A growing number of organizations are adopting a “bring your own device” (BYOD) policy, which allows employees to use their personal devices such as smartphones, tablets, and laptops for company business. A report from Tech Pro Research showed that 72% of businesses are expected to implement BYOD by the end of 2017.
As BYOD becomes more commonplace, it’s crucial for organizations to formulate a security policy that meets the needs of employees, while protecting the organization’s interests. Keep the following 6 points in mind when creating or updating your company’s BYOD security policy.
1. Involve Multiple Departments
Your BYOD policy isn’t just for convenience, it’s there to serve your organization’s business goals. Therefore, it’s important to involve multiple departments that have a stake in the matter when developing the policy.
In addition to IT, your organization’s human resources department should be involved, as well as the security department, legal counsel, and others who may need input. Some industries or roles are regulated and require special compliance, such as HIPAA for privacy of medical information, or certain SEC requirements for executives.
2. Address Affected Employees, Not Just IT
Don’t forget one of the most important groups to seek input from: the users themselves. Take the time to talk to the people who will benefit from the BYOD program. Find out what they need and want. Employees are much more likely to respond well to a policy and comply with the requirements if they feel their concerns were met throughout its implementation.
Be realistic about how your employees will actually use their devices. The goal is to let employees be more productive by streamlining their use of devices. If you place too many cumbersome restrictions on users, they will inevitably create their own unapproved workarounds, which put your data in places you cannot see or monitor and make employees less likely to report problems promptly.
3. Cover the Entire Process
Writing specific procedures for various aspects of the BYOD program will help ensure that the right security protocols are followed by both the company and the user. Consider the following:
Check and Register Devices
Create a process for registering each device that an employee intends to use. This process should include a thorough check of the device to make sure it has not been altered in a way that defeats its built-in security features, such as jailbreaking or rooting, which removes the platform protections (sandboxing, code signing, verified boot) that MDM and MAM controls depend on.
Before you allow the employee to begin accessing your organization’s data with the device, educate them on how to use it as intended, as well as the risks and responsibilities involved. (See #6 below.)
Obtain Security Tools
Make sure you have enterprise mobility management (EMM) tooling such as mobile device management (MDM) and mobile application management (MAM) to isolate your organization’s data and applications in a managed container, separate from everything else on the device. Require strong authentication, ideally multi-factor, to reach your organization’s data from the employee’s device, and encrypt that data both at rest on the device and in transit. You also must be able to disable access and erase your organization’s data from the device immediately if the device is stolen or the employee leaves the company. On a personally owned device this should be a selective wipe of the managed container rather than a full factory reset, since the employee’s own photos, messages and accounts live on the same hardware.
Monitor Device Security
You will need tools that let you monitor exactly who is accessing your data, as well as when, from where, which data is being accessed, and how. You should also review the status of the device automatically each time it connects to your organization’s data and services, checking whether it is still enrolled, unmodified, and properly updated. If the device’s owner has not installed the updates needed to keep the device compliant with your security requirements, you must be able to detect this and deny access to your data until the owner corrects it. A device that has stopped reporting its status at all should be treated the same way, since you can no longer tell whether it is compliant.
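The registration check and the connect-time compliance check described above, as an added example that is not from the original post or from any EMM vendor: a small Python posture evaluator that takes the attributes an MDM agent typically reports (enrollment, jailbreak/root detection, OS version, storage encryption, passcode, time of last check-in) and returns an allow/deny decision with the reasons for every failed control, so the user can be told exactly what to fix. The minimum OS versions, the stale-report window, the attribute names and the sample devices are all constructed assumptions for illustration; unknown platforms fail closed.

```python
"""Constructed BYOD device posture check that gates access to company data.

Assumed: the posture attributes come from your EMM/MDM agent. The threshold
values below are illustrative, not a recommendation for any particular vendor.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative policy values (assumptions, not taken from the article)
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}
MAX_CHECKIN_AGE = timedelta(days=7)


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str           # "ios" or "android"
    os_version: str         # dotted string as reported by the agent, e.g. "16.4.1"
    enrolled: bool          # registered in the EMM (the "register devices" step)
    jailbroken: bool        # jailbreak/root detected by the agent
    disk_encrypted: bool
    passcode_set: bool
    last_checkin: datetime  # last successful posture report (UTC)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1). Non-numeric parts count as 0 so an odd
    string reported by a tampered agent cannot compare as 'newer'."""
    return tuple(int(piece) if piece.isdigit() else 0 for piece in text.split("."))


def evaluate(posture: DevicePosture, now: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Access is denied if any control fails, and
    every failing control is listed rather than stopping at the first one."""
    reasons: list[str] = []

    if not posture.enrolled:
        reasons.append("device is not registered with the EMM")
    if posture.jailbroken:
        reasons.append("jailbreak/root detected")
    if not posture.disk_encrypted:
        reasons.append("storage encryption is disabled")
    if not posture.passcode_set:
        reasons.append("no device passcode")

    minimum = MIN_OS_VERSION.get(posture.platform)
    if minimum is None:
        # Fail closed: a platform we have no policy for gets no access
        reasons.append(f"unsupported platform {posture.platform!r}")
    elif parse_version(posture.os_version) < minimum:
        required = ".".join(str(n) for n in minimum)
        reasons.append(f"OS {posture.os_version} is below required {required}")

    # A device that has stopped reporting is one you can no longer monitor
    if now - posture.last_checkin > MAX_CHECKIN_AGE:
        reasons.append("posture report is stale; device has not checked in recently")

    return (not reasons, reasons)


def run_checks(devices: list[DevicePosture], now: datetime) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every device in a batch, keyed by device id."""
    return {device.device_id: evaluate(device, now) for device in devices}


# Constructed reference time and sample posture reports (not real devices)
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DevicePosture("phone-001", "ios", "17.1.2", True, False, True, True, NOW - timedelta(days=1)),
    DevicePosture("phone-002", "android", "14.0", True, True, True, True, NOW - timedelta(hours=3)),
    DevicePosture("tablet-003", "ios", "15.7", True, False, True, True, NOW - timedelta(days=30)),
    DevicePosture("laptop-004", "windows", "10.0.19045", True, False, True, True, NOW),
]

if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_checks(SAMPLE_DEVICES, NOW).items():
        print(device_id, "ALLOW" if allowed else "DENY", "; ".join(reasons))
```

In a real deployment the decision would be enforced by the identity provider or access gateway (conditional access) rather than by a script, but the logic is the same: the device proves its state on every connection, and a failed or missing report means no access until it is fixed.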
4. Adapt to Changes
In the IT world, change is constant and inevitable. IT personnel are accustomed to keeping up with new devices, software updates, emerging trends, and more. When implementing a new BYOD policy, the processes and procedures your organization has traditionally applied to enterprise-owned devices must be updated to accommodate it. The goal remains focused on minimizing security risks, so you will likely need to create new countermeasures to fight potential threats associated with a BYOD policy.
5. Be Aware of Potential Issues
Unfortunately, it’s impossible to protect your data completely when dealing with BYOD. Therefore, you must be aware of the potential issues you may face and plan, before they happen, how you will respond to and remediate them. Consult all the necessary people, try to anticipate the scenarios that may arise, and agree on the procedures for addressing each. Planning is the key, so that any incident can be dealt with quickly. A few potential issues to consider include:
- The device getting lost or stolen;
- The device getting hacked or otherwise improperly accessed, allowing access to the organization’s data;
- The device’s owner compromising a device’s security by jailbreaking or otherwise altering it;
- Losing the ability to monitor the device’s security status.
6. Educate Users on the Risks
When an employee is approved to use their device for business purposes, they must also be educated on the risks involved. Teach them about how it’s meant to work, various hazards to avoid, how to tell whether their device and data are secure, and what to do if they encounter a problem.
Sharing these best practices helps reduce the risk of your system being compromised unwittingly and empowers the employee to take responsibility for their device and how it will be used.
Does your organization have a BYOD policy? Do you feel that its rewards outweigh the risks?
With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego, CA. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security services, from penetration testing, consulting and training to advanced threat detection. “It’s not a matter of if, it’s a matter of when.” Ms. Bowles finds great gratification in helping companies ensure they are safe from data breaches.