To say that the advent of mobile devices has revolutionized the way we work is an understatement. Many interesting new ways of working, such as BYOD (Bring Your Own Device), BYOT (Bring Your Own Technology) and BYOPC (Bring Your Own PC), have emerged as a result, and companies are playing catch-up.
These new trends also present companies with unprecedented opportunities as well as risks. BYOD is being embraced by IT departments in organizations across the world as it simply makes sense.
Letting employees work on their own devices can increase productivity as it allows them to work flexibly. It can also substantially reduce company overheads by leveraging employees’ own tools instead of providing them with company equipment.
Finally, more often than not, employees invest in better, more up-to-date devices than companies do as the latter usually get “good enough,” budget equipment that can become outdated very quickly.
That being said, having multiple, unsecured devices accessing a company’s privileged data environment can also threaten its security. Employees may unknowingly leak data by transferring it to their personal email for future access, or to services like Dropbox and Google Drive where the IT department has no control. Their devices may be stolen or even hacked, in which case sensitive company data may be compromised.
The advantages of BYOD and similar workplace trends, however, outweigh their negatives, and companies only need to follow a few best practices codified as policy to ensure that nothing bad ever happens. Here are 5 such practices that you can follow to set up a robust BYOD policy…
#1 Clearly Spell out Which Devices Are Allowed
Just because employees are bringing their own devices doesn’t mean you have to allow all of them to connect to your network. Some devices and operating systems are inherently more robust than others. Your IT department or MSP can help you understand which devices can be safely connected and which should be avoided.
#2 Implement Robust Security Protocols for the Allowed Devices
Once you have a list of devices that can be connected, implement the same safeguards that you have on your company-owned assets. Some measures you can consider…
- Make sure all devices have password protection. Create a password policy that requires employees to implement sufficiently strong passwords that should be periodically changed.
- All devices should have updated antivirus and malware protection. Ideally, you should consider using the same software as that used by your company to make updating and patching easier.
- All devices should follow a sound data loss prevention (DLP) policy. There is no one way you can implement a DLP policy as it involves multiple angles that need to be considered. Here’s an excellent resource on how to create a DLP strategy.
- Have a data wipe strategy to erase all company data in case a device is compromised. The best way to go about it is to enable a location tracking app/service on personal devices so that they can be remotely tracked and wiped if necessary.
- The kind of applications that can be installed on the devices should also be controlled to eradicate security loopholes.
- All devices should follow your company’s patch update schedule.
#3 Determine How and Where the Devices Can Be Used
While allowing only secured devices to access your network will go a long way to making sure that there are no unforeseen consequences, how those devices are being used within your company walls also needs to be controlled.
As smartphones and tablets come with cameras, audio recorders and other technologies, restrictions should be imposed on where these may be used. You do not want someone taping a new technology being developed or recording a meeting on their personal device, after all.
Corporate and personal data should also be kept in separate “containers” so that there is no overlap between them. Not only will this help with data wipes, should they become necessary, but corporate data can also be encrypted to add another layer of security. Here’s an excellent resource on how data containerization can help you.
#4 Have a Clear Employee Exit Policy in Place
Theft and hacking aren’t the only two ways you can lose your company data; as employees leave, they can carry your proprietary information with them, too. Your exit policy should be clearly stated in the agreement and the employee should understand that his/her device(s) may need to be surrendered for a data wipe in the event they leave. To ensure that the employee’s personal data is secured, they should be encouraged to back it up regularly.
#5 Create a BYOD Specific Support Policy
Who will be responsible for updating, managing and fixing your employees’ personal devices should they need help? Will it be your in-house staff, or your MSP? It is crucial that all responsibilities be laid out in your policy framework to avoid loose ends. Of course, make sure your employees are aware that support people may need access to their device if required.
As BYOD is part of a new trend that is yet to reveal itself in its entirety, a policy should be considered a perpetual work in progress. While the steps described above are a good starting point, it’s impossible to consider every contingency going in. Newer technologies will emerge that will change how we work further still, which is why creating a BYOD policy that is essentially in perpetual beta mode will go a long way to ensuring that your organization remains both progressive and secure.