How to Protect a Company with a BYOD Security Policy that Works
According to a recent study by Syntonic, 87% of companies rely on employees using their personal smartphones to access mobile business apps and services. A BYOD security policy is tricky to get right, but it is a necessity for any company wishing to leverage the resources available to its workforce. Bring Your Own Devices, or BYOD, is a policy that authorizes employees to use personal computers, tablets, and mobile devices in the workplace. It is one of the many ways companies leverage available resources in a way that promotes productivity and reduces costs.
According to CBS News, 67% of people use their own devices at work. As mobile solutions become more standard and beneficial for business processes, BYOD has become increasingly popular.
In recent years, personal devices were strictly banned in the workplace, but companies have quickly realized that allowing them boosts employee productivity and can potentially save on capital expenditures to boot. The BYOD policy has significantly changed the modern workplace by encouraging companies to rethink the role of employee-owned technology in the business environment.
However, for IT network security, BYOD policies also introduce a complicated challenge to overcome. A formal BYOD security policy needs to protect both the company and the employee. Likewise, it must deter employees from using their devices for personal pursuits without restricting their ability to work.
The use of BYOD is on the rise, and in turn, so are the risks to businesses. More than 50% of employees have not received any instructions on BYOD security policies in the workplace. Despite improved productivity and other positives, using a personal device for work-related tasks without instruction can pose significant security risks and concerns for IT professionals.
Tips for Creating an Effective BYOD Security Policy
To address these challenges, companies must develop a security strategy that anticipates these risks while respecting the fact that it is the employee who ultimately owns the device.
A solid BYOD security policy should:
1. Establish Security Requirements
Encourage employees to get in the habit of following security best practices by making necessary security measures a requirement. A good policy should require employees to:
- Keep their devices password-protected at all times
- Use a VPN (virtual private network), which masks internet traffic from a device, if the company opts to require one
- Run antivirus software to help mitigate the chances that corporate data will be exposed to malware from a personal device
All personal devices in the workplace should be subject to the same requirements.
2. Identify Acceptable Devices and Proper Use
Clearly define which devices are acceptable, including device types and operating systems, such as Apple iOS and Google’s Android OS. Doing so helps keep the IT department from feeling overwhelmed by compatibility issues with multiple types of devices.
Additionally, identify the instances of acceptable use of personal devices in the workplace. Employees can and will be tempted to use personal features of their devices while on the clock.
Many BYOD policies address this in two specific ways:
- Using a company app that requires users to log in before they can access company data
- Enforcing a whitelist approach to app use, which means giving specific apps explicit permission to run on a device; access to all others is banned during work hours
3. Require Registration with the IT Department
Registering devices with the IT department helps maintain the visibility of the devices connected to the network. Companies can easily make this part of the onboarding process for new hires and new devices. A network administrator can easily compare a list of registered devices to the list of connected devices to spot unauthorized connections.
Likewise, gathering such data creates a snapshot of device demographics to help the IT department develop infrastructure which is compatible with the devices used.
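The registered-versus-connected comparison described in this step, as an added example that is not part of the original article: it matches a registry export against a list of connected devices and flags unregistered MAC addresses, marking those with the locally administered bit set, which usually indicates a phone's randomized private address rather than an unknown device. The CSV layout, the connected-device list format, and all sample values are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data: the IT registry and a DHCP-style list of connected devices.
REGISTRY_CSV = """owner,device,mac
alice,iPhone 13,A4:83:E7:12:34:56
bob,Pixel 7,3c-28-6d-ab-cd-ef
carol,ThinkPad,0050.56aa.bb01
"""
CONNECTED = """10.0.5.21 a4:83:e7:12:34:56 alices-iphone
10.0.5.22 3C:28:6D:AB:CD:EF pixel-7
10.0.5.40 9a:1f:22:33:44:55 unknown-phone
10.0.5.41 00:1b:63:99:88:77 macbook
"""

def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separator style it used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    # iOS and Android use such private addresses per Wi-Fi network by default.
    return bool(int(mac[:2], 16) & 0x02)

def audit(registry_csv, connected_text):
    """Compare registered devices against connected ones."""
    registered = {normalize_mac(row["mac"]): row["owner"]
                  for row in csv.DictReader(io.StringIO(registry_csv))}
    seen, unregistered = set(), []
    for line in connected_text.splitlines():
        ip, raw_mac, host = line.split()
        mac = normalize_mac(raw_mac)
        seen.add(mac)
        if mac not in registered:
            unregistered.append({"ip": ip, "mac": mac, "host": host,
                                 "randomized": is_randomized(mac)})
    absent = sorted(owner for mac, owner in registered.items() if mac not in seen)
    return {"unregistered": unregistered, "absent_owners": absent}

if __name__ == "__main__":
    report = audit(REGISTRY_CSV, CONNECTED)
    for dev in report["unregistered"]:
        note = "randomized MAC, ask the owner to re-register" if dev["randomized"] else "investigate"
        print(f'{dev["ip"]} {dev["mac"]} {dev["host"]}: {note}')
    print("registered but not connected:", report["absent_owners"])
```

Registering the address a phone actually presents on the corporate Wi-Fi network, rather than its hardware address, keeps this comparison meaningful.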
4. Clarify Data Ownership
Devices brought under a BYOD policy will hold a mix of personal data and corporate data, such as work emails, calendars, documents, and contacts. Make it clear to employees that their data remains solely their property and under their control. Consider including resources to help employees keep their data backed up if a device is stolen or destroyed.
Likewise, indicate what data the company owns. Using tools such as mobile applications helps with this process, as all company information will be stored on the device in one specific place.
5. Implement Mobile Device Management Software to Prepare for Loss or Theft
Mobile Device Management (MDM) software allows companies to remotely manage end-user devices. Chances are your phone, tablet, or laptop goes with you almost everywhere, making it easy to lose.
If a device is lost, stolen, or otherwise compromised, MDM provides a foolproof procedure to remove sensitive data from the phone remotely.
The true cost of a lost mobile device goes far beyond the price of replacement – just think of the loss of productivity, downtime, intellectual property, the support required, the data breaches and all the legal fees. It has been estimated that the average loss to a company exceeds $49,000.00 per lost or stolen device!
Although some sensitive data, such as company financial information, should never be stored on a BYOD device, it is inevitable that such devices may come into contact with sensitive information.
6. Include an Employee Exit Plan
When an employee leaves a company, corporate data must be removed from the device. Merely wiping the device using MDM software is a heavy-handed method. Instead, develop a set of exit procedures to safely remove company information in a way that preserves the integrity of the employee’s personal information.
An example of an exit procedure includes backing up employee data and content before wiping the device. It may also include a checklist of apps to uninstall.
RJ Young Can Help Your Company Secure and Manage Employee-Owned Devices
A BYOD policy promotes productivity and reduces costs, but cybersecurity is more complicated than ever, and security professionals face a dynamic terrain with no apparent boundaries.
As more companies recognize the value of employee devices in the office, robust BYOD security policies are necessary to help keep companies secure and safe, and a formal BYOD policy is a great place to start.
RJ Young helps companies develop strategies for every security challenge they may face. Discuss plans for BYOD with a security specialist today.