Recent studies have indicated that the vast majority of workers today expect to be able to use their own mobile devices for work. The bring your own device trend has several key benefits for organizations, including reduced costs and increased worker productivity, but it also creates security risks that many organizations have never had to face before.
When multiple employees are accessing sensitive company networks and data using multiple devices, it’s important to have a clear and comprehensive BYOD policy in place that explains any limitations on acceptable use, banned applications and what happens in the event the device is lost or stolen. However, several surveys indicate that almost 50 percent of organizations that allow BYOD do not have formal policies in place.
If your organization does not have a policy regarding employee personal mobile devices, it’s important to implement one to protect your data. While there are many points that such a policy should cover, the following are the most important things to consider when developing your rules.
Specify the Types of Devices That Are Acceptable To Use For Work
The first step in any BYOD policy is to determine which devices are okay to use. While Blackberry used to be the standard for workers on the go, today there is a wide range of choices, from Android-powered devices to iPads and everything in between. Depending on the security protocols you have in place, certain devices may need to be banned from your network. Some solutions allow you to secure access from devices across multiple platforms, but others do not. Make it clear to your employees which device types and operating systems are acceptable for use on the company networks.
Establish Minimum Security Requirements
When your employees use their personal mobile devices to access corporate networks, sensitive data lands on the device. Your BYOD policy should outline the strict security protocols that you expect from employees, including complex password-only access, firewalls, antivirus apps and any other measures you deem necessary.
Employ Applications Management
While employees own the devices that they use for work under a BYOD plan, they need to understand that their ownership does not guarantee total freedom to download any application they wish. The BYOD policy should outline which applications are permitted, and which are banned. Some applications have the ability to freely access data present on the phone, which could present security risks; other applications are either poorly written and create security loopholes, or are actually dangerous malware that will put the network in jeopardy. Inform employees exactly which applications are okay to download – and when they need to seek approval.
Develop an Exit Strategy For Separation, Loss or Theft
It can happen to anyone – they drop their phone in a parking lot, or their tablet is stolen from their bag or vehicle. While it’s inconvenient and worrisome for anyone to lose their device, when it contains sensitive corporate data, the stakes are even higher. Your BYOD policy needs to clearly outline what happens in the case of loss or theft – whether the phone will be locked or wiped – and what employees can do to protect their own personal data. The policy should also cover what happens when an employee leaves the company, and how you will handle the data on the personal device.
Establish Acceptable Use
Chances are the devices and equipment that your company owns are governed by acceptable use policies. For example, employees may not be able to use Facebook from a company computer, and certain types of websites are banned. But how will those policies extend to personal devices? Your policy needs to outline what is allowed when using the device on company networks, how activity will be monitored and the consequences for violating the policy.
These are just a few of the important points that your organization’s BYOD policy needs to address. Other topics of concern include reimbursement, how much service the IT department will provide on devices and who actually owns the apps and data on the phone. Starting with these five points, though, will get your policy on the right track, and prevent BYOD from turning into “Bring Your Own Disaster” at your company.
About the Author:
Small business consultant Cliff McHugh is certified in information security and works with small to mid-sized businesses to develop IS plans, including BYOD and MDM. The former CIO of a regional hospital, he’s well-versed in the importance of data protection as it relates to federal privacy laws. He relies on programs like those provided by Trend Micro in his work and advises that it’s the kind of investment everyone needs to make.