One of the leading reasons for data breaches of sensitive information — always placing in the top three — is the loss or theft of devices. This is true even if a device, such as a laptop or external hard disk, is protected with full disk encryption like AlertBoot. The use of strong encryption generally means that the data breach is neutralized since the data is not at risk.
As BYOD initiatives take off in organizations across the world, it’ll be interesting to see whether the results remain true.
Yours, Not Mine: The Tragedy Of The Commons
If you’ve ever taken up a study of modern economics, you’ve probably run across the tragedy of the commons. In short, it’s the observation that people don’t take as good a care of things they don’t own, even if they know that it’s in their interest to do so. Award ownership, however, and things get better.
The traditional example in textbooks is that of a commons — a communal tract of land used for grazing livestock. Everyone gets to use it but no one needs to tend to it. The commons is overgrazed and becomes barren over time. Obviously, it’s unfit as grazing land at that point.
All who use the commons know this is the inevitable end but no one takes the time to care for the land. Even if some farsighted souls make an effort, they’ll soon realize that it’s a Sisyphean task because others are not interested, and indeed abuse, the good efforts by this group. Divvy up the land and extend ownership rights, though, and you solve the problem.
I was reminded of this as I re-read Reinventing the Bazaar: A Natural History of Markets. It was noted that, in the 1990s, nearly all of Vietnam’s trucks were broken down due to the lack of maintenance and parts (no thanks to the collapse of the Soviet Union, where all the trucks were manufactured). Facing a “transportation crisis,” the Vietnamese government gave truck drivers “an ownership stake in his truck” and saw a “miracle” where “suddenly, all the trucks run.”
When you think about it, the provisioning of electronic office equipment, such as laptop computers, is similar to the Vietnamese truck situation of the 1990s. The equipment is owned by the company. Employees don’t have an incentive to take care of it. Sure, neglecting things to the point of inoperability means that employees will face difficulties in carrying out their jobs, which in turn means they might get fired. But, so it was with the truck drivers.
Could BYOD Change the Profile of Data Breaches?
BYOD stands for “bring your own device.” The term alone highlights the fact that it’s not the company’s equipment. You don’t have partial ownership. The device is strictly yours.
According to traditional, mainstream economic theory, this means that employees will be more careful with the device. Behavioral economics also suggests the same: compared to a situation where a company gives its employees smartphones — like Yahoo! recently announced it will — people think more highly of stuff they paid for themselves (Yahoo! runs the risk of its employees thinking of their phones as theirs, as they should, but also as free, which comes with its own behavioral problems). Not only will employees feel more careful about not losing their devices, they’ll want to ensure that the data within them are properly restricted.
It doesn’t feel that way, not yet. For example, surveys have shown that only half of smartphones are protected with passcodes. It’s a percentage well short of what one would find in HIPAA-covered laptops or devices used by bankers (many are well nigh 100%).
But, if you compare it to the levels of encryption on laptop computers across all businesses in the US that should be protecting their data, I get the feeling that it’s already significantly higher. I expect mobile security levels to increase as even more people become aware of the risks the data in their devices represents.