corporate email forwarded to his unsecure Gmail account -- only to have it hacked. Then there is the mobile workforce that thought using a third-party Web-based storage service would be a great place to stash proprietary sales data -- only to have it swiped. And then there are the handset-related lawsuits that center on legal exposure arising from a lack of compliance with regulatory requirements such as the Health Insurance Portability and Accountability Act.
"If a [business] doesn't have an updated mobile policy that stipulates responsibilities of the users, such as the company's file, share and sync rules, employees are extremely predictable and will make bad choices," said Ira Grossman, CTO of end-user and mobile computing at national solution provider MCPc, Cleveland. "Left to their own BYOD devices, employees are going to use unsanctioned services, apps and gadgets."
What keeps a chief security officer up at night? Increasingly, mobile threats that expose a company to risks and potential liabilities, Grossman said.
According to research firm Gartner, only 33 percent of companies currently have BYOD policies in place for smartphones and 47 percent have BYOD policies regarding tablets. Grossman said BYOD poses significant challenges to IT departments, legal teams and compliance officers. Here are five top concerns.
1. Lost or stolen smartphones that are unsecured, unencrypted and full of sensitive corporate data still represent a top concern for companies when it comes to the legal exposure organizations might be creating by moving to BYOD. A good password protects most handsets, say mobile experts.
2. If the company is using a mobile device management (MDM) solution, then it's possible to remotely wipe a device. But, as Theodora Titonis, vice president of mobile at security firm Veracode, points out, even the strictest MDM solutions can be foiled by irresponsible end users. She said bad passwords, installing rogue apps and using services that track a person's whereabouts can leave even the most buttoned-down enterprise exposed.
3. As communications move from email to third-party messaging services such as Skype and wireless carriers' SMS networks, it is important that a BYOD policy clearly spells out that employees will have to surrender their devices if required for an eDiscovery proceeding.
4. Another nail-biter for chief security officers is creating rules on what type of corporate data can be accessed from outside the firewall on a mobile device. Investor documents, proprietary information and other sensitive health-care records can fall into the wrong hands if the smartphone or tablet is lost or stolen. Having set content-sharing rules and controls can secure access to sensitive documents and restrict the ability of an employee to transmit documents via a mobile device without proper authorization.
5. The proliferation of mobile devices accessing company applications and data at all levels of the enterprise creates huge IT headaches, Grossman said. When an enterprise doesn't formally support or supply mobile devices to employees, there is an unexpected pressure put on IT staffs to solve smartphone and tablet problems. "These are IT headaches at the device level, but also at the back end such as data and email retrieval. Defining the boundaries of IT support is often overlooked," he said.
"There is a common fallacy that BYOD can save an enterprise money because employees shoulder the cost of a mobile device," Grossman said. "That's simply not the case. It's far more expensive for a company not to have BYOD policies in place and a trusted MDM solution to help manage smartphones and tablets."
This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.