It is without question a risky affair: allowing employees to use their personal devices to access your network and valuable, often confidential company data. Yet despite the risks, BYOD (bring your own device) marches on, and companies and organisations around the world are adopting tactics and technologies to make it work.
First: what are the benefits of BYOD, if any?
BYOD’s benefits centre around employee happiness and productivity, though costs can be a factor too. Employees enjoy using the devices they like and feel comfortable with; after all, laptops and phones increasingly have lifestyle and fashion appeal. Productivity gets a boost too, as employees can use the devices they are familiar with, skipping the learning curve. Finally, there could be savings involved, as you can utilise the devices your employees already have.
Yet, the risks are many
Allowing any degree of BYOD implies a loss of control and brings about challenges around endpoint security. An employee leaving the company could walk away with access to confidential data, including stored emails, attachments and uninterrupted access to cloud storage. Little is known about an employee’s device, including the other applications installed and the security measures in place. Either can be a source of malware or could allow perpetrators to steal data.
Steps to secure BYOD
Being too restrictive can erase the benefits of having this open policy in the first instance. IT staff need to strike a balance between protecting company data, and allowing some freedom for users. You may find that constructing different policy tiers can be helpful, as not every employee and every department are exposed to confidential data.
The nature of your business will determine your information security requirements: if you never handle personal data and have little to no confidential company data, you could afford to be relatively lax with your policies. Yet sensitive data such as medical records implies a BYOD policy that is far stricter. Regardless, sensible strategies are necessary. Here are some ideas:
- Deploy Mobile Device Management (MDM) solutions
Fear not: you can locate, lock and wipe a lost personal mobile device. MDM packages can enable administrators to take control of a device which has been lost or stolen, preventing confidential data from falling into the wrong hands. MDM solutions provide policy-based security which can force users to lock their devices with a PIN or restrict the installation of certain applications.
- Draw up a list of approved devices
Restricting the devices which are designated as accepted according to your BYOD policy can limit the number of problems you experience, and make managing devices easier. Consider which devices are the most popular, evaluate the security issues around them, and add these devices to a whitelist in your BYOD policy.
- Make it clear who owns your data
This is particularly important if you encounter a lot of employees who are new to the workplace or to BYOD. Allowing company data on to an employee’s devices can blur the lines of ownership. Ensure you make clear exactly where ownership lies; a combination of solid HR policies and employee training will do the job.
- Create an exit strategy for departing employees
The opportunity may not always be there if an employee departs suddenly (in which case you need to rely on your MDM solution), but in most cases you can manage the withdrawal of access rights as part of HR checklists and exit interviews. Develop a step-by-step policy that ensures no company data is left over on a device, and that all company accounts linked to the device are blocked.
- Set an acceptable use policy
Under BYOD the employee will often have the ultimate authority to install apps and upload content to their devices. You can, however, instruct your employees to abide by an acceptable use policy. This policy will bar certain categories of apps and content and could restrict access to certain classes of websites while the device is on corporate networks.
A Tenable Network Security survey held in partnership with the LinkedIn Information Security Community in 2016 suggests that 72% of respondents were at a stage where BYOD was on offer to all employees, or to some employees. As much as you should take the utmost care to protect your company data, keeping this data off employees’ devices may not be realistic. Instead, develop policies which will protect your company data while allowing employees to use their own devices.