Bring your own device, but who owns your data?

By Domingo Guerra.
Call it consumerization or call it BYOD, but whether we like it or not,  employee-owned devices have made their way into the workplace.

In fact, Gartner  predicts that 90 percent of companies will support corporate apps on personal  mobile devices by 2014.

But with this new technology wave comes a string of questions up for debate:  Who’s responsible for security? Who really owns the data on the devices? And as  mobile device management (MDM) becomes commonplace in the enterprise, should IT  be allowed to remotely wipe data if an employee’s phone is lost or stolen?

Perhaps the real question should be, why wouldn’t we want the data wiped?

Today’s mobile devices are extremely personal and intimate, knowing us better  than we know ourselves. Each device holds the keys to our most important  personal information. They have our exact location at any given moment, our  private contacts, personal and work addresses, schedules, financial information,  personal/private photos, family information, all stored on these easy-to-lose  devices.

Yet a disconnect remains: When we lose our wallets or purses, we immediately  cancel our credit cards and change our locks at home. Why would we treat a lost  device — with so many private details and insights into our lives — any  differently?

Some argue that holding out hope for the phone to be returned makes a full wipe of the device seem too harsh and too permanent an action.

Of course, the burden is on the consumer for regular backup, particularly when most personal devices contain as much critical data as computers. Regardless, research by Symantec shows that there is, at best, a 50 percent chance of recovering a lost device (and that chance likely drops closer to zero percent for a stolen device).

Furthermore, there’s an 80 percent chance that an attempt will be made to  breach corporate data and/or networks regardless of whether or not whoever found  the device intends to return it.

But even if users and IT agree that remote wiping is the safest action to  take in this case, do organizations even have the right to remotely wipe data on  employee-owned devices?

The short answer is that it depends. From a legal standpoint, it is usually determined by where the organization and employees are located. In Germany, for example, it is illegal for companies to wipe personal data from an employee-owned device. These companies only have the limited right to delete enterprise data from personally owned devices, so many opt for mobile management solutions that allow them to do that.

In the U.S., laws on this are more lax (or even non-existent). Most U.S.-based companies have employees sign Employee Agreements or Acceptable Use Policies covering what IT can or cannot do with their computing devices. In most cases, we’ve already given IT permission to do pretty much anything with our devices if we — even minimally — use them for work.

The truth is, there is a lot of shared risk between employees and employers, so arguing over who should delete the lost device’s data is the wrong argument. With most security matters, a pre-emptive approach is best. In this case, that means close collaboration and an understanding of what actions to take in the worst-case scenario.

Here are some suggestions:

Open the lines of communication: Employees need to know the risks  they face on a personal level, as well as the risks the organization faces.

Create a plan: Don’t wait until a device is lost or stolen before  figuring out the right course of action.

Have the right tools and technologies in place: There is a plethora of both personal and commercial options for automatic backup, remote wipe, security, and management of devices. With the amount of sensitive data we carry on our devices every day, there really is no excuse to be caught off guard.

Speaking of tools and technologies, it’s an exciting time to be in the mobile  workplace. Employees’ and IT departments’ tech savoir faire is evolving at an  unprecedented rate as groundbreaking technologies, devices, and apps make their  way into the workplace.

Whether it is traditional MDM, Mobile App Management (MAM), Mobile Risk  Management (MRM), virtualization, containerization, app wrapping, consumer or  enterprise solutions, or a combination of these, there are a lot of innovative  solutions out there. Now is the right time to figure out the best approach for  your company’s mobile management and security strategy.

In the new enterprise mobile world, who owns security, data, and the  responsibility of keeping our privacy, security, and sensitive information safe?  In this case, I’d argue we are all on the same team.

Just as the new mobile world is about connectivity and hyper productivity, it  is also a world of partnerships and trust. After all, when you use your device  for personal and work purposes, it’s not your data or my data. It’s our data  that is at risk.

Domingo Guerra is the president and co-founder of Appthority, a company focused on mobile security in the  enterprise.