Bring-your-own technology: the legal perspective

By Dawinderpal Sahota

21 Dec 2010

Businesses are increasingly encouraging employees to bring their own devices in for use in the workplace, but these ‘bring-your-own technology’ schemes throw up a number of legal issues, as Graham Hann, technology partner at IT law firm Taylor Wessing, told Computing.

A major stumbling block for bring-your-own technology is security: inadequate measures can lead to a data breach, which of course has legal implications.

By using personal devices for business purposes, employees are mixing their personal emails, address books, photos and other personal data on their personal device with business information. The fact that staff tend to have fewer security controls over their personal data than their business data enhances the risk (where they are mixed) of company data getting into the wrong hands.

Hann believes that in order to counteract this, firms that launch bring-your-own technology schemes should rely more heavily on cloud-based technologies.

"A lot of these schemes will really take off when you've got more of a cloud model. The sensitive data will be carefully managed in this environment, and these devices will communicate securely with the internal servers. If it can work like that, it's actually a real advantage because you can really enhance security as well as drive down cost," said Hann.

Systems integrator Dimension Data added that, in terms of cloud-based applications, the businesses that it works with generally limit themselves to centralised web apps rather than more complex applications that run on their existing desktops, and are then delivered to consumerised devices.

"For the more complex apps, they will have to be delivered through Virtual Desktop Infrastructure (VDI) consoles," explained Kamal Patel, practice manager for professional services and management at Dimension Data.

"Tablets and other small profile devices don't have the capacity to run them from a power or technology perspective. They generally run on Windows, but the form factors taking market share at the moment are the iPad and Android devices."

However, while iPads are becoming more popular in the workplace, they are risky devices to use, according to both Hann and Patel. Hann warned that chief information officers (CIOs) giving their workforce money towards an Apple iPad should consider security concerns carefully, as the devices are inherently less secure than most laptops.

"There is a risk that you would have confidential information – perhaps client-sensitive information – on there, and allowing employees to hold all that information on their devices without the benefit of properly enforced firewalls and so on is quite a risk."

Patel added that IT departments tend to gloss over the problems that Apple's insecure devices pose, by simply wiping all data after use.

"When being asked to do specific things like locking down devices, I don't think the technology on the iPad is advanced enough to allow you to do that. What we are seeing is that as long as IT has a method to wipe those devices, it puts a tick in the box."

Another major legal concern for businesses is the issue of software licensing. When employees bring their own equipment to work, they expect software that they need to use for business purposes, such as Microsoft Outlook or Word, to be provided by the employer, rather than having to buy it off the shelf in a retail store. IT lawyer Hann said that while employers can expect staff to bring in their own hardware, software ought to be provided by the business.

"Anything else would be uneconomical – it is better that software is registered to the employer as a business, rather than each individual," he said.

"If it's not owned by the employer, then that creates a software licensing challenge. Hopefully, the likes of Microsoft will cotton on to this and will adapt their models."

Hann also warned of tax compliance issues that CIOs need to consider when devising schemes to equip staff with their own devices.

"Any scheme that benefits employees will need to be considered as an employee benefit scheme. If you're giving an employee a contribution towards a piece of kit, or giving the kit itself, it's a benefit that gets taxed, so businesses need to think about that."

He also warned that it is important for CIOs to make sure they don't apply the scheme in any discriminatory way. He said that, for example, if a firm made devices available to full-time staff only, but 90 per cent of part-time staff are female, then overlooking part-time staff could be construed as providing a benefit in a way that is discriminatory towards female employees.

"That sort of approach is something employers think about with long-standing schemes such as healthcare benefits, but they might not think quite so carefully when it comes to a new IT-driven scheme," commented Hann.

 

Reader comments

The focus needs to be on data privacy

In spite of a range of security technologies being deployed, devastating thefts of sensitive data continue to occur. Enterprises worldwide are spending approximately $20 billion per year on IT security, yet very costly breaches continue to occur. In large part, this is because security efforts have mainly been focused on network security rather than data privacy. Data privacy is the process of securing critical data as it is being stored, transmitted, and used within the enterprise, whether this be on fixed or mobile devices.

Failure to implement a data privacy solution can have a disastrous effect on an organisation. For years now, the price organisations have paid when breaches become public has been catastrophic. Whether organisations want it to or not, this will have to change, especially given that data is increasingly being transmitted on smartphones and other handheld devices.

Implementing a data privacy solution can be done at multiple places within the enterprise. Choosing the point of implementation not only dictates the work that needs to be done from an integration perspective but also significantly affects the overall security model. A data privacy solution can be executed in four main ways – data encryption from the network perimeter, application-level encryption, database-level encryption or storage-level encryption (File NAS & SAN).

All of these options vary in terms of security model, yet each provides a level of protection aligned with the potential requirements of an enterprise. A data privacy solution is a comprehensive way to protect enterprises from an increasing number of attacks that are focused on extracting critical data, something which is even more crucial given the number of devices data can now be held on.

Posted by: Rob Ellis, Vice President Sales, EMEA, SafeNet, 23 Dec 2010
