Two documents crossed my desk this week – a survey and a “planning guide” – which fit nicely with two recent papers from KuppingerCole, illustrating a need and (unknowingly) confirming our conclusions.
The first is about the current buzzword acronym BYOD (for “Bring Your Own Device”) which my colleague Martin Kuppinger just released an advisory note about (“today it’s almost exclusively mobile devices - smartphones, tablets, ‘phablets,’ etc. - that are referred to with BYOD: a focus that is too narrow...”) but which appears to be with us at least for the near term. The new piece is a survey, commissioned by a group of Cisco partner firms led by Pine Cove (based in Billings, MT).
For this study, the group of Cisco partner firms used a randomized online sampling of full-time American workers. The group analyzed 1,000 responses. The survey population for Americans employed full-time who own a smartphone is roughly 53 million, according to the Bureau of Labor Statistics and the Pew Internet & American Life project. The margin of error of the study is 3 percent.
Among the interesting findings of the study:
- 62% of U.S. employees who use their own smartphone for work do so every day;
- 92% of U.S. employees who use their smartphones for work did so this week;
- Only 1 in 10 workers get some kind of work stipend for their smartphone;
- 39% of workers who use personal smartphones for work don’t password protect them;
- 52% access unsecured wifi networks;
- 69% of BYODers are expected to access work emails after hours.
The bottom line, though, is that IT departments should not still be discussing whether or not to support BYOD – the devices are going to be used either way. If IT is going to serve the enterprise and protect its resources, then IT needs to quickly develop additions to its end-point management plan that cover smart devices, and also quickly develop policies to bring these devices into the Information Stewardship practice of the organization.
And speaking of Information Stewardship, I just released a white paper called Using Information Stewardship within Government to Protect PII, an offshoot of the advisory note From Data Leakage Prevention (DLP) to Information Stewardship released last fall by my colleague Mike Small and myself. But what excited me was a guide written for The Online Trust Alliance (OTA) called the 2013 Data Protection & Breach Readiness Guide.
The OTA describes its mission as “to enhance online trust and the protection of users' security, privacy and identity, while promoting innovation and the vitality of the Internet.”
One caveat when viewing the report: the OTA still uses the term “data” where we at KuppingerCole prefer “Information”. As we’ve said, “Loss or leakage of data is not necessarily a loss of information – understanding the difference between data and information is important to ensure protection.” Data might simply be a list of passwords. As such, it’s no more useful than a dictionary. But a list of usernames AND passwords – that’s information, and that could be a problem should it be leaked into the wild. So, if you read the OTA report, remember that when they speak of data they really mean information.
I bring this up because a large part of the report deals with what the OTA calls “Data Lifecycle Management & Stewardship.” As the report notes:
“OTA advocates the need to create a data lifecycle strategy and incident response plan, evaluating data from acquisition through use, storage and destruction. A key to successful data lifecycle management is balancing regulatory requirements with business needs and consumer expectations. Success is moving from a perspective of compliance, the minimum of requirements, to one of stewardship where companies meet the expectations of consumers.”
Of course, this is exactly what Mike and I outlined as good Information Stewardship.
Further, the report bolsters some of our own conclusions when it notes that “Businesses need to continually evaluate the data through each phase [of the lifecycle] and accept four fundamental truths:
- Privacy and use policies need to be continually reviewed and updated.
- The data they collect includes some form of personally identifiable information (PII).
- If a business collects data it will experience a data loss incident at some point.
- Data stewardship is everyone’s responsibility.”
It’s now long past time for analysts and pundits to be telling you that you need an Information Stewardship policy. It’s also long past the time that you need to incorporate smart, mobile devices into your endpoint policies – and not as a separate “BYOD” policy. Your endpoint strategy should cover these devices along with desktop/laptop machines in the office, at home, and “on the road” (i.e., internet cafes).
If you’re a KuppingerCole client, ask your representative how we can help. If you aren’t – why aren’t you? And, either way, be sure to plan on being at EIC 2013, where BYOD and Information Stewardship will feature prominently.