CIO Summit: Lawyer navigates BYOD software minefield
- 25 October, 2012 12:46
Arvind Dixit, senior associate at Corrs Chambers Westgarth
Organisations implementing bring-your-own-device (BYOD) initiatives often forget to consider if their software licence agreements are broad enough to cover devices under their programs, according to a technology lawyer.
Speaking at the CIO Summit in Melbourne on Tuesday, Arvind Dixit, senior associate at Corrs Chambers Westgarth, claimed this is one of the most “common pitfalls” when implementing BYOD programs.
Some companies are also failing to determine if their employees have sufficient rights to use applications on their personal devices for commercial purposes.
“You need to review your licensing arrangements to ensure that the use of BYOD technologies is not going to breach the licensing arrangements that you have in place with third parties,” Dixit told attendees.
“Obviously the aim here is trying to avoid exceeding the scope of your existing licenses so that you don’t get hit with a large bill down the track.”
Dixit said that organisations must determine if existing agreements allow for use of the software on devices that aren’t owned by the company.
“This might impact on which applications you decide to make available as part of your BYOD program,” he said. “Economically, it might make sense to make your email applications available but not your document management or customer relationship management systems as a result of licensing restrictions.”
IT departments also need to consider the nature of the licence for the BYOD software that is running the program inside their organisations, he said.
“Is it [the software] limited to one device for user or can a single user have multiple devices?” he asked.
“The latter is preferable so I can keep my phone, laptop and iPad [connected] to the [network]. But that’s not always the base position because it makes it difficult for vendors to manage security threats.”
Risk of copyright infringement
Dixit warned that if employees don’t have the right to use software on their personal devices for work purposes, their employer could be exposed to potential copyright infringement claims by allowing staff to use software without the appropriate licences.
“The way to minimise this risk is to make sure that your [BYOD] policy doesn’t permit employees to use software that they have purchased or downloaded for personal use for the purpose of performing work for your organisation.”
Mitigating security and support risks
According to Dixit, employees will work out ways to circumvent security measures around BYOD programs regardless of whether their employer has a formal BYOD program in place.
“This inherently exposes your organisation to a risk profile without you even knowing it,” he said. “[BYOD] policies give you the tools you need to take appropriate steps if issues arise around data security and loss.”
He said BYOD policies need to outline security measures such as how security breaches will be managed and whether the organisation can remotely wipe all corporate data from a personal device, down to how many password attempts should be allowed before access is blocked.
“An employee also needs to be aware that by bringing their device and logging into the corporate network they are accepting a level of risk which they might not otherwise take on board,” he said.
He said a BYOD policy needs to clearly articulate how liability is being apportioned between the individual and the company.
“For example, who will be responsible for lost or stolen devices and who is responsible in the case of malware or virus attacks?”
Dixit also told attendees that device support is “probably one of the most problematic areas” because the expectations of the employee and employer when it comes to supporting BYOD devices are often “wildly different.”
He said organisations need to determine whether IT staff are responsible for connecting each employee’s device to the network and supporting that device if something goes wrong.
“There’s no real fixed answer to these questions under the law and it may be different from organisation to organisation,” he said.
“The important thing to keep in mind is that you have to think through these issues and cover them off in your policy so there’s no ambiguity down the track if one of these issues arises.”