Bring Your Own Device (BYOD) has been a hotly debated topic in companies of every size over the last few years.
BYOD is a policy that allows employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to the workplace to access privileged company information and applications. BYOD promotes productivity and can contribute to employee retention, but the options available to manage personal devices can be confusing for employees. IT must manage many different issues, including software and hardware for mobile device management, device and identity partitioning, wireless access points, network access control, and custom mobile applications.
There can be a lot of fear and trepidation about the topic because there are very real security issues around BYOD. There is a sense that somehow it means automatically losing control of data and security. This is not the case at all. If the risks are properly analyzed and fully understood, they can be managed appropriately. Here are some of the basic issues to think about when it comes to BYOD.
What’s considered “safe enough” when it comes to encryption? Consumer-owned products are not going to come with encrypted hard drives. It’s important to look at the needs of your company and decide what level of encryption is necessary and how you will roll out those requirements on employees’ personal devices.
In a world with so many devices, it’s really less about the device and more about controlling and tracking data. This is a fundamental change in attitude for most organizations. Who can see your data and share it has become more important than which device they are on.
It does not necessarily cost less to manage corporate IT and security if employees use their own devices. While money may be saved on hardware, IT departments end up having to support many more types of devices and devote more resources to security across them.
How will you identify a device that has been compromised (think malware) that is trying to access your network? What kind of authentication protocols will be put in place to verify a device is trustworthy?
Do you have a system in place to wipe an employee’s personal device if it’s been stolen or permanently lost? Additionally, can you lock the device out of your network? Putting a protocol in place that everyone understands upfront is important so there are no surprises.
Of course, you’re not just dealing with devices—you’re working with the people using those devices. Managing BYOD successfully also means communicating with employees effectively. When it comes to implementation, I’ve found these five basic principles to be very helpful.
1. Be Flexible
Every department has different needs. Don’t try to make one-size-fits-all policy decisions. You can be stricter or more lenient depending on how risky the situation is or how sensitive the data is.
2. Education is Key
A large part of information security is educating employees over and over again. It’s important to be clear about why security is important—it protects the company and their livelihood. Make sure employees clearly understand what’s expected of them when it comes to protecting company data.
3. Privacy and Transparency Are Important
It’s important to establish trust with employees. You want them to see corporate IT security as a resource they can use, not Big Brother, whom they have to avoid at all costs. Be clear about what is and isn’t monitored.
4. Be Trustworthy
Be clear about all your policies up front. Be consistent in how you behave when a phone is lost or a laptop is compromised with malware, so your co-workers will know what to expect from you.
5. Keep Employees Apprised of Current Threats
Along with taking the appropriate precautions to protect company data, employees should also be taught to look for the signs of a compromised device. It’s important that they be proactive when it comes to understanding risks and current scams, especially when traveling.
A comprehensive BYOD policy starts with a thorough understanding of the unique risks and vulnerabilities faced by personal mobile devices used for work. Risk analysis is essential to putting proper safeguards and protocols in place. BYOD should make it easier for employees to be productive and create a flexible work environment.