Protecting Your Company in the Age of BYOD
Protecting Your Company in the Age of BYOD
Join the DZone community and get the full member experience.Join For Free
Smart devices are like opinions, everybody’s got one. Problematic or not, there’s no longer any point in network admins lamenting their presence. It’s simply the new reality.
The concept of Bring Your Own Device (BYOD) is not one that many network administrators would have been concerned about 10 or more years ago, back when cellphones were just cellphones. As devices become increasingly smarter, and more capable of completing advanced computing tasks, the risk of personal devices has become an increasing security concern for network administrators. Companies that have embraced the BYOD culture have been forced to implement strict rules and protocols for how those devices can be used in the workplace. There really isn’t any other choice because efforts to restrict the BYOD culture have proven more costly in terms of both money and effort than adapting the office environment to allow for these devices while instituting inclusive workplace policies to regulate their use.
Getting Employees Informed About Data Policies
When compiling BYOD protocols, it's important to clearly inform employees of their rights and responsibilities regarding company data. Employees want to use their personal devices at work to perform work tasks. While that idea may seem like basic efficiency, employees must also be informed of the fact that they can be held liable if the data ends up lost or stolen due to a data breach on their personal device. A certain level of personal responsibility needs to accompany the freedom. That knowledge alone should incentivize voluntary compliance with security protocols.
A company that decides to incorporate personal devices in the workplace must ensure that their legal documentation includes policies that cover repercussions for breaches of data that occur outside of the office. According to Acronis, nearly 60 percent of companies are vulnerable to BYOD risks. Many of the companies in the survey had no policy in place regarding personal devices and their use in the workplace, and only 30 percent prevented access to network with BYODs in the first place.
Clear lines need to be drawn to determine where personal use begins and ends in the workplace. Combining less secure personal devices with the secure company servers can be a recipe for disaster. As hackers become more adept at infiltrating company networks, it wouldn't take more than a little social engineering to get a malicious virus or script installed on a personal device. IT administrators can't be reasonably expected to scan every device that joins the network, but at the same time disallowing personal devices makes for a less efficient workforce. Employees may need to be able to use their own personal devices while away from work to access company resources and information while away from the office. The solution is to create a policy that limits the way a device can be used without being overly restrictive. All it takes is one senior-level executive to decide they are exempt from a policy to create a cascade effect that brings the whole policy tumbling to the ground.
One way to ensure compliance with employees is to encourage input and get employees invested in the new policies. Network administrators are not alone in the struggle to create effective BYOD policies that employees can follow. There are resources available to help institute an effective and secure policy. A good starting point is to implement protocols to ensure that mobile devices are locked with a passcode, and having remote wiping capabilities can protect employees and the company in the event that a device is lost or stolen. Also, investing in recovery and remote deletion software is crucial for any company that decides to institute a BYOD policy.
The Basics of Good Policy
A good policy will include several key points that should help reduce the possibility of data loss or breaches. In clear terms, specify the types of devices that are permitted in the office. If a particular operating system is required, make it known and create penalties for any employee found not abiding by the rules. Require that all users have a password lock on their screens, and require the ability to use remote erasing mechanisms to securely delete all data on a device in case it is lost.
Discuss the level of support that the company will provide for dealing with issues related to personal devices. Also, include information that makes it clear who actually owns the apps and data on a personal device. In the event that a personal device is lost, this could mean that an employees personal pictures and other information is lost too. Make it known what an employee stands to lose at the outset to prevent a potential lawsuit filed against your company by an upset employee. Additionally, a good policy should clearly delineate which apps are allowed and banned on specific devices.
Establish Who Owns the Data
One of the most important aspects of any BYOD plan involves creating a plan for how data stored on a personal device will be returned and removed from the device in the event that the employee is fired or leaves the company. The employee can't simply forfeit ownership of a personal device. Email synchronization may need to be disabled, and a complete wipe of the device may be necessary to ensure a secure company network. Having a clear framework for how an employee can back up and save their personal documents, photos, music and videos can go a long way toward providing a simple, and effective compliance to company BYOD policies.
Establish Who Owns the Device
In the early days of smart devices, the absence of effective BYOD policies created a need for network admins to simply and plainly enforce network security protocols. The basic rationale was driven by the expectation that rank-and-file employees knew too little about network security to be troubled by it. One of the more popular methods from that time was the issuing of company-owned, and secured devices for employees to use while at work. Tablets, mobile phones and other devices were registered to individual users and data transfer on those devices could be tracked and identified more easily. Another approach, which is still popular, was to create a secure VPN, and have employees access documents through a secure portal. This helps ensure that any information transferred to and from a device is encrypted.
The Blurred Line vs. The Hardline
Ultimately a sound BYOD policy will acknowledge the fact that company data is company property, and personal data and devices are personal property, but where individual employees are using personal devices on company networks, whether to perform company related tasks, or personal ones, it must be made clear that the employer has the right to completely wipe the data on any device used at work at any time.
Opinions expressed by DZone contributors are their own.