Many companies use "pop-up banners" to help remind employees of the rules and policies governing their systems. These banners are also intended to add a degree of legal protection by noting that the employee has limited rights to privacy when using company computers and networks.
But what if the employee owns the computer? How does BYOD (bring your own device) affect the rights of the employer and employee?
While your employees enjoy the freedoms of BYOD -- whether company supported or not -- this new norm does not mean your network or intellectual property have to be left unprotected.
And it doesn't mean your corporate investigations come to a halt. Encouraging your employees to register their devices for free Wi-Fi and/or company email can not only help protect your data with company-supported encryption, firewalls, etc., but it can also help your investigations by pushing the once untraceable gadget into a corner. As discussed in Use your own Flame spyware for investigations, 4 cheap options to monitor networks for evidence, and How to build your own digital forensics lab - for cheap there are plenty of options to protect and capture data, even on iPhones, tablets and personal computers.
No, the hard part of the equation is creating a policy to legally view this data.
[Also read Should security be responsible for BYOD policy?]
Today's "banner" can't be a simple pop-up that the end-user acknowledges each time he or she turns on her company-owned computer or logs into a company VPN. The verbiage needs to be a lot more focused and designed to cover all forms of DATA on company-owned devices AND user-owned devices.
Employees need to acknowledge (repeatedly) they understand the policy and how enforcement works so when the time comes to capture data on an employee's home computer or personal cell phone (yes, home computer) you can legally do so.
Creating a policy always needs to be done with cooperation among your legal team, IT department, human resources group and maybe a third party lawyer to help review. However, the basic details can be written on your own to cover your bases.
Your new policy, and the pop-up banner that explains and reminds, needs to have at least four parts that are clearly understandable to your users:
Purpose of policy,
Focus of policy,
Failure to Abide By and
Acknowledgment.
Each part is critical to the whole policy holding up in court, should it ever be challenged. Let's look at each one.
Purpose of Policy
The purpose of the policy is clear: to protect your network and employees.
A good introduction can outline the common need to help secure your company's IP, create a harassment free environment, etc. This reminds the user that your policy isn't designed with big brother in mind, but to protect the network. Here is an example compiled from a number of Department of Defense-related systems:
"All Acme Company computer systems and related equipment are intended for the communication, transmission, processing, and storage of company business or other authorized information only. All Acme hardware and network data are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of security regulations and for other similar purposes."
Focus of Policy
The focus of the policy should be on what and how you are going to protect your network. A simple "All electronic data is subject to monitoring" is too vague, while on the other extreme, a list breaking down all the applications, devices and tools used can not only over-complicate things, but may even backfire during a legal review. If you write "Acme Company monitors all email traffic over port 25," what happens when you capture someone's personal Gmail forensically, or by monitoring port 80?
The trick here is strike that balance of clarity and comprehensiveness.
I have read a policy that was over 20 pages long, with so many examples it should have covered everything. However, the details corner the company into actually monitoring a limited number of devices. Yesterday's Palm Pilot is today's smartphone and tomorrow's Google Glasses. Keep your policy focused on data and network, not specific devices. Terms like mobile device, electronic systems, network traffic, etc. make it your target generalized yet specific.
"Acme monitors all electronic transmissions, which includes but is not limited to: e-mail systems; computer systems; network traffic (including any electronic system and/or mobile device using an Acme network); and stored data on Acme equipment and/or mobile devices, all of which may contain personal information. Acme reserves the right to access, review and/or monitor all Acme messages and company files on any electronic device accessing Acme systems or storing Acme data at any time and without notice."
Let's test our policy with an investigation use case.
During our investigation we find personal emails from a user's unallocated (deleted) space on a company system. Review of the emails reveals that the employee was planning on selling trade secrets to friend at another company. In response, our firewall is set up to flag any file transfer activity, and a key logger is installed on the company-owned system. We even see, in real time, the employee move company documents from his work computer to an external drive while talking over Skype. At one point he sends a clear-text message from his cell phone that is connected to the company's Wi-Fi.
According to our policy we can clearly monitor all these activities, without much room for debate.
Failure to Abide By
Equally important is the clear message that if the banner policy is not followed, the employee can receive corrective action, including termination.
But corrective action for what? The policy should state that failure to assist in network and IP protection, and use of tools to circumvent installed protections (removal of virus protection, unapproved encryption, etc.), can lead to trouble. This will be a card you may need to play if things get contentious during your investigation.
"Failure to adhere to this policy or cooperate with network and data protection can result in disciplinary action up to and including termination."
After seeing the data transfer to a home computer and possibly communication on their personal cell phone, you can give the employee the ultimatum: Bring in the home computer and phone for forensic review, or be terminated. Although the employee would be smart not to turn over the personal computer and phone, they usually do, for fear of losing the job. If they refuse, you could add that to the list of violations during your investigation for termination cause - based on the provable fact that the employee has repeatedly been notified of, and has acknowledged, the relevant policy.
An often-overlooked part of the policy should also include the sharing of the user's data, specifically with a third party and/or law enforcement.
"Acme reserves the right to disclose data to law enforcement agencies or other third parties without the employees consent."
This provides one more added layer of protection when sharing private data. During your monitoring activities a wide array of personal data can be viewed and recorded. Expressing early on that the data is not only subject to view, but can be shared with lawyers, police, and others, can also protect your company for litigation.
Acknowledgment
There is no point in having a banner policy if no one reads it.
When challenged in court, your evidence can quickly be thrown out if it's discovered your policy is hidden in an HR policy book for no one to actually read.
To make sure it's understood you can post it as an auto pop-up--pasting it into
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\ CurrentVersion\Winlogon\LegalNoticeCaption
for the user to be reminded each time they power up. Additionally, have the policy acknowledgement process as part of new hire intake process, and include it in your Ethics, Sexual Harassment and other annual policy/training procedures.
The key is to put your best effort in educating your employees that the policy exists AND is enforced, so there is a documented record of their acknowledgement and understanding of the policy.
Conclusion
BYOD doesn't have to bring down your investigation or leave your network and IP unprotected. Even as you build your digital infrastructure to handle the future of BYOD at your company, a strong foundation built with a good banner policy will reinforce your walls and could be the last thread that saves your company.
Brandon Gregg is a corporate investigations manager. His website is www.brandongregg.com.