BYOD And Policy Recommendations

“Bring Your Own Device” or BYOD is a complex can of worms – anyone who does not think so obviously has not been in a position to support it, secure it, or balance out who pays for what, whether users are running only remote desktops, local apps, etc.

According to a recent Gartner survey, IT departments around the world list BYOD (bring your own device) as one of, if not the, top security concern they face today.

BYOD imposes additional load on IT infrastructure and support, and can add significantly to complexity.

Cutting costs to the business is a hotly debated component of BYOD implementation. Some people say that BYOD cuts costs by shifting buying power to employees. Other people believe that BYOD policies completely overlook the financial strain such a program would put on the IT department.

Then there are concerns over intellectual property. The most pressing concern for enterprise-class companies and SMBs alike is the security of intellectual property. When someone leaves the company, there is no way to guarantee that trade secrets and confidential company information will not be stolen. Companies would need to invest in remote wipe services to protect their IP.

In addition to security risks, unmonitored mobile devices pose the threat of data loss. Protecting against this involves increasing IT support to ensure high levels of data retention throughout the IT infrastructure.

There’s no one-size-fits-all solution for a problem like this. In creating a BYOD policy, you have to consider what devices you’ll need to support, how much access you will give employees, and what kind of budget you can allocate. Do you have specific compliance issues to contend with? Are you willing to subsidize data plans or device purchases? How do you ensure company data is kept safe?

The following is a list of some of our recommended guidelines.

  1. Make the BYOD policy required reading – All of your employees should read your BYOD policy and understand what is in it. Make the policy readily available and make it required reading: have employees either sign an agreement to follow the BYOD policy or, at the very least, sign a document stating that they have read and understood it.
  2. Set expectations and requirements out clearly – this may mean added layers of security on the device, and the understanding that should a remote wipe be required, ALL data on the device will be completely wiped, not just corporate data. Where possible, enforce encryption as well.
  3. Make PIN / password security mandatory – In researching these guidelines, every article, document and sample I have come across UNANIMOUSLY states that PIN or password security on the devices is a must-have requirement, and that devices which do not adhere to it are generally banned from use on the corporate network.
  4. Restrict the devices to be supported – Trying to accommodate every manner of smart device will significantly increase the IT department’s workload, infrastructure and security landscape. It might also be advantageous to support only specific device OS levels and versions.
  5. Clearly define what is accessible and how – Will access be from a native app (e.g. email, contacts, calendaring) or through remote desktops (e.g. Remote Desktop clients, Citrix Receiver, etc.)?
  6. Prepare an employee exit strategy – With BYOD, employees who leave your company no longer need to return company-issued equipment and may still have access to sensitive material. Simply disabling access to the corporate account is no guarantee that sensitive or proprietary information does not still exist on the device. A complete wipe is strongly recommended.
  7. Similarly, have an equipment loss strategy – if a connected device is lost (or even just cannot be found for an extended amount of time), when do you decide to perform a remote wipe?
  8. Enforce the BYOD policy – Just writing a policy isn’t enough. Make sure that you are monitoring where your business’ data and files are being stored and moved to, and take action against those who disregard the security requirements.
  9. If manual policy enforcement becomes too much, consider investing in Mobile Device Management (MDM) software solutions.
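As an added illustration (not code from the original post), the following Python check shows how guidelines 2, 3, 4 and 7 translate into the kind of posture rules an MDM product from guideline 9 would enforce; the minimum OS versions, the 14-day missing-device limit and the device records are constructed assumptions.

```python
# Added example, not from the original post: a device-posture check that encodes
# guidelines 2, 3, 4 and 7 as rules an MDM (guideline 9) would enforce.
from datetime import datetime, timedelta, timezone

# Assumed policy values: minimum OS version per supported platform (rule 4) and
# how long a device may go unseen before a remote wipe is recommended (rule 7).
ALLOWED_OS = {"iOS": (16, 0), "Android": (13, 0)}
MISSING_DEVICE_LIMIT = timedelta(days=14)

def parse_version(text):
    """'16.4.1' -> (16, 4, 1); non-numeric parts count as 0 so comparisons work."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def evaluate_device(dev, now):
    """Return (compliant, reasons, wipe_recommended) for one posture record."""
    reasons = []
    if not dev.get("passcode_set"):
        reasons.append("no PIN/password set")                     # rule 3
    if not dev.get("storage_encrypted"):
        reasons.append("storage not encrypted")                   # rule 2
    minimum = ALLOWED_OS.get(dev.get("os"))
    if minimum is None:
        reasons.append(f"unsupported platform {dev.get('os')!r}")  # rule 4
    elif parse_version(dev.get("os_version", "0")) < minimum:
        reasons.append(f"OS {dev['os_version']} below minimum")    # rule 4
    unseen = now - dev["last_seen"]
    wipe = unseen > MISSING_DEVICE_LIMIT                          # rule 7
    if wipe:
        reasons.append(f"unseen for {unseen.days} days")
    return (not reasons, reasons, wipe)

# Constructed sample posture records, as an MDM agent might report them.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"id": "phone-a", "os": "iOS", "os_version": "17.2", "passcode_set": True,
     "storage_encrypted": True, "last_seen": NOW - timedelta(days=1)},
    {"id": "phone-b", "os": "Android", "os_version": "12.0", "passcode_set": False,
     "storage_encrypted": True, "last_seen": NOW - timedelta(days=3)},
    {"id": "tablet-c", "os": "iOS", "os_version": "16.7", "passcode_set": True,
     "storage_encrypted": True, "last_seen": NOW - timedelta(days=30)},
]

def compliance_report(devices, now=NOW):
    return {d["id"]: evaluate_device(d, now) for d in devices}

if __name__ == "__main__":
    for dev_id, (ok, reasons, wipe) in compliance_report(SAMPLE_DEVICES).items():
        print(f"{dev_id}: {'OK' if ok else 'BLOCK'}{' (wipe recommended)' if wipe else ''} {reasons}")
```

A device failing any rule would be denied corporate access until remediated, and the wipe flag feeds the loss decision the policy asks you to make in advance.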

Policies will often be at odds with user requirements, and management must get behind the whole BYOD concept and the policies that support it; otherwise you might as well just forget it.
