A key challenge for any organization is balancing the protection of institutional data, respecting privacy and enabling trust, when employees access institutional systems with personally owned devices. Any BYOD strategy should address this balance. Personally owned devices usually are not under the control of the institution, and verifying that the devices are securely configured can feel intrusive. Allowing personal devices that are not checked for secure configuration and vulnerabilities to log into protected systems creates potentially serious and unknown risks. Institutional attempts to influence or cause configuration changes on personally owned assets and scanning them for vulnerabilities raises questions about trust and liability.
Institutions that provide employees properly configured mobile devices help reduce the need of employees to access institutional systems with personally owned devices, but this approach does not work in all situations. While the potential cost of a security breach can easily exceed the cost of providing mobile devices to employees, the cost of providing the mobile devices also can exceed available funding. Institutionally issued mobile devices may not address all legitimate needs.
Educating employees, who access institutional systems with personally owned devices about the need to configure them securely, check them for vulnerabilities often, not use those devices for high risk activities, and inform their supervisor about their apparent need to use the personal device for work helps to reduce risk and initiate a healthy conversation about viable alternatives. Providing employees access to virtual desktops that can be better protected, and are in turn used to access institutional systems provides a reasonable balance of improved security and usability. However even in these cases using a secure personal device to log into the virtual desktop is important. After all, a compromised device that is allowed to log into a secure virtual desktop is an open door to attack.
Clear policies and services to guide and help employees be safe are important. Offering self-service vulnerability scans, for example, enables employees to check their personally owned machines while not undermining trust and privacy. It is the purpose of this blog to stimulate a discussion about this topic and sharing between contributors information about solutions that accomplish the three goals of respecting employee privacy, safeguarding data and enabling trust.
Petr Brym currently serves as the Chief Security Officer in UC Berkeley Student Affairs Information Technologies. Previously Petr served as the Director of IT Security at the University of New Hampshire.