Many organizations are approaching the Bring Your Own Device (BYOD) method of working in different ways. Some have adopted a BYOD policy and have seen many benefits. Others, however, appear to be rejecting BYOD, feeling that it is inappropriate for their organization.
What is a BYOD Policy?
As we discussed in our mobile email signature post, more and more workers are using their own mobile devices to access their work emails in and out of the office. However, many organizations don’t have a BYOD policy in place to manage these devices. This increases the risk of sensitive corporate data being leaked or the company network becoming infected.
Formal BYOD policies and solutions can help mitigate these risks. Such policies can have positive effects by improving employee satisfaction and increasing overall productivity. But what is a BYOD policy? Is it something you need to be thinking of within your organization?
Let’s look at some reasons for and against having a BYOD policy for your staff. You can then make your own decision as to whether you feel it is the right thing for your organization.
For Having a BYOD Policy
Letting employees access their emails in a limited fashion is the best method of implementing a formal BYOD policy. It is relatively simple for an organization to monitor and log what websites employees visit on their mobile devices. It is also prudent to make them all abide by a code of conduct when in a main office.
Management can also stop any pornographic or offensive material being viewed in the office. Most employees realize that they cannot view anything offensive on their desktop PC. However, they may feel that they can view whatever they want when using their own device. When you are in an office, viewing such materials online is similar to bringing in a printed version – it is not acceptable!
In other words, a BYOD policy can ensure that employees focus on their job and conform to company rules. Different employees will have different opinions on what they consider to be offensive. However, an organization HAS to consider the potential legal liability of what can happen if someone finds something really distasteful.
Against Having a BYOD Policy
BYOD programs require IT staff to support and administer many types of devices. They need to be familiar with the different handsets that employees bring into an organization, learn how to set up multiple applications on different mobile platforms and teach end users how to use different apps on these platforms. As you can see, this is an extra burden for an IT department where time is often at a premium.
To get around this, some organizations find it easier to provide employees with company-owned mobile devices. By identifying which employees NEED a mobile to do their job, a management team can budget on a capped cost. This means that there is no risk of employees using their own devices for work and submitting all sorts of bills for voice calls that they used for work purposes.
If employees start to use mobiles for work purposes, some will expect the company to help pay their bills. For example, someone might have had to make a long distance call to a client and it ended up costing them a small fortune when they received their phone bill.
By standardizing mobiles and having employees work on one platform, all queries don’t have to end up with IT. Otherwise, individuals have to take more responsibility for troubleshooting personal devices, as it is not feasible for their helpdesk to provide the same level of backup that they do for corporate devices. Colleagues can help each other learn how to use a particular mobile function, which is more difficult when everyone is using different platforms.
How to Create a BYOD Policy
Once you’ve decided that you want to put a BYOD policy in place, you need to make sure it’s adhered to. Follow the simple guidelines below to protect your security and improve your own BYOD policy where necessary.
Keep corporate and personal data separate
Provide users with a set of applications that holds corporate data separately from user data. This is achieved through good app planning via programming and management suite policy enforcement.
Have encrypted corporate data
Without encrypted data, compromised devices can give up important details too easily. Encryption ensures data is not readable by third parties.
Don’t let users access data offline
If you have high levels of security in place for documents and applications, you do not want anyone to download or view cached versions on local devices. Therefore, only allow access to sensitive information when users are connected to the corporate network.
Use a mobile security management suite
To enforce security policies for a device, application or document, you need to use a mobile security management suite. This should easily integrate into your corporate environment so no user’s device can access company assets without being properly vetted by security policies.
Never allow jail-broken or rooted devices to be used
These devices are considered to be ‘security compromised’ by mobile security suites. Therefore, they are more at risk of security threats than secured mobile devices.
Use screen lock passwords
Don’t let users ignore implementing a screen lock password. They are simple to set up, yet provide a high level of data security. Mobile security suites can enforce this for all devices if you feel employees will not do this of their own volition.
Enforce regular OS and patch updates
Users need to keep their devices updated with the latest operating systems to ensure protection against malware. Updates will often fix security vulnerabilities, whether they are minor changes or major revisions. Some mobile security management suites can enforce these updates to ensure the highest available patch levels.
Require VPN for connectivity
Secure VPN connection enforcement should be standard practice. Device-level VPNs securely connect a device to the corporate VPN server. Application-level or micro VPN connectivity, on the other hand, ensures that all application-related data transmissions are secure.
Require periodic re-authentication
Check the user is genuine with periodic re-authentication. If you don’t do this, security vulnerabilities can occur if a device is stolen or compromised in any way. You can also enforce re-authentication using management suites.
Have custom profiles for every device
There are many different manufacturers and types of devices on the market, such as smartphones, tablet PCs and laptops. It is a good idea to have separate security for every supported device. If you only use generic security, there will be significant gaps and vulnerabilities on your network. An iPhone works differently to an Android device, for example, so different security measures are needed for additional protection.
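The guidelines above can be expressed as the kind of posture check a management suite runs before granting access to corporate data. This is an added example, not code from the original post or from any vendor's product; the field names, platform profiles, version floors and re-authentication windows are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical per-platform profiles; the version floors and re-authentication
# windows are constructed values, not vendor baselines.
PROFILES = {
    "ios": {"min_os": (17, 0), "max_auth_age": timedelta(hours=12)},
    "android": {"min_os": (14, 0), "max_auth_age": timedelta(hours=8)},
}

@dataclass
class Device:
    platform: str
    os_version: tuple      # e.g. (17, 2)
    rooted: bool           # jailbreak/root signal reported by the agent
    encrypted: bool        # storage encryption enabled
    screen_lock: bool      # passcode or screen lock set
    vpn_up: bool           # device or per-app VPN tunnel established
    last_auth: datetime    # time of the last successful user authentication

def violations(dev: Device, now: datetime) -> list:
    """Return every guideline the device fails; an empty list means compliant."""
    profile = PROFILES.get(dev.platform)
    if profile is None:
        # Fail closed: a platform without its own profile gets no access.
        return ["no profile for platform"]
    found = []
    if dev.rooted:
        found.append("jailbroken or rooted")
    if not dev.encrypted:
        found.append("storage not encrypted")
    if not dev.screen_lock:
        found.append("no screen lock")
    if dev.os_version < profile["min_os"]:
        found.append("OS below required patch level")
    if not dev.vpn_up:
        found.append("VPN not connected")
    if now - dev.last_auth > profile["max_auth_age"]:
        found.append("re-authentication required")
    return found

def may_access(dev: Device, now: datetime) -> bool:
    return not violations(dev, now)

# Constructed sample devices.
NOW = datetime(2024, 1, 10, 9, 0)
GOOD = Device("ios", (17, 2), False, True, True, True, NOW - timedelta(hours=1))
STALE = Device("android", (13, 0), True, True, False, True, NOW - timedelta(hours=9))
UNKNOWN = Device("kaios", (3, 1), False, True, True, True, NOW)
```

Returning the full list of failures, rather than stopping at the first, gives the helpdesk and the user everything that must be fixed in one pass.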
In conclusion, BYOD (Bring Your Own Device) is becoming increasingly common in many workplaces. Employees use mobile devices to access corporate assets such as email, social media sites, network drives, cloud services and documents. This increases employee productivity and lets people work outside of a central office environment. However, there are various detractors of BYOD who believe that it constitutes too much of a risk to their company.
In the end, you want to give your users the freedom to bring their own devices to work, but you have a commitment to your employees, shareholders and customers to maintain a secure business environment. Having a good BYOD policy in place ensures a higher level of corporate security with set guidelines for all employees to follow.