BLURRED LINES

By Phil Beckett, partner at Proven Legal Technologies – the corporate forensic investigation and e-disclosure firm 

As the consumerisation of IT grows, Bring Your Own Device (BYOD) is a term that will only become more and more common, referring to employees who utilisetheir own technology devices on workplace systems. Consumers are hardly ever more than a metre away from their smartphones and want to be connected 24/7. Companies have even spotted spikes in work activity during Christmas, Easter and other public holidays, showing that employees are taking the opportunity to look at work emails, even when they are away from the office or on leave.

Be it on an iPhone, BlackBerry, tablet, laptop, PC or smartphone, workers can connect themselves to a secure corporate network and use their own device at work, at home, or anywhere where they have a data connection.IT research firm, Gartner, predicts that by 2017, 38 per cent of companies will stop providing devices to workers, arguing that BYOD provides huge benefits, such as creating new mobile workforce opportunities, increasing employee satisfaction and reducing or avoiding costs.BYOD therefore cannot be labelled as a passing trend and it is, without a doubt, here to stay.

As the line between business and personal becomes blurrier and more companies deploy BYOD, how can businesses protect themselves against loss of intellectual property, deliberate or otherwise?

DIVVY UP

Divide’s software allows firms to manage the personal smartphones of their employees, securely creating an area on a phone to sync and store data for the workplace. It is a mobile app that is said to securely separate a consumer’s personal data and the corporate data contained on a phone or tablet, making it easier for businesses to manage disparate personal devices.

Yes, the Divideapp does seem like a step in the right direction for sharpening the blurred lines of BYOD, but this self-service approach does create a problem for companies that cannot uphold upmost security on those devices. Divide allowsits users to switcheasily between personal and secured work applications and also lets employers wipe data remotely in the event that a device is lost. Despite this, corporations still risk losing their company-sensitive data and intellectual property in the event of an employee mislaying their personal phone.

IP SECURITY IMPLICATIONS

BYOD could potentially lead to loss of control, impact network availability, and cause data loss, if companies do not manage it properly.If abused, it can also cause employees to violate regulations, rules, employer-employee trust, intellectual property rights and other critical business obligations. Companies should therefore implement appropriate network access strategies and security policies in order to secure themselves so that the worst does not happen.

In regulated industries, such as banking and financial services, where data breaches can attract large fines, managing security on employee devices is of particular importance. One of the most memorable fines was in 2009 when HSBC was fined over £3million by the Financial Services Authority (FSA), the Financial Conduct Authority’s (FCA) predecessor, when customer data was lost in the post.  At the time of the investigation, the FSA said it discovered thatlarge bulks of unencrypted or otherwise unprotected customer data were sent via post or courier to third parties. Internal members of staff were also found to be insufficiently briefed on the resultant risks of identity theft.  There was also other data that were left exposed to loss or theft on open shelves or in unlocked filing cabinets.A BYOD simply expands the range of devices that could hold sensitive data, either intentionally or otherwise.  It could therefore be the source of a data breach.

THE CHALLENGES OF SOCIAL MEDIA

Social communication has become a part of the fabric of our everyday lives and as a result, has become a big challenge for companies, as the environment is increasingly dynamic and any number of connections can be navigated.  Communication applications used on personal and company devices, for example Facebook and WhatsApp, are extremely difficult to monitor as they are operated on smartphones as opposed to PCs.  BYOD brings workers’ use of social media and other forms of personal communication closer to the business epicentre, therefore risking unintended or malicious infection between the two.  Firms must therefore act fast and ask themselves if they wish to allow these applications to be used on company devices at all.

The increasing use of social media in the workplace can have serious security implications for companies, which is why more and more organisations are choosing to block social networking sites. More and more tools are being brought onto the market to facilitate access blocking and network traffic monitoring. However, for every preventive measure applied, there will always be a way around it, especially if BYOD policies are employed, as these applications will be virtually impossible to control. Companies must therefore instil regular training processes to ensure best practice and raise awareness of the issues.

AN INVESTIGATION

If a breach of intellectual property is encountered and it reaches the stage of investigation, an experienced investigator will be looking to determine patterns in an individual’s behaviour.  They will not only focus on trying to find the ‘smoking gun’, but also ondetecting supportive intelligence that helps bring the overall picture into sight.  This can include finding outwhich employee is connected towhom, recent movements that relateto other sources of evidence, and so on.  Investigations of all available social sources can help build a picture around the scene of the crime.

Firstly, the investigator needs to understand where any relevant data is, and then how to capture it in a forensically sound manner.  This is harder than it sounds, especially given the vast quantity of mobile devices, cloud computing platforms, social media accountsetc.This can make it legally confusing, especially when considering personal devices used under BYOD policies. The company must then ask itself if it is company allowed to investigate these without consent, for example.

Evidence will come from a variety of sources. For instance, these could be corporate network log files to identify the use of web-based email, as well as other outbound activity, such as uploads to Google Drive and Drop Box.  Internet history databases and cached pages of internet sites retained on a work computer can also be investigated alongside deleted data and backups of personal devices on corporate machines.

In addition, the investigators at hand should also seek to look at public social media profiles, such as LinkedIn and Facebook, as many profiles tend to be open for all to see. Traces of artefacts left behind on a computer system by certain applications, such as Skype, can provide indications of malpractice. Mobile devices can often contain more relevant evidence than computers.

A PREVENTATIVE APPROACH

The success of any investigation will depend on an investigator’s legitimate ability to access a personal device of the individual in question, and indeed their social media profile. During an investigation, firms can therefore benefit by looking at all the data and analysis, allowing all results to feed into the others, in order to achieve a higher and more detailed level of analysis.

Firms should always take a preventative approach, as it always works best.  Challenges facing corporate IT and security departments are well documented and largely emphasise the need for well thought-out policies and contracts that cover employee access to web applications.  An individual’s right to privacy, versus employer rights to audit privately owned devices, must also be reconciled.BYOD procedures, for example, should provide a list of devices approved by the firm and determine which corporate applications can be accessed in the event of an investigation.  Security policies should incorporate mandated anti-virus software, firewalls and encryption in the event that the device is lost or stolen.  IT departments should therefore have the means and the authority to wipe corporate data from personal devices.

BACK TO THE FUTURE

Today we have the ability to create, disseminate and store information on an immeasurable scale.  We can do this with ease and as mobile telephony technologies continue to advance at light speed, we are entering a world where any data can be accessed from anywhere, at any time, using any type of device.  It cannot be ignored: BYOD is on the rise.The best defence possible for companies is if they are able to avoid BYOD altogether.  This is not always possible with the younger workforce of today, which has been brought up on smartphones, social media and so forth.

Employees will continue to want to access both personal and work content on their business devices.  Companies should therefore consider the importance of being able to attract and retain a younger workforce by installing systems to caterfor its needs.Ultimately, firms must get the right systemsin place and take a fully preventative approach in their BYOD strategies. This must become to be a key priority so that any problems can be snuffed before they come to light.