
WHITE PAPER

Practical Steps Toward Ensuring Compliance in a BYOD World

An Osterman Research White Paper
Published November 2012
Sponsored by MobileGuard

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman


EXECUTIVE SUMMARY
One of the most important trends to impact organizations of all sizes, but particularly mid-sized and large organizations, is for employees to use their own smartphones and tablets to access corporate applications. The Bring Your Own Device (BYOD) trend started several years ago, normally on a case-by-case basis for senior executives who had personal devices that they wanted supported by IT. Today, BYOD has become widespread and is now a critical issue for IT departments in organizations of all sizes, not only because of the number and diversity of devices they must support, but also because of the risks that BYOD creates:

- The difficulty of satisfying the growing number of regulatory and legal obligations imposed on organizations, regardless of industry.
- Managing the mix of corporate and personal data contained on personally owned devices.
- Addressing the greater risk imposed by BYOD, such as compliance violations and data breaches when devices are lost, policy violations when outbound content is not filtered, and the greater likelihood of malware entering the corporate network.

As a result, organizations must mitigate the risk associated with the growing trend toward BYOD by implementing appropriate policies and deploying technologies that will address the specific problems created by BYOD.

ABOUT THIS WHITE PAPER

This white paper was sponsored by MobileGuard; information about the company is provided at the end of this document.

BYOD CREATES MANAGEMENT CHALLENGES


The accelerating trend toward BYOD is exactly what its name implies: the growing trend for employees to use personally owned smartphones, tablets, laptops and other platforms to access corporate applications like email, databases, various applications, public cloud-based applications and other tools, and to create, store and manage corporate data using these devices. For example, Osterman Research has found that business email and Web browsing are the most common business tasks for which mobile devices are used (by 99% and 93% of users, respectively), but personal social media, corporate social media, SMS/text messaging, instant messaging chat and storage of business-related documents are also common. In particular, real-time messaging, such as instant messaging, is widely used by financial and energy traders.

Osterman Research has found that BYOD is pervasive across organizations of all sizes, but particularly in smaller organizations, as shown in the following table.

Penetration of Personally Owned Devices

Device        Small Orgs (Up to 99 employees)   Mid-Size Orgs (100-999 employees)   Large Orgs (1,000+ employees)
Smartphones   40%                               32%                                 27%
Tablets       28%                               18%                                 16%

We found that personally owned smartphones are used in 40% of small organizations, in 32% of mid-sized organizations, and in 27% of large enterprises.

© 2012 Osterman Research, Inc.


The widespread nature of BYOD is also borne out by other research organizations. For example:

- An Aberdeen Group study found that 75% of companies permit BYOD [i].
- A Research and Markets study found that 65% of enterprises worldwide will adopt BYOD to some extent by the end of 2012 [ii].
- Some companies are migrating to a completely BYOD approach, such as Cisco, where 100% of all mobile devices are provided by employees and not the company itself [iii].
- Equanet reports that 71% of tablets used in a business setting are employee-owned [iv].

CRITICAL PROBLEMS WITH BYOD

There are a number of problems associated with the unmanaged use of personally owned devices in a corporate context:

Regulatory requirements can be violated
A key issue is that firms registered with FINRA and the SEC are required to archive and monitor communications sent via smartphone. For example, FINRA Regulatory Notice 07-59 [v] states that a firm should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies. In the United Kingdom, the Financial Services Authority (FSA) issued Policy Statement 08/1, which requires recording of both voice and electronic communications in the context of public and enterprise instant messaging solutions.

A mix of corporate and personal data
BYOD adds significant complication to corporate data management because personally owned devices contain a mixture of corporate data, such as email and application data, and personal data like photos and Facebook posts. This situation creates a number of challenges for IT departments, focused on the legality of searching through personal content for corporate information, employee privacy rights, and the sheer logistics of managing data on mobile devices.

An increased likelihood of data breaches
BYOD can increase the likelihood that sensitive or confidential corporate information will be breached. Researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device, and a total of more than 11,000 pieces of information collectively from all of the devices [vi].

An inability to remotely wipe devices
Most personally owned devices cannot be remotely wiped if they are lost, leading to a much greater likelihood of data breaches and loss of intellectual property. In organizations with at least 100 employees, we found that 69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personally owned smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.

Lack of outbound content filtering
The use of personally owned devices will normally bypass outbound content filtering systems, resulting in potentially more violations of corporate and regulatory policies focused on encrypting sensitive content or preventing disclosure of confidential information.

Malware incursion
Personally owned devices used to create, access and store corporate data will typically bypass inbound content filtering systems that have been deployed by IT. One result of this is a potentially greater likelihood of malware intrusion. Osterman Research found that 44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware; the figures for personally owned smartphones and tablets are dramatically lower, at 10% and 9%, respectively.

IT DEPARTMENTS DO NOT HAVE THE CONTROL THEY HAVE WITH TRADITIONAL SYSTEMS

There are a growing number of challenges that IT departments face when attempting to manage personally owned mobile devices, not least of which is the fact that IT typically can exercise less control over how these devices are used. Here are a number of issues:

Archiving is much more difficult
Data on personally owned devices is more difficult to archive because some of it is stored on the mobile devices themselves, not necessarily on the backend servers that are operated by IT.

Monitoring content is more difficult
Monitoring content sent from and received by mobile devices is much more difficult than it is from a conventional desktop infrastructure. Because various types of communications must be closely monitored in financial services, energy, healthcare and other industries, users on mobile devices represent a significant liability simply because their content cannot be easily monitored. This means that legal and regulatory violations are easier to commit, which can lead to adverse legal judgments and regulatory sanctions.

Users are more autonomous
Mobile users tend to be more independent from IT's control because they are outside of the office, so IT cannot control how devices are used. Users will often connect to carrier-provided networks to access the Web or email, they will connect to local Wi-Fi hotspots in coffee shops and hotels, and so forth. The result is that IT does not control its users' mobile Web or email experience to nearly the same degree as when users are in an office environment.

Compliance is more difficult
According to an Osterman Research survey, nearly two in five organizations find managing policies for e-discovery or regulatory compliance to be difficult or very difficult, while 35% find managing other types of policies to be this difficult. Managing mobile policies for issues like e-discovery and regulatory compliance is slightly more difficult than managing other types of policies. Larger organizations, in particular, have a more difficult time with compliance and e-discovery policies: the survey found that nearly one-half of respondents indicated that managing such policies was either difficult or very difficult.

The environment is more diverse
The normal desktop infrastructure consists of mostly Windows machines and possibly some Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows phones, BlackBerry devices, and other platforms. Further complicating the management of this environment is that there are multiple versions of the operating systems in use, each of which can provide users with slightly different capabilities.

CONTENT MUST BE MANAGED PROPERLY

Personally owned smartphones and tablets contain a significant proportion of corporate data. Osterman Research has found that more than five percent of corporate data is stored just on users' smartphones; we expect this figure to soar during the next 24 months as iPads and other tablets are employed in much larger numbers. Employee-owned and controlled devices make access to this data by corporate IT or compliance departments much more difficult, such as during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised when companies access their employees' personal property.

It is vital that IT be able to manage content properly. This includes not only traditional forms of communication like email, but also text messages, instant messages, social media and even voice communications. From a practical standpoint, IT's insight into what data is available on personally owned mobile devices becomes more difficult when the devices, and the corporate proprietary information on them, are under the sole control of employees. This is particularly problematic for legal counsel and others that must assess the information that the organization has available to it during e-Discovery, early case assessments, legal holds and similar litigation-related activities. Moreover, the likelihood of spoliation of content stored on personally owned devices is much greater simply because it is not controlled by the IT or compliance department. Add to this the problem of corporate e-Discovery revealing employees' personal information, as well as the opposite problem of corporate data being revealed when employees are involved in personal litigation.

With regard to legal holds (i.e., when data that might be required in a legal action must be held back from the normal deletion cycle or from users' arbitrary deletion), it is imperative that an organization immediately be able to retain all relevant data, such as emails, SMS/text messages and instant messaging chats sent from senior managers to specific individuals or clients. Placing a hold on data stored on personally owned devices may be more difficult than it is for traditional systems, and much more difficult when the data is located on devices that are under the control and ownership of individual employees.

THE ULTIMATE GOAL SHOULD BE TO MITIGATE RISK

The bottom line is that organizations must mitigate the risks associated with BYOD to the greatest extent possible. This means that organizations must do three basic things:

- Increase the level of control they exercise over personally owned devices and modes of communication when used for organizational purposes. This control must be focused on protecting the organization from regulatory, legal and other problems that can arise when personally owned tools are used outside of the direct control of IT.
- Archive all relevant communications and other content on personally owned devices in the same way that content is archived on employer-supplied devices.
- Monitor communications and content to ensure that corporate policies are followed, regardless of the platform that an employee uses to do their work.

Moreover, there needs to be consistency between the policies applied to employees' desktop experience and those on their mobile devices; in other words, corporate policy management should not differ based solely on the device that an employee chooses to use.

WHAT SHOULD ORGANIZATIONS DO?


DON'T TRY TO STIFLE BYOD
Many decision makers, when faced with the growing number and severity of problems associated with BYOD, may decide that the practice should be stopped through corporate edict. For example, implementing draconian controls that will all but eliminate, or at least attempt to eliminate, the use of personally owned devices and employee-managed applications for work-related purposes may be viewed as one solution to the BYOD problem. While some decision makers may adopt this approach to protect corporate data assets or reduce the potential for malware infiltration, there are three reasons to opt for more open, rather than more restrictive, BYOD-related attitudes:

Draconian controls will probably not be successful
When faced with a corporate edict to eliminate the use of personal devices or applications, many employees will continue to use them under the radar, particularly the growing proportion of employees who work from home at least one day per week. For organizations that opt to lean toward eliminating consumer-grade options, an easy-to-use, secure and IT-sanctioned alternative must be provided.

Employee productivity will suffer
It is also important to understand that the vast majority of employees do not use their own devices or applications simply for the fun of it; they are doing so to be more productive, to bypass IT restrictions (e.g., email file-size limits) that prevent them from being effective in their work, or because they have found a way to be more efficient at no charge to their employer. An edict that prevents employees from using these tools will likely be counterproductive to the interests of both management and employees.

Improved competitive advantage
As a corollary to the point above, the use of personally owned mobile devices can significantly improve an organization's competitive edge by making employees more responsive and more available to customers, co-workers, business partners and others. This can provide a significant advantage in some cases compared to the status quo of waiting to come into the office the next morning to respond to customer inquiries.

UNDERSTAND THE REQUIREMENTS

There are a number of obligations that firms in the financial services and other heavily regulated industries must satisfy with regard to text message monitoring and the retention and protection of content, including:

- SEC Rule 17a-3: requires production of records.
- SEC Rule 17a-4: requires retention of records.
- FINRA Rules 3010, 3113: require supervision and retention of records.
- Investment Advisers Act Rule 204(2): requires maintenance of records.
- FINRA Regulatory Notice 11-39: provides guidance for use of personally owned devices that contain corporate information.
- FINRA Regulatory Notice 10-06: provides guidance for use of Web 2.0.
- FINRA Regulatory Notice 10-59: requires encryption of content on portable media devices.
- FINRA Regulatory Notice 07-59: provides guidance for review and supervision of electronic communications.
- The Health Insurance Portability and Accountability Act (HIPAA): requires Protected Health Information (PHI) to be sent securely to prevent its access by unauthorized parties.
- Sarbanes-Oxley, which applies to most publicly owned corporations, imposes a variety of requirements for retention of content, such as communications between senior executives, auditors and others involved in managing financial and other corporate records.
- FERC Order 717: requires retention of various types of communication, including instant messaging, for five years.
- FERC Part 125: imposes retention periods for records maintained by public utilities and others.

In addition to these, there are a variety of other requirements that focus on the monitoring, retention and/or production of data, including the Gramm-Leach-Bliley Act, various data breach laws in 46 of the 50 US states, and the Federal Rules of Civil Procedure. Moreover, individual states have their own procedures for managing civil litigation, many of which have been updated to reflect the growing quantity of electronic information that organizations manage.

IMPLEMENT POLICIES

It is critically important that organizations faced with the BYOD problem implement policies that are focused on acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization's overall acceptable use policies that are focused on use of corporate computing resources. A key element of these policies as they apply to mobile devices should be that:

- All communication on the mobile device, such as SMS/text messaging, should be monitored and archived as per guidance issued by FINRA in Regulatory Notice 07-59 [1].
- All devices in use can be remotely wiped by the IT department in the event of their loss.
- All devices that contain corporate content should be encrypted to prevent the loss of sensitive data or intellectual property.
- Corporate policies focused on employee-managed applications should include requirements for the encryption of data if it is stored in a third party's cloud data center.

IMPLEMENT THE RIGHT TECHNOLOGIES


Although enabling BYOD and implementing appropriate policies are important, it is essential that organizations also deploy the appropriate technologies that will enable IT departments to monitor the use of mobile devices when used for work-related purposes and to archive the content stored on them. Any technology employed for text message monitoring, archiving or otherwise managing the use of mobile devices should satisfy a number of criteria:

- It should enable the use of personally owned mobile devices with as little interruption to the normal operation of these devices as possible.
- Solutions must be designed for the platforms that users employ most often, namely Android, BlackBerry and iPhone devices.
- It should enable IT departments to archive and monitor all relevant content for purposes of regulatory compliance, legal obligations and other purposes. This should include email, text messages, instant messages and other content. It is important to note that the iPhone is somewhat more difficult to monitor because of Apple's primary focus on the consumer.
- It should enable the easy search and retrieval of content on mobile devices.
- Organizations should consider using a mobile device management system in order to manage applications and wipe or lock devices that are lost or stolen.
- It should enable the information on the mobile devices to be encrypted.
- It should not impose a significant cost for IT and should impose only minimal management requirements on IT.

[1] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf

SUMMARY
The BYOD phenomenon is here to stay: employees are increasingly opting to use the latest and greatest smartphones and tablets and they are willing to pay for these devices themselves. While this can provide some immediate benefit to IT departments that do not have to pay for these devices, there are serious consequences that can result, including violation of regulatory and legal obligations to monitor communications, archive corporate content, encrypt content, and otherwise manage how corporate data is sent, received and stored. To mitigate these risks, every organization should implement the appropriate policies and technologies that can satisfy their regulatory and legal obligations, and at the same time enable the use of personally owned devices for work-related purposes.

ABOUT MOBILEGUARD
MobileGuard is the leading provider of mobile communication monitoring and archiving solutions, which ensure compliance with the rules and mobile regulations of all relevant regulatory bodies. MobileGuard's Mobile Compliance solutions provide SMS monitoring, capturing, logging, archiving, management, supervision and alerting of all communication on company mobile devices. The MobileGuard solutions are:

MessageGuard - Provides a complete solution for the capture, monitoring, and archiving of SMS, MMS, IM, BlackBerry Messenger and BlackBerry PIN-to-PIN messages sent from mobile devices. All text messages are identified, collected, and archived in a format that is easily accessible, allowing companies to establish meaningful internal compliance policies regarding mobile devices and to meet compliance mandates from all relevant regulatory agencies. MessageGuard presently supports Android, BlackBerry and Windows Mobile operating systems and is available as a hosted or on-premises solution.

VoiceGuard - Enables companies to record and archive call conversations and voice mails from mobile devices, providing a compliance and risk management solution for your mobile workforce. The recording of mobile voice calls is a mandatory FSA regulation, and compliance is a logical next step in the regulatory process. Utilizing the VoiceGuard solution as a core business practice demonstrates good governance, particularly in areas where client transactions are conducted by phone. With VoiceGuard, all calls can be quickly retrieved and replayed to protect your business operations from potential false claims, interpretations, or misrepresentation.

SafeChat - Provides enterprises with a secure chat application for employees' iPhones and other mobile devices so company instant messaging may be monitored and archived. The SafeChat solution lowers the risk of compromised data, as well as helping companies meet regulatory requirements. SafeChat securely captures images, spreadsheets, PDFs and other files so sensitive information remains proprietary.

DeviceGuard - Presents companies with the ability to manage employees' mobile devices through a secure administrative console. Setting corporate policy, preventing security breaches, policy controls, user provisioning and remote wipe/lock are some of the functionalities for securing the mobile workforce. The DeviceGuard management solution gives employers control over devices so that loss of data and/or malicious applications cannot infiltrate your enterprise network. DeviceGuard will be released in 2Q2013.

All of the captured text, chat and voice information is available for review on MobileGuard's Administrative console, which has robust monitoring, archiving and search capabilities. Enterprises can set automatic flagging of messages for compliance and supervisory review based upon message content, recipients, and/or senders. Our advanced search capabilities allow for quick and efficient retrieval of messages. With the administration console, managers of enterprise IT departments have an immediate web-based interface for the end users of mobile devices, which provides a single point of reporting for each mobile device. This console can provide real-time SMS/MMS messages, call logs, policy alerts, device/employee information and device location for each device. In addition, MobileGuard supports ad hoc reporting delivered on demand for audit and e-discovery. All of MobileGuard's solutions are easily integrated with a company's email archiving service so that all collected information is available in one central location.

For more information, contact MobileGuard at:
MobileGuard
1375 Broadway, Suite 600
New York, NY 10018
Phone: 646-536-5559
Email: Info@MobileGuard.com
Website: www.MobileGuard.com



© 2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
Notes

[i] http://www.xigo.com/byod/
[ii] http://www.researchandmarkets.com/research/pwsr9h/bring_your_own_dev
[iii] http://www.zdnet.com/blog/sybase/cisco-the-biggest-mobile-byod-deploymentaround-slides/2671
[iv] http://www.equanet.co.uk/cms/apple/ipad-in-business/bring-your-own-device.html
[v] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf
[vi] Electronic Retention: What Does Your Mobile Phone Reveal About You? http://EzineArticles.com/7068075
