Consumer-styled devices—like smartphones and tablets—have blurred the lines between personal and professional lives.
We’re so connected with these mobile devices that we take them everywhere, and using them for work purposes has become a natural extension.
Many corporations accepted the use of employee-owned devices, and even gave the practice a name: Bring Your Own Device (BYOD).
It meant less capital expense to provide them with company-issued technology. But the escalating risk arising from lost, stolen, and hacked mobile devices requires businesses to rein in the controls.
They need to ensure that only authorized people have access to authorized data, via authorized devices and apps.
Designing, deploying, and managing a BYOD policy is critical if you are going to allow employees to use their own devices to connect with your enterprise data in any way. Even the slightest crack can open the door to a disastrous data breach.
Here are tips for building a secure BYOD policy.
1. Define allowable devices.
Identify which mobile devices will be allowed, including the operating system. Are you going to welcome only iOS and Android? Is there a limit to how many personal devices an employee can use in the workplace? Remember, you will have the burden of supporting the devices and their contents. Also, clearly state that no jailbroken or rooted mobile devices will be allowed access to your network.
2. Establish data security protocols.
Don’t leave password protection up to your employees. Alert them that they will need to use an approved alphanumeric combination that is changed according to a preset schedule. Learn more about password security here. Also require a screen lock as a layer of protection. Employees might not like these extra steps, but this must be a take-it-or-leave-it proposition. The cost of non-compliance could be in the millions of dollars if you’re hacked as a result of a lazy employee.
3. Detail the level of IT support you will provide.
BYOD can be an IT nightmare. With onboarding new devices, OS and app updates, tech support, security patches, and other troubleshooting, your IT Help Desk can easily become overloaded. Your BYOD policy should be clear about the services that will and will not be offered by the company’s IT staff—including problems that arise from personal apps loaded onto the device being used for business purposes as well.
4. Be clear about apps and app management.
It’s one-click-too-easy to download an app. How tightly will you control which apps will be allowed on devices that can access your enterprise network? Your BYOD policy should provide a list of approved apps, in addition to those that you ban from your corporate network. Consider requiring a process that limits social networking, games, music, and videos, all of which pose a significant data breach risk.
5. Include a remote wipe clause.
Mobile devices are easily lost or stolen, and employees are terminated. When any of these situations occur, your IT team needs to wipe the device to protect network security. What happens to any personal information (contacts, photos, videos, music, apps) that’s also on that device? Your job is to protect your enterprise data, so be clear in your BYOD policy that employees are responsible for backing up their personal data, and identify those instances when you have the right to lock down and remotely wipe a device.
6. Explain acceptable use and monitoring.
Put this in writing to ensure there is no confusion. Identify how the employee’s devices will be monitored to ensure security. Describe the monitoring system you use in order to protect the network. Be clear about personal use that is prohibited on your network, such as social networking, questionable downloads, and personal emails.
The use of consumer-owned devices in the workplace is inevitable, but with a well-crafted BYOD policy, you have control over how much threat they pose to your enterprise security.
How are you creating your BYOD policies? Share more tips with us on Twitter @LTronCorp
