Legal and technical BYOD pitfalls highlighted at RSA security conference

Companies that don't protect themselves through policies place themselves at risk

Allowing employees to bring their own devices to work is causing new challenges, including what happens when a device needs to be wiped or employees want to sell their smartphone or tablet.

Mobile security and BYOD (bring your own device) are main themes at the European edition of RSA's security conference, which takes place this week in London.

Letting employees use their own smartphones or tablets for work represents a loss of control for IT departments. Also, if personal data isn't handled correctly, the company may end up being sued, said Cesare Garlati, vice president of mobile security at Trend Micro and the moderator of a conference session called "The Dark Side of BYOD."

"If companies don't protect themselves through policies they are really exposed," said Garlati.

For example, using Microsoft's ActiveSync technology to remotely wipe a device becomes more complicated because when data is deleted from the device everything is removed, including the user's personal photos, videos, songs and so on, according to Garlati.

"The question is who is responsible for that," said Garlati.

So, initiating a remote wipe when a user has entered the wrong password too many times, when an employee has been let go, or simply by mistake could have serious repercussions.

There are both technical and legal ways for an organization to address this.

More advanced mobile device management products allow enterprises to create containers that separate personal and enterprise information and can delete just the latter, according to Garlati.

However, for that to work, information has to be tagged correctly or stored in the right place, and some enterprises feel they can't trust that this is the case, according to Leif-Olof Wallin, research vice president at Gartner.

"For example, on an iPad there is a good chance that the employee has stored notes from a sensitive meeting outside the container. So to be on the safe side, they wipe the whole device," said Wallin in a separate interview.

The solution is to put in place an acceptable-use policy that clearly states employees can connect to the enterprise network, but if something goes wrong, the IT department can initiate a remote wipe that also deletes personal information, according to Garlati. The rules of the policy then have to be reiterated on a regular basis, he said.

Part of that is also telling users to back up personal data if they don't want to lose it, Wallin said.

People and their devices can also be affected if their employer gets involved in litigation.

"The other party can go to the judge and say that to preserve and discover evidence, I require all the devices involved in the litigation to be seized and sent to a forensics expert for analysis," said Garlati.

The user loses their device and will again want some form of compensation, according to Garlati.

The technical solution here is to use desktop virtualization, which means all of the corporate information is stored on servers. Doing the same with at least tablets would be good, but the technology isn't there yet, Garlati said.

When handing over information relevant to a legal case is enough, the IT department needs to have a process in place for gathering the data from PCs, smartphones and tablets, according to Wallin. Allowing the IT department to do that also needs to be part of the policy workers agree to, he said.

Enterprises also have to plan for what happens when a user wants to upgrade to a new device and get rid of the old one. Doing that is mandatory for any BYOD program, according to Wallin.

One way to ensure corporate data doesn't end up in the wrong hands is for enterprises to outright buy old devices. Another alternative is to discount the cost of a new smartphone, according to Garlati.

"My company actually gives me a discount on the AT&T price of a device if I buy through them, but there is a catch because I have to return the old device," said Garlati.

Purchasing phones from employees isn't a very feasible option, since enterprises are adopting BYOD to get away from buying hardware, according to Wallin. His alternative is to rely on the mobile device management solution or to get users to wipe their phones.

"Users have to be told that if they are let go, retire, leave or buy a new device, all corporate information has to be deleted, including potential physical or cloud-based back-ups ... Some organizations want to verify the information has been deleted, while others check a sample or trust the employee," said Wallin.

Mikael Ricknäs

IDG News Service