By Allie Philpin
Talk about BYOD policies and the focus is usually on how an organisation manages its data: how employees can access corporate data securely from smartphones, tablets and other mobile devices. That is the right place to start. As more and more employees use personal devices to carry out their work, a policy that defines how they may access corporate data, how data is shared safely and how it is kept secure is vital. But there is one aspect of BYOD that is often forgotten: what happens to corporate data held on personal devices when that employee leaves the company?
By not dealing with this part of BYOD, an organisation raises the risk of its data being shared with an unauthorised person, of the now ex-employee still being able to reach the corporate intranet or the cloud services where data is stored, and of data being passed on to competitors. If the technology and the policy are not in place to remove corporate data from the personal device as soon as an employee leaves, your data will leave with them, and this is the area that potentially creates the biggest risk.
It is often the last thing an ex-employee thinks about; their mind is on their new job. They are unlikely to hand back remote access privileges, delete saved passwords or remove corporate data held on their device, and the organisation cannot rely on them doing so. For a responsible organisation, developing an exit process that keeps the network and data protected is just as important as the BYOD user policy itself.
Of course, there are several ways to do this. The knee-jerk reaction would be to ban all personal devices, but in today's business world, with its need for flexible, mobile workforces, that is no longer a viable option. Some organisations restrict the use of personal devices to specific job roles only, e.g. sales personnel and board level. Some will only allow employees to log on to the network from a personal device as a 'guest': they are given basic access to non-sensitive corporate data and email, but are not allowed to download or print any information.
Alternatively, it may be a better option to invest in the technology that is available to monitor, manage and 'remote wipe' devices when necessary. But the BYOD policy must clearly state that all enrolled personal devices will be monitored for compliance purposes, and that when the employee leaves the company the remote wipe procedure will be initiated automatically. The procedure needs to be laid out clearly to the employee in advance, because it is a personal device and not the property of the company, and a wipe that also removes the owner's photos and messages is the kind of surprise that ends in a dispute. Another solution is to use 'containers': corporate data, accounts and credentials are held within a managed container on the personal device, and when that employee is no longer with the company only the container is removed, taking the corporate data, access tokens, passwords and so on with it and leaving personal data untouched. Whichever approach is chosen, the wipe should be paired with revoking the ex-employee's accounts, sessions and tokens on the server side, because a device that is switched off or offline cannot receive the wipe command and the corporate data on it stays readable until it does.
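As an added example (this is not code from the original article), here is how that exit process could be automated: server-side revocation first, then a wipe scoped to who owns the device, with anything the MDM cannot confirm kept on a follow-up list. The MDM and identity-provider clients are stand-ins written for this example, not a real product's API, and the device inventory is constructed; a real deployment would call its own MDM/UEM and identity provider in their place.

```python
"""Offboarding workflow for a BYOD estate (added example, stand-in clients)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Ownership(Enum):
    CORPORATE = "corporate"
    PERSONAL = "personal"   # BYOD: only the corporate container may be removed


@dataclass
class Device:
    device_id: str
    user: str
    ownership: Ownership
    last_checkin: datetime


class MockMdm:
    """Stand-in MDM/UEM client (assumption, not a real product). A wipe is
    acknowledged only if the device is reachable now; otherwise it is queued
    until the device next checks in."""

    def __init__(self, online_devices):
        self.online = set(online_devices)
        self.commands = []   # (device_id, command) issued, kept for the audit trail

    def _send(self, device_id, command):
        self.commands.append((device_id, command))
        return "acknowledged" if device_id in self.online else "queued"

    def full_wipe(self, device_id):
        return self._send(device_id, "full_wipe")

    def selective_wipe(self, device_id):
        return self._send(device_id, "selective_wipe")


class MockIdentity:
    """Stand-in identity provider client (assumption)."""

    def __init__(self):
        self.log = []   # (action, user), in the order performed

    def disable_user(self, user):
        self.log.append(("disable", user))

    def revoke_sessions(self, user):
        self.log.append(("revoke_sessions", user))

    def revoke_tokens(self, user):
        self.log.append(("revoke_tokens", user))


def offboard(user, inventory, mdm, idp, now=None, stale_after=timedelta(days=7)):
    """Offboard `user`; return a report of what was done and what is outstanding."""
    now = now or datetime.now(timezone.utc)
    report = {"identity": [], "devices": {}, "outstanding": []}

    # 1. Cut server-side access first. This is what protects the data if a
    #    device never comes online to receive its wipe command.
    idp.disable_user(user)
    idp.revoke_sessions(user)
    idp.revoke_tokens(user)
    report["identity"] = [action for action, who in idp.log if who == user]

    # 2. Wipe each of the leaver's devices, scoped to ownership.
    for dev in inventory:
        if dev.user != user:
            continue
        if dev.ownership is Ownership.CORPORATE:
            action, status = "full_wipe", mdm.full_wipe(dev.device_id)
        else:
            # Personal device: remove only the corporate container, never the
            # owner's own data.
            action, status = "selective_wipe", mdm.selective_wipe(dev.device_id)
        stale = (now - dev.last_checkin) > stale_after
        report["devices"][dev.device_id] = {"action": action, "status": status, "stale": stale}
        # 3. Anything not confirmed stays on a follow-up list for IT/HR to chase.
        if status != "acknowledged":
            report["outstanding"].append(dev.device_id)
    return report


# Constructed sample inventory for the example: one leaver with a personal
# phone that is online and a corporate laptop that has not checked in for weeks.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
INVENTORY = [
    Device("byod-phone-01", "a.jones", Ownership.PERSONAL, NOW - timedelta(hours=2)),
    Device("corp-laptop-07", "a.jones", Ownership.CORPORATE, NOW - timedelta(days=30)),
    Device("byod-tablet-02", "b.smith", Ownership.PERSONAL, NOW - timedelta(days=1)),
]


def demo():
    mdm = MockMdm(online_devices={"byod-phone-01", "byod-tablet-02"})
    idp = MockIdentity()
    return offboard("a.jones", INVENTORY, mdm, idp, now=NOW), mdm, idp


if __name__ == "__main__":
    report, _, _ = demo()
    print(report)
```

The two decisions worth copying from this sketch are the ordering and the scoping: identity revocation runs before any device command so that a stale or powered-off device holds data that can no longer be used to log in, and a personal device is only ever sent a selective wipe, which is the policy promise the article says must be made to the employee up front.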
The moral of the story? Make sure your BYOD company policy accounts for what happens to your data when an employee leaves.