Policy should help employees recognize and protect sensitive information, which often varies depending on the medium, Williams says. The violation might not even be committed by one's own employees. For example, a partner might announce a new agreement and release sensitive details on its own site. So what partners can or cannot disseminate must be spelled out in contractual agreements.
Unprotected communications could also mean broadcasting mistakes that impact the business, spawning a PR disaster or even a lawsuit. There have been cases where published mistakes have changed the value of a stock price, says Cathy Hotka, whose business, Hotka and Associates, advises large retail CIOs on social marketing and privacy issues.
In the retail sector, most corporations take a centralized approach to controlling their communications over Web 2.0 mediums, Hotka says.
“Most retailers would rather keep one unified online presence managed by the corporation, rather than letting their individual stores have their own web presence,” Hotka says. “However, retailers are now looking at employee-owned devices to outreach directly to local customers for specials and follow-up, which could become beacon points.”
No matter how good the policy or contract, employees' personal devices and the connections those devices make to web applications are outside the direct control of employers, which is why so many organizations are not even through the policy stage, let alone the education process, Miles says. However, even when a solid use policy does exist, it is only as effective as the staff's willingness to follow it, he adds.
This is especially true with the young, emerging workforce, according to the “Cisco Connected World Technology Report,” released in December, which surveyed more than 2,800 young workers and college students in 14 countries.
Of those respondents who were employed, seven of every 10 went around IT policy with troubling regularity. They either thought they weren't doing anything wrong or believed they couldn't get their job done without accessing personal resources. The majority (61 percent) also felt that their carriers or IT departments were responsible for securing data downloaded to their devices.
“This survey shows the shift in user belief surrounding their right to choose their own devices, their interconnectedness, and their more open views on privacy,” says Mary Landesman, senior security researcher for Cisco. “Unfortunately, it also shows the complex issues organizations are facing in terms of their sensitive data management.”
As in the case of RSA, organizations can shut down access to social networks. RSA later restored this access, but only for use over employees' own personal devices. For those wanting access to email and other sanctioned applications on their devices, RSA engineered a dynamic virtual desktop infrastructure (VDI) using VMware View so users could get to specified apps from their devices, but not actually transfer any data to or from their devices in the process.