Allowing employees to use their own personal devices for work is a stupid idea for all SEC registered firms.
I’m not here to sell you a solution. There isn’t one. This is just the opinion of someone who has worn the CCO and COO hat for years, and now works as an ethical hacker having performed over 200 security audits and penetration tests against SEC registered firms.
TLDR: Do not allow a BYOD policy at your firm.
The first thing I hear from CCOs is “But our MSP (Managed Service Provider) has set up an MDM (Mobile Device Management) solution.”
My answer is always, “No, your MSP sold you on an MDM solution that doesn’t solve your compliance obligations.”
MDM software can help with most of the issues below, but I have yet to see one that actually meets the compliance requirements of SEC-registered firms in a compliant way. For you legal nerds out there, we are looking at Advisers Act Rule 204-2 (Books and Records Rule) and 206(4)-7 (Compliance Rule) in terms of maintaining compliant communications records. 206(4)-9 will also touch on this when it hits the books in April 2023.
If your SEC-registered firm decides to allow employees to use their personal mobile devices for work purposes, you should be aware of the following risks:
1. Data theft
If you allow your personnel to use their own devices unchecked, some of the personal programs they use will likely not be held to the same security standards. If a personal account they use on that device is hacked, it may eventually lead to corporate data and sensitive information being revealed.
2. Malware
Employees use personal devices to download various types of information and files, such as PDFs, applications, and um… porn. Corporate data security is at risk if employees aren’t able to discern between work-related and personal data. Games and porn downloaded or viewed on mobile devices often come bundled with hidden viruses or malware, for example. If an employee logs into the company network from their infected device, the entire system could be jeopardized by passing the malware along to work systems.
3. Legal problems
A business’s reputation may be destroyed in the event of a security breach. If an employee-owned device results in a leak or breach of corporate data, this might result in serious consequences, such as potential litigation.
Working with legal counsel to develop sound policies is crucial for protecting your organization from costly and potentially devastating lawsuits, especially if you decide to allow a BYOD policy.
4. Lost or stolen devices
In the best case, a worker’s device gets stolen or goes missing and it is merely an inconvenience. In the worst case, you’re dealing with a catastrophic disaster. Loss or theft of an employee’s device might result in a major breach if they weren’t following corporate security standards when using it. For example, the employee may store their passwords (both personal and business) in an unsecured notes app, making it easy for someone who obtains the device to breach corporate accounts.
Even if the employee followed the policy to the letter, hacking/cracking technology has advanced so much in recent years that a strong password or fingerprint verification may not be enough to keep an attacker out of the device. Mobile device management (MDM) software might help businesses solve this issue by allowing them to remotely erase devices so hackers don’t have a chance to steal sensitive data. On the other hand, MDM software is extremely invasive to an employee’s privacy (see #8).
5. Improper mobile management
A staff member leaving an organization creates a potential security vulnerability if they still have access to company data on their personal mobile devices. To prevent an employee from continuing to access systems or apps after they leave the company, companies must be able to reset passwords and revoke access immediately. If a security breach does occur, tracking down the device responsible should also be possible. If you just fired an employee, do you think they would be willing to cooperate? Hell no.
6. Insufficient employee training
Many security breaches are caused by carelessness or human error. Most of the time, this occurs when an employee is unaware of their company’s policy on security, especially regarding devices. When you’re training employees in device security, think about the best way to communicate the information to them. If you need a training program, I highly recommend you check out a free training program called FieldCraft. It is compliant with SEC and FINRA regulations, and we offer a no-BS-attached free version to firms with fewer than 10 employees.
7. Shadow IT
Shadow IT is where company employees use technology that is not approved or managed by the company’s IT department, and it is becoming a big problem in many businesses. When employees bring in consumer-grade technologies and products without the supervision or management of their IT department or MSP, a slew of issues can result. Any software or hardware an employee introduces without your review or approval poses a potential hazard, whether it’s a USB drive with potential malware on it or an open-source program with low security standards.
8. Invasion of Privacy
If you are an SEC-registered business, you must keep track of and record all communications with clients. If you allow your employees to text message your clients, you must monitor all of their text message conversations. There is no automated method for telling whether an employee’s text message is intended for a friend or family member versus a client. As a result, you must keep track of them all. No, thanks.