Osterman Research, Inc.
P.O. Box 1058, Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839 | Fax: +1 253 458 0934
info@ostermanresearch.com | www.ostermanresearch.com | twitter.com/mosterman
EXECUTIVE SUMMARY
One of the most important trends to impact organizations of all sizes, but particularly mid-sized and large organizations, is for employees to use their own smartphones and tablets to access corporate applications. The Bring Your Own Device (BYOD) trend started several years ago, normally on a case-by-case basis for senior executives who had personal devices that they wanted supported by IT. Today, BYOD has become widespread and is now a critical issue for IT departments in organizations of all sizes, not only because of the number and diversity of devices they must support, but also because of the risks that BYOD creates:
- The difficulty of satisfying the growing number of regulatory and legal obligations imposed on organizations regardless of the industry.
- Managing the mix of corporate and personal data contained on personally owned devices.
- Addressing the greater risk imposed by BYOD, such as compliance violations and data breaches when devices are lost, policy violations when outbound content is not filtered, and the greater likelihood of malware entering the corporate network.
As a result, organizations must mitigate the risk associated with the growing trend toward BYOD by implementing appropriate policies and deploying technologies that will address the specific problems created by BYOD.
This white paper was sponsored by MobileGuard; information about the company is provided at the end of this document.
We found that personally owned smartphones are used in 40% of small organizations, in 32% of mid-sized organizations, and in 27% of large enterprises.
The widespread nature of BYOD is also borne out by other research organizations. For example:
- An Aberdeen Group study found that 75% of companies permit BYOD [i].
- A Research and Markets study found that 65% of enterprises worldwide will adopt BYOD to some extent by the end of 2012 [ii].
- Some companies are migrating to a completely BYOD approach, such as Cisco, where 100% of all mobile devices are provided by employees and not the company itself [iii].
- Equanet reports that 71% of tablets used in a business setting are employee-owned [iv].
There are a number of problems associated with the unmanaged use of personally owned devices in a corporate context:

Regulatory requirements can be violated
A key issue is that firms registered with FINRA and the SEC are required to archive and monitor communications via smartphone. For example, FINRA Regulatory Notice 07-59 [v] states that a firm "should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies." In the United Kingdom, the Financial Services Authority (FSA) issued Policy Statement 08/1, which requires recording of both voice and electronic communications in the context of public and enterprise instant messaging solutions.

A mix of corporate and personal data
BYOD adds significant complication to corporate data management because personally owned devices contain a mixture of corporate data, such as email and application data, and personal data like photos and Facebook posts. This situation creates a number of challenges for IT departments, focused on the legality of searching through personal content for corporate information, employee privacy rights, and the sheer logistics of managing data on mobile devices.

An increased likelihood of data breaches
BYOD can increase the likelihood that sensitive or confidential corporate information will be breached. Researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device and a total of more than 11,000 pieces of information collectively from all of the devices [vi].
An inability to remotely wipe devices
Most personally owned devices cannot be remotely wiped if they are lost, leading to a much greater likelihood of data breaches and loss of intellectual property. In organizations with at least 100 employees, we found that 69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personally owned smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.

Lack of outbound content filtering
The use of personally owned devices will normally bypass outbound content filtering systems, resulting in potentially more violations of corporate and regulatory policies focused on encrypting sensitive content or preventing disclosure of confidential information.

Malware incursion
Personally owned devices used to create, access and store corporate data will typically bypass inbound content filtering systems that have been deployed by IT. One result of this is a potentially greater likelihood of malware intrusion. Osterman Research found that 44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware; the figures for personally owned smartphones and tablets are dramatically lower, at 10% and 9%, respectively.
IT DEPARTMENTS DO NOT HAVE THE CONTROL THEY HAVE WITH TRADITIONAL SYSTEMS
There are a growing number of challenges that IT departments face when attempting to manage personally owned mobile devices, not least of which is the fact that IT typically can exercise less control over how these devices are used. Here are a number of issues:

Archiving is much more difficult
Data on personally owned devices is more difficult to archive because some of it is stored on the mobile devices themselves, not necessarily on the backend servers that are operated by IT.

Monitoring content is more difficult
Monitoring content sent from and received by mobile devices is much more difficult than it is from a conventional desktop infrastructure. Because various types of communications must be closely monitored in financial services, energy, healthcare and other industries, users on mobile devices represent a significant liability simply because their content cannot be easily monitored. This means that legal and regulatory violations are easier to commit, which can lead to adverse legal judgments and regulatory sanctions.

Users are more autonomous
Mobile users tend to be more independent from IT's control because they are outside of the office, and so IT cannot control how devices are used. Users will often connect to carrier-provided networks to access the Web or email, they will connect to local Wi-Fi hotspots in coffee shops and hotels, and so forth. The result is that IT does not control its users' mobile Web or email experience to nearly the same degree as when users are in an office environment.

Compliance is more difficult
According to an Osterman Research survey, nearly two in five organizations find managing policies for e-discovery or regulatory compliance to be difficult or very difficult, while 35% find managing other types of policies to be this difficult. Managing mobile policies for issues like e-discovery and regulatory compliance is slightly more difficult than managing other types of policies. Larger organizations, in particular, have a more difficult time with compliance and e-discovery policies: the survey found that nearly one-half of respondents indicated that managing such policies was either difficult or very difficult.

The environment is more diverse
The normal desktop infrastructure consists of mostly Windows machines and possibly some Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows phones, BlackBerry devices, and other platforms. Further complicating the management of this environment is that there are multiple versions of the operating systems in use, each of which can provide users with slightly different capabilities.
Personally owned smartphones and tablets contain a significant proportion of corporate data. Osterman Research has found that more than five percent of corporate data is stored just on users' smartphones; we expect this figure to soar during the next 24 months as iPads and other tablets are employed in much larger numbers. Employee-owned and controlled devices make access to this data by corporate IT or compliance departments much more difficult, such as during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees' personal property.

It is vital that IT be able to manage content properly. This includes not only traditional forms of communication like email, but also text messages, instant messages, social media and even voice communications.

From a practical standpoint, IT's insight into what data is available on personally owned mobile devices becomes more difficult when the devices and the corporate proprietary information on them are under the sole control of the employees. This is particularly problematic for legal counsel and others who must assess the information that the organization has available to it during e-Discovery, early case assessments, legal holds and similar types of litigation-related activities. Moreover, the likelihood of spoliation of content stored on personally owned devices is much greater simply because it is not controlled by the IT or compliance department. Add to this the problem of corporate e-Discovery revealing employees' personal information, as well as the opposite problem of corporate data being revealed when employees are involved in personal litigation.
With regard to legal holds (i.e., when data that might be required in a legal action must be held back from the normal deletion cycle or from users' arbitrary deletion), it is imperative that an organization immediately be able to retain all relevant data, such as emails, SMS/text messages and instant messaging chats sent from senior managers to specific individuals or clients. Placing a hold on data stored on personally owned devices may be more difficult than it is for traditional systems, and much more difficult when the data is located on devices that are under the control and ownership of individual employees.
The bottom line is that organizations must mitigate the risks associated with BYOD to the greatest extent possible. This means that organizations must do three basic things:
- Increase the level of control they exercise over personally owned devices and modes of communication when used for organizational purposes. This control must be focused on protecting the organization from regulatory, legal and other problems that can arise when personally owned tools are used outside of the direct control of IT.
- Archive all relevant communications and other content on personally owned devices in the same way that content is archived on employer-supplied devices.
- Monitor communications and content to ensure that corporate policies are followed, regardless of the platform that an employee uses to do their work.
Moreover, there needs to be consistency between the policies applied to employees' desktop experience and those on their mobile devices; in other words, corporate policy management should not differ based solely on the device that an employee chooses to use.
There are a number of obligations that firms in the financial services and other heavily regulated industries must satisfy with regard to text message monitoring and retention and protection of content, including:
- SEC Rule 17a-3: requires production of records.
- SEC Rule 17a-4: requires retention of records.
- FINRA Rules 3010, 3113: require supervision and retention of records.
- Investment Advisers Act Rule 204(2): requires maintenance of records.
- FINRA Regulatory Notice 11-39: provides guidance for use of personally owned devices that contain corporate information.
- FINRA Regulatory Notice 10-06: provides guidance for use of Web 2.0.
- FINRA Regulatory Notice 10-59: requires encryption of content on portable media devices.
- FINRA Regulatory Notice 07-59: provides guidance for review and supervision of electronic communications.
- The Health Insurance Portability and Accountability Act (HIPAA): requires Protected Health Information (PHI) to be sent securely to prevent its access by unauthorized parties.
- Sarbanes-Oxley, which applies to most publicly owned corporations: imposes a variety of requirements for retention of content, such as communications between senior executives, auditors and others involved in managing financial and other corporate records.
- FERC Order 717: requires retention of various types of communication, including instant messaging, for five years.
- FERC Part 125: imposes retention periods for records maintained by public utilities and others.
In addition to these, there are a variety of other requirements that focus on the monitoring, retention and/or production of data, including the Gramm-Leach-Bliley Act, various data breach laws in 46 of the 50 US states, and the Federal Rules of Civil Procedure. Moreover, individual states have their own procedures for managing civil litigation, many of which have been updated to reflect the growing quantity of electronic information that organizations manage.
IMPLEMENT POLICIES
It is critically important that organizations faced with the BYOD problem implement policies that are focused on acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization's overall acceptable use policies that are focused on use of corporate computing resources. Key elements of these policies as they apply to mobile devices should be that:
- All communication on the mobile device, such as SMS/text messaging, should be monitored and archived as per guidance issued by FINRA in Regulatory Notice 07-59 [1].
- All devices in use can be remotely wiped by the IT department in the event of their loss.
- All devices that contain corporate content should be encrypted to prevent the loss of sensitive data or intellectual property.
- Corporate policies focused on employee-managed applications should include requirements for the encryption of data if stored in a third party's cloud data center.
Although enabling BYOD and implementing appropriate policies are important, it is essential that organizations also deploy the appropriate technologies that will enable IT departments to monitor the use of mobile devices when used for work-related purposes and to archive the content stored on them. Any technology employed for text message monitoring, archiving or otherwise managing the use of mobile devices should satisfy a number of criteria:
- It should enable the use of personally owned mobile devices with as little interruption to the normal operation of these devices as possible. Solutions must be designed for the platforms that users employ most often, namely Android, BlackBerry and iPhone devices.
- It should enable IT departments to archive and monitor all relevant content for purposes of regulatory compliance, legal obligations and other purposes. This should include email, text messages, instant messages and other content. It is important to note that the iPhone is somewhat more difficult to monitor because of Apple's primary focus on the consumer.
- It should enable the search and retrieval of content on mobile devices easily.
- Organizations should consider using a mobile device management system in order to manage applications and wipe or lock devices that are lost or stolen.
- It should enable the information on the mobile devices to be encrypted.
- It should not impose a significant cost for IT and should place only minimal demands on IT management.

[1] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf
SUMMARY
The BYOD phenomenon is here to stay: employees are increasingly opting to use the latest and greatest smartphones and tablets and they are willing to pay for these devices themselves. While this can provide some immediate benefit to IT departments that do not have to pay for these devices, there are serious consequences that can result, including violation of regulatory and legal obligations to monitor communications, archive corporate content, encrypt content, and otherwise manage how corporate data is sent, received and stored. To mitigate these risks, every organization should implement the appropriate policies and technologies that can satisfy their regulatory and legal obligations, and at the same time enable the use of personally owned devices for work-related purposes.
ABOUT MOBILEGUARD
MobileGuard is the leading provider of mobile communication monitoring and archiving solutions, which ensure compliance with the rules and mobile regulations of all relevant regulatory bodies. MobileGuard's Mobile Compliance solutions provide SMS monitoring, capturing, logging, archiving, management, supervision and alerting of all communication on company mobile devices. The MobileGuard solutions are:

MessageGuard - Provides a complete solution for the capture, monitoring, and archiving of SMS, MMS, IM, BlackBerry Messenger and BlackBerry PIN-to-PIN messages sent from mobile devices. All text messages are identified, collected, and archived in a format that is easily accessible, allowing companies to establish meaningful internal compliance policies regarding mobile devices and to meet compliance mandates from all relevant regulatory agencies. MessageGuard presently supports Android, BlackBerry and Windows Mobile operating systems and is available as a hosted or on-premises solution.

VoiceGuard - Enables companies to record and archive call conversations and voice mails from mobile devices, providing a compliance and risk management solution for your mobile workforce. The recording of mobile voice calls is a mandatory FSA regulation and compliance is a logical next step in the regulatory process. Utilizing the VoiceGuard solution as a core business practice demonstrates good governance, particularly in areas where client transactions are conducted by phone. With VoiceGuard, all calls can be quickly retrieved and replayed to protect your business operations from potential false claims, interpretations, or misrepresentation.

SafeChat - Provides enterprises with a secure chat application for employees' iPhones and other mobile devices so company instant messaging may be monitored and archived. The SafeChat solution lowers the risk of compromised data, as well as helping companies meet regulatory requirements. SafeChat securely captures images, spreadsheets, PDFs and other files so sensitive information remains proprietary.

DeviceGuard - Presents companies with the ability to manage employees' mobile devices through a secure administrative console. Setting corporate policy, preventing security breaches, policy controls, user provisioning and remote wipe/lock are some of the functionalities for securing the mobile workforce. The DeviceGuard management solution gives employers control over devices so that loss of data and/or malicious applications cannot infiltrate your enterprise network. DeviceGuard will be released in 2Q2013.

All of the captured text, chat and voice information is available for review on MobileGuard's Administrative console, which has robust monitoring, archiving and search capabilities. Enterprises can set automatic flagging of messages for compliance and supervisory review based upon message content, recipients, and/or senders. Our advanced search capabilities allow for quick and efficient retrieval of messages. With the administration console, managers of enterprise IT departments have an immediate web-based interface for the end users of mobile devices, which provides a single point of reporting for each mobile device. This console can provide real-time SMS/MMS messages, call logs, policy alerts, device/employee information and device location for each device. In addition, MobileGuard supports ad hoc reporting delivered on demand for audit and e-discovery. All of MobileGuard's solutions are easily integrated with a company's email archiving service so that all collected information is available in one central location.

For more information, contact MobileGuard at:
MobileGuard
1375 Broadway, Suite 600
New York, NY 10018
Phone: 646-536-5559
Email: Info@MobileGuard.com
Website: www.MobileGuard.com
[i] http://www.xigo.com/byod/
[ii] http://www.researchandmarkets.com/research/pwsr9h/bring_your_own_dev
[iii] http://www.zdnet.com/blog/sybase/cisco-the-biggest-mobile-byod-deploymentaround-slides/2671
[iv] http://www.equanet.co.uk/cms/apple/ipad-in-business/bring-your-own-device.html
[v] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf
[vi] Electronic Retention: What Does Your Mobile Phone Reveal About You? http://EzineArticles.com/7068075