Data commingling. We all hear stories about someone accidentally putting private company data onto their spouse's BYOD device. All the user did was let the other spouse plug into their laptop's USB connection to charge up, and lo and behold, they synchronized their company's data with their personal data.
Or how about a company managing a device when the item contains both corporate and personal data? If the device is owned by the user and contains both types of data, how can the company be assured that its controls won't deny access to or wipe personal data when it is trying to control business data?
Legal questions. This leads us to legal questions that have yet to be answered. Every BYOD project I've been involved with comes up with good legal inquiries that leave everyone in the room shaking their heads. If you don't have a legal team involved in your BYOD project, now's the time.
Another related legal issue is jurisdiction. Suppose your BYOD employee takes your data to a jurisdiction that doesn't have the same data protection and privacy laws as your region. Many times at a country's borders (this applies to the United States as well), your constitutional rights and normal data protection laws do not apply. Don't agree? Then you don't get to enter that country or even reenter your own country.
People don't care about BYOD security
My last major issue with BYOD devices is that many of the people who own and want those devices just don't care about the security issues. They don't care about the privacy issues, losing their identity (the bank will fix everything -- they think), and the company's data is the company's problem.
If you want to see what I mean, suggest imposing the same password policy you have for the company's normal computers on the BYOD item. Most BYOD users want four-character PINs, no complexity, or simple finger swipes. News flash: An L-shaped finger swipe can be easily guessed. A client's employee was logging on to the first picture-swipe password protection slate I saw when someone across the room, without a direct line of sight, came over and told him his exact motions. I was floored -- I've never seen it done so easily with a PIN or password.
Did that employee change the log-on method? Of course not. And he works in computer security. He didn't even change the swipe motion. Many people don't care about computer security, and BYOD is making it worse.
BYOD scares me. But tune in next week and I'll tell you my BYOD solution.
This story, "Why BYOD scares me," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.