Protecting Personal Devices in the Workplace
Updated: Jun 6
Important steps for managing bring-your-own-devices (BYOD).
Raise your hand if you use a personal mobile device at work...
If so, you are part of the 67% of employees who use personal devices at work, according to this techjury.com report. This is commonly referred to as Bring-Your-Own-Device (BYOD) and has been adopted by over 59% of organizations. Furthermore, 87% of businesses are dependent on having their staff access mobile business apps from their own personal tablets, mobile devices, and computers.
BYOD has proven effective and convenient, especially during the COVID pandemic, as employees work from home and remotely. However, this rapid adoption of BYOD has also created gaps and exposed vulnerabilities in the cybersecurity of the company’s technology.
In this blog we’re going to discuss how to manage these BYOD devices and better protect your company from cyber threats. This all begins with developing an effective BYOD policy that covers security, approved devices, data protection, mobile device management (MDM), passwords, and other key issues.
The following paragraphs outline the key elements of an effective BYOD policy. Naturally, every company may have a different set of circumstances for BYOD, but this is a good start.
1. Establish Security Requirements:
Keep devices password-protected at all times. Implement biometric access where available.
Require the use of a VPN (virtual private network), which encrypts internet traffic when using the device. This is especially important when using public Wi-Fi hotspots such as those at an airport or coffee shop.
Require endpoint protection software to mitigate viruses, malware and sideways attacks. Provide a list of preferred vendors for this security solution. Keep auto-update turned on to ensure the latest protection from the most recent threats.
Whether the devices are personally owned by the employee, or provided by the employer, the same standards should apply.
2. Specify Permitted Devices and Proper Use:
Develop a list of permitted devices such as iPhones, iPads and Android OS devices, and specify the operating system versions allowed.
All operating systems, applications, and software must be updated regularly. Software that is out of date is more vulnerable to security breaches.
Ensure that the approved devices are compatible with the company’s applications and software. While Microsoft 365 is widely compatible, other specialized line-of-business software programs may not be as compatible or remote-friendly.
Identify and communicate when these personal devices can be used in the workplace. For example, if a company-owned device is provided, should the employee be required to use it?
Require Multi-factor Authentication (MFA) for all applications. While MFA has become a cybersecurity standard across the board, it is especially important for these portable personal devices.
Enforce a whitelist approach to specify which apps can be accessed on BYOD devices during work hours and restrict access during non-work hours. This can be more easily managed by an MDM solution discussed below.
3. Document All BYOD Devices in Use:
All personal and company-owned devices should be documented within your IT department or IT provider.
Include registration of these personal devices when onboarding a new employee.
Devices must be equipped with a "Find my Device" service. Not only can this service track down a missing device, but some can wipe a device remotely.
Develop an audit routine to compare connected devices on the network to those that are presumably registered. Investigate rogue devices.
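One way to run the audit routine described in the last item above, shown as an added example that is not part of the original article. The device register, the lease lines and all names in it are constructed for illustration; it assumes the register is a CSV keyed by MAC address and that connected devices can be exported as "ip mac hostname" lines.

```python
import csv, io, re

# Constructed sample data (not from the original article).
REGISTER_CSV = """owner,device,mac
a.lee,iPhone 13,3C:22:FB:10:9A:01
b.kim,Pixel 7,a4-77-33-0b-5c-02
c.diaz,iPad Air,F0:18:98:44:21:03
"""
# Constructed "ip mac hostname" lines, e.g. exported from a DHCP lease table.
LEASES = """10.0.5.21 3c:22:fb:10:9a:01 alee-iphone
10.0.5.22 A477.330B.5C02 pixel-7
10.0.5.40 de:ad:be:ef:00:04 unknown-host
10.0.5.41 00:1B:44:11:3A:B7 printer-lobby
"""

def norm_mac(raw):
    """Normalize aa:bb.., aa-bb.. and aabb.ccdd.eeff forms to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def is_randomized(mac):
    """Locally administered bit set: typical of per-network private Wi-Fi addresses."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(register_csv, leases):
    """Return (unregistered devices seen on the network, owners whose device was not seen)."""
    registered = {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(register_csv))}
    seen = {}
    for line in leases.splitlines():
        if line.strip():
            ip, mac, host = line.split()
            seen[norm_mac(mac)] = (ip, host)
    rogue = [{"mac": m, "ip": ip, "host": h, "randomized": is_randomized(m)}
             for m, (ip, h) in sorted(seen.items()) if m not in registered]
    absent = [registered[m]["owner"] for m in sorted(registered) if m not in seen]
    return rogue, absent

if __name__ == "__main__":
    rogue, absent = audit(REGISTER_CSV, LEASES)
    for r in rogue:
        note = "randomized MAC, match by user/MDM identity" if r["randomized"] else "investigate"
        print(f"UNREGISTERED {r['ip']} {r['mac']} {r['host']}: {note}")
    print("registered but not seen:", absent)
```

Phones that use a private (randomized) Wi-Fi address will not match a MAC recorded at onboarding, so a flagged randomized address is a prompt to identify the device through its user or MDM enrollment.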
4. Specify Data Ownership:
Devices brought in under a BYOD policy will have a mix of company data, such as work emails, calendars, documents, contacts, and personal data stored on them.
Document the applications that are company-owned and the data that goes with them.
Require automatic and regular backup of BYOD devices to ensure quick recovery in the event of theft or loss of device.
5. Implement Mobile Device Management (MDM) Software:
Mobile Device Management (MDM) software allows companies to administer mobile devices. Related forms of this include Enterprise Mobility Management (EMM), which is more robust.
If a device is lost, stolen, or otherwise compromised, MDM can delete company data from the phone remotely.
MDM primarily deals with segregating company data from personal data and securing emails, company documents on devices, enforcing BYOD policies, and integrating and managing mobile devices, laptops and handhelds of various categories.
As for which MDM software to select, consider Microsoft’s Intune which includes Mobile Application Management (MAM), or Jamf Pro for Apple devices. A recent review of MDM solutions and what to look for can be found here.
6. Develop an Employee Exit Plan:
When an employee leaves a company, corporate data must be removed from the device.
Develop a policy that wipes company data from the personal device while preserving the integrity of the employee’s personal information.
For example, an exit procedure may include backing up employee data and content before wiping the device. It may also include a checklist of apps to uninstall.
* * * * *
Looking for a BYOD policy template to get started? Try these sample BYOD policies or this one from Paycor, which contain helpful samples. Or for quick results, download this sample BYOD policy in Word format, compliments of RIATA. Seek legal advice when incorporating it into your employee handbook and policies.
About the Author: Tommy Wald is CEO of RIATA Technologies, a full-service IT provider located in Austin, TX. He can be reached at TWald@RiataTechnologies.com.