Many organizations are approaching the Bring Your Own Device (BYOD) method of working in different ways. Some have adopted BYOD and seen many benefits, while others appear to be rejecting it, feeling that it is not appropriate for their organization.
As we discussed in our mobile email signature post, more and more workers are using their own smartphones and tablet PCs to access their work emails in and out of the office. However, many organizations don’t have a policy in place to manage these devices, increasing the risk of sensitive corporate data being leaked or the company network becoming infected.
Formal BYOD policies and solutions can help mitigate these risks. Such policies can have positive effects by improving employee satisfaction and increasing overall productivity. Let’s look at some reasons for and against having a BYOD policy for your staff, so you can make your own decision as to whether you feel it is the right thing for your organization.
Giving employees the ability to pick up their emails and contacts in a limited fashion is usually considered to be the best implementation of a formal BYOD policy. It is relatively simple for an organization to monitor and log what websites employees visit on their mobile devices and it is also prudent to make them all abide by a code of conduct when in a main office.
Another plus point is that management can forbid any pornographic or offensive material ever being viewed in the office. Most employees realize that they cannot view anything offensive on their desktop PC, but may feel that they can view whatever they want when using their own device. When you are in a corporate office environment, viewing such materials online can be akin to bringing in a printed version, which would never normally be permitted.
In other words, BYOD policies can ensure that employees focus on their job and keep within rules that they are expected to follow. Different employees will have different opinions on what they consider to be offensive, but an organization HAS to consider the potential legal liability of what can happen if someone finds something really distasteful, even if the material is not downloaded on a company’s own network.
BYOD programs require IT staff to support and administer many types of devices. They need to be familiar with the different handsets that employees bring into an organization (iPhone, Android, Blackberry etc.), learn how to set up multiple applications on different mobile platforms and teach end users how to use different apps on these platforms. This is an extra burden for an IT department where time is often at a premium.
To get around this, some organizations find it easier to provide employees with company-owned mobile devices rather than go down the BYOD path. By identifying which employees NEED a mobile phone to do their job, a management team can budget on a capped cost. This means that there is no risk of employees using their own devices for work and submitting all sorts of bills for voice calls that they used for work purposes.
If employees start to use a device for work purposes, some will expect their company to take on some responsibility for the device and its costs. An example would be if someone had to make a long distance call to a client and it ended up costing them a small fortune when they received their phone bill.
By standardizing mobiles and having your employees work on one platform, all queries don’t have to end up back at IT. Otherwise, individuals have to take more responsibility for troubleshooting personal devices, as it is not feasible for their helpdesk to provide the same level of backup that they do for corporate devices. Colleagues can help each other learn how to use a particular function on a phone, which becomes difficult when employees are using a myriad of platforms.
Create a secure BYOD environment
Once you’ve decided that you want to put a BYOD policy in place, you need to make sure it’s adhered to. Get your to follow the simple guidelines below to protect your security and to improve your own BYOD policy where necessary.
Keep corporate and personal data separate
Provide users with a set of corporate applications that holds corporate data separately from user data. Management will be able to wipe data from devices so this separation of data can be achieved through good app planning with programming and management suite policy enforcement.
Have encrypted corporate data
Without encrypted data, compromised devices can give up important details too easily. Encryption means that data will not be readable should it be viewed by the wrong person.
Don’t let users access data offline
If you have high levels of security for documents and applications, you do not want anyone to have the ability to download or view cached versions on local devices. Only allow access to sensitive information when users are connected to the corporate network.
Use a mobile security management suite
To enforce security policies for a device, application or document, you need to use a mobile security management suite. This should easily integrate into your corporate environment so no user’s device can access company assets without being properly vetted by security policies.
Never allow jail-broken or rooted devices to be used
If a device is jail-broken or rooted, mobile security suites consider it to be ‘security compromised’. Such devices are therefore more at risk of security threats than secured mobile devices.
Use screen lock passwords
Don’t let users neglect implementing a screen lock password. They are simple to set up, yet provide a high level of data security. Mobile security suites can enforce this for users’ devices if you feel that employees will not do this of their own volition.
Enforce regular OS and patch updates
Users need to keep their devices updated with the latest operating systems to ensure protection against malware. Updates will often fix security vulnerabilities from minor updates to major revisions. These can be enforced from some mobile security management suites to ensure the highest available patch levels.
Require VPN for connectivity
Secure VPN connection enforcement should be standard practice. Device-level VPNs securely connect a device to the corporate VPN server, whereas application-level or micro VPN connectivity ensures that all application-related data transmissions are secure.
Require periodic re-authentication
Check the user is genuine with periodic re-authentication. If you don’t do this, security vulnerabilities can occur if a device is stolen or compromised in any way. You can also enforce re-authentication using management suites.
Have custom profiles for every device
There are many different manufacturers and types of devices on the market like smartphones, tablet PCs and laptops. It is a good idea to have separate security for every supported device. If you only use generic security, there will be significant gaps and vulnerabilities on your network. An iPhone works differently to an Android device for example, so different security measures are needed for additional protection.
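Taken together, the guidelines above amount to a posture check that a mobile security management suite runs before a device is allowed near company assets. The code below is an added illustration, not taken from this article or from any management product; it evaluates a device report against per-platform profiles, and the field names, profile thresholds and sample device are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Hypothetical per-platform profiles; every threshold is an assumed value.
PROFILES = {
    "ios":     {"min_os": (17, 4, 0), "max_auth_age": timedelta(hours=12)},
    "android": {"min_os": (14, 0, 0), "max_auth_age": timedelta(hours=8)},
}

@dataclass
class Device:
    """Posture as a management agent might report it (constructed schema)."""
    platform: str
    os_version: str
    rooted: bool
    screen_lock: bool
    encrypted: bool
    vpn_up: bool
    last_auth: datetime

def parse_version(text):
    # '17.4' -> (17, 4, 0); raises ValueError on malformed input.
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def violations(dev, now):
    """Return every guideline the device fails; an empty list means compliant."""
    profile = PROFILES.get(dev.platform)
    if profile is None:
        return ["no profile for platform"]  # fail closed on unknown platforms
    found = []
    if dev.rooted:
        found.append("jail-broken or rooted")
    if not dev.screen_lock:
        found.append("no screen lock")
    if not dev.encrypted:
        found.append("corporate data not encrypted")
    try:
        if parse_version(dev.os_version) < profile["min_os"]:
            found.append("OS below minimum version")
    except ValueError:
        found.append("unreadable OS version")  # fail closed
    if not dev.vpn_up:
        found.append("VPN not connected")
    if now - dev.last_auth > profile["max_auth_age"]:
        found.append("re-authentication required")
    return found

# Constructed sample: a patched iPhone whose last login is 13 hours old.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = Device("ios", "17.5", False, True, True, True, NOW - timedelta(hours=13))
```

Unknown platforms and unparseable version strings are treated as violations rather than skipped, so a device that no profile covers is refused instead of falling through a generic rule.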
BYOD (Bring Your Own Device) is becoming increasingly common. Employees use mobile devices to access corporate assets such as email, social media sites, network drives, cloud services and documents. This is seen to be positive as it increases employee productivity and lets people work outside of a central office environment. However, there are various detractors to BYOD who believe that it constitutes too much of a risk to their company.
In the end, you want to give your users the freedom to bring their own devices to work, but you have a commitment to your employees, shareholders and customers to maintain a secure business environment. Having a good BYOD policy in place ensures a higher level of corporate security with set guidelines for all employees to follow.