The consumerization of IT is when employees use their own personal mobile devices, such as laptop computers, tablets, smart phones, etc. at work, referred to as BYOD (bring your own device). This use is becoming increasingly common and exposes companies to a variety of risks, including the protection of personal information.
Canadian businesses appear to be leading the world in IT consumerization. In fact, according to a recent study, more than 75% of them allow employees to use their own smart phones or tablets for work. However, almost 60% of Canadian organizations have lost corporate data through mobile devices.
In such a context, data security is essential and there are major challenges in ensuring the protection of personal and sensitive information throughout the data lifecycle (collection, use, storage or warehousing, transmission, and destruction when the information is no longer useful). In fact, organizations are obliged to protect the personal information that they gather and transmit, no matter where the data resides (laptop computer, smart phone, removable media, the cloud, etc.).
With the arrival of BYOD, protecting organizational data has become more difficult because of weak controls over personal devices in which sensitive data may be found. For example, the operating system of a personal device may be vulnerable to malware and its contents could be hacked, unauthorized people (spouse, child, friend) may have access to sensitive information on a mobile device, or the mobile device could be lost or stolen.
In order to supervise the use of personal devices at work and to adequately protect an organization’s confidential information, a BYOD policy is essential. A joint study carried out by TELUS and Ontario’s Information and Privacy Commissioner, Anne Cavoukian, details the problems and issues related to BYOD. Their study recommends a five-step proactive action plan to help organizations develop a responsible and effective program regarding BYOD.
Patrick Paradis, Information Security Consultant