Bring Your Own Device (BYOD) policies have become a necessary evil of most corporate and institutional IT departments. Employees demand the freedom of using their own smartphones and tablets for work purposes and companies enjoy the increased productivity.
But with convenience comes the risk of compromised data, security breaches and a host of other problems.
IT departments can reduce these risks by creating and instituting a formal BYOD program. There are many components of a comprehensive program, some of which we’ve grouped into five categories: onboarding and tracking procedures, standardization of service, enhanced security infrastructure, written BYOD security policies, and service policies.
It is not a complete list by any means, but if you need to create or update your program, these are many of the critical elements to consider.
Onboarding and tracking procedures
A BYOD program will need policies and processes for onboarding new devices, whether they belong to new employees, to staff who purchase a new phone or tablet they want to use, or to workers who moved within the organization and may have different network access.
Your onboarding process should include separate login procedures based on employee access level. You also need to track users once they are connected. An IP address management (IPAM) solution can help you automate device onboarding.
You also need exit procedures for when employees leave. How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information? If you’ve properly tracked the devices employees have used to access company data, you should know what data it holds and whether that data needs to be wiped off.
Rather than being an option, many companies are making BYOD a requirement. Gartner research from a few years ago predicted that half of employers will require employees to supply their own device for work purposes.
As you create or revamp your BYOD program, your organization will need to determine whether it will be voluntary or mandatory. This will impact your BYOD policy, security requirements, and onboarding procedures.
Standardization of service
If you have an immature or nonexistent BYOD program, one of the first challenges is creating a consistent set of security controls across different platforms. Without it, people who should have certain access can be denied, which hurts productivity; or people obtain access they shouldn’t have, which endangers security.
A common solution is virtual desktops that emulate a desktop computer and provide remote access to the applications and software employees would have if they were working from the office.
Another option is application virtualization, which is software streamed from a server to the user’s device that enables the user to access core business applications.
Enhanced security infrastructure
The more devices that connect to your networks, the more potential points of access you must protect against hackers, malware and viruses.
BYOD programs have amplified the need for network scalability. The increase in devices used to access networks means more DHCP lease requirements and DNS queries. This puts added pressure on traditional networks, which increases the risk of network failure.
You need to ensure that your security software can be installed as seamlessly as possible on a growing number of devices. Cloud-based services available on a per-user subscription basis are becoming the standard.
You should have a third-party mobile device management (MDM) tool that can help with malware blocking, policy enforcement, logging, and encryption from a centralized platform. An MDM also enables IT to remotely wipe a device if it is lost or stolen. You can use integrated MDM features within file sharing solutions that only affect company data.
Other potential infrastructure needs to accommodate a BYOD program include:
- Identity access management (IAM) with two-factor authentication.
- Access Control Lists (ACLs) that define which devices, users, apps, etc., have been granted access to specific areas of your network.
- A VPN cloud network tool that uses secure servers for online security and privacy, allowing IT to replace personal employee IP addresses with a generic IP address.
- An endpoint protection program to keep employees informed of lesser-known attack vectors such as fake antivirus scanners.
- A common delivery method, such as Secure Socket Tunneling Protocol (SSTP), that provides and secures a single form of entry for all types of devices, thus avoiding the cost of supporting various services tailored to each device.
- A way to contain data that exists on personal devices, typically through a combination of device encryption and remote wiping.
Written security policies that are shared and accepted by staff and regularly reviewed by IT stakeholders
Once personal devices are used to access company networks and data, they should adhere to the organization’s IT security policies. It’s important that employees realize this before they begin using their own devices. While a BYOD policy is separate from an acceptable use policy, the two sets of rules should be integrated.
There are many components a BYOD policy should include. One of the basic provisions is a list of what devices people can use.
Whether personal or company-issued, any device that connects to your network should be protected by strong passwords, antivirus software and data loss prevention (DLP), and full disk encryption, with encryption also applied to removable media and cloud storage.
All BYOD policies should also include a prohibition on using jailbroken or rooted devices. This involves disabling certain security measures installed by the manufacturer. Without that security in place, people can download apps that have not been vetted and approved for download. Theoretically, employees can download a rogue app that appears like a harmless game, but is in fact designed specifically to harvest sensitive data or disrupt operations.
Your BYOD policy should also clearly state that you assert the right to wipe devices that have accessed your networks and that may have been compromised. A disclaimer should be included stating that you will take precautions to prevent the employee’s personal data from being lost in the event it must be wiped, but they should also keep that information backed up just in case.
IT needs to set specific boundaries regarding how personal devices are treated compared with company-issued ones. These boundaries need to be written and communicated across the organization.
Considerations for a service policy include:
- Level of IT support for initial connections to the network
- Whether the company’s IT department will provide support for broken devices
- Support for applications installed on personal devices
- Under what circumstances can employees enlist Help Desk support for personal devices
- Will you provide a loaner device if the employee’s personal device is being serviced
- Will the company reimburse the employee a percentage of the cost of purchasing and maintaining a personal device used for work purposes