Earlier this year, the coronavirus had many organizations sending employees home to keep them safe. As a result, BYOD environments jumped into the spotlight. BYOD (bring-your-own-device) is the practice of allowing employees to use their own computers, smartphones, or other devices for work purposes. Companies are turning to a BYOD environment because it reduces technology costs, takes advantage of new devices and cutting-edge features, and allows employees to work on devices they’re already comfortable with. In addition, the cloud makes it easy to access applications and data from anywhere and any mobile device — but, with this convenience, comes risk.
A BYOD environment requires strategic planning to be successful, with security a top concern. However, keeping endless amounts of personal mobile devices secure is a challenge. Exposing proprietary data or opening the door to hackers and attackers can cost a company millions. In addition, employee productivity and safety can be compromised. The National Institute of Standards and Technology (NIST) lists these high-level threats and vulnerabilities of mobile devices: lack of physical security controls, use of untrusted mobile devices, use of untrusted networks, use of untrusted applications, interaction with other systems, use of untrusted content, and use of location services.
To enhance security in your BYOD environment, consider the following five strategies.
Create a written BYOD policy.
A successful BYOD environment is only possible with a formal, specific, and comprehensive BYOD policy. The policy should set the rules regarding allowed devices, usage, and best practices for security. Moreover, it should also be easily accessible and visible to all your employees. Some companies opt to create a policy internally; however, the depth and specificity needed within the policy usually requires outsourcing to a managed mobility service (MMS) provider. Your MMS provider can assist in crafting a BYOD policy that includes:
- What applications the BYOD environment supports
- Which departments/employees can use personal devices and under what circumstances
- Type(s) of devices allowed
- Applications and assets employees can access on their personal devices.
- Minimum required security controls for each type of device, including password requirements
- Company rights to access and alter the device (e.g., remote wiping)
- Where and how company data should be stored
- Allowances for data sharing (e.g., Dropbox)
- Mandated device updates/upgrades
- Outlining support responsibility – company or employee (e.g., what happens if an employee downloads a personal app that has a virus?)
- Employee privacy
- Lost or stolen device protection
Educate your employees.
BYOD policies are only successful if your employees understand the requirements. Therefore, it’s critical that user training introduces employees to security and policy guidelines and, above all, allows IT and leadership to set clear expectations. Essential elements of BYOD environment training include:
- The rational of BYOD and what it means to your organization
- Onboarding BYOD device process
- Data ownership policies (e.g., corporate vs. personal email, social network access)
- How to access corporate applications and assets from a BYOD device (e.g., virtual private network [VPN], corporate email)
- BYOD device security policies
- Technical support and escalation paths
- Roles and responsibilities of BYOD users
- Employee expense reimbursements and/or stipends (or lack thereof)
Address the application risk.
Mobile devices are no longer just communication tools. From maps, to social networking, to productivity tools, to games — apps change the way we feel and interact with computing. Although apps provide a whole new level of innovative experiences, it also increases the security risk in a BYOD environment. The security risks associated with apps can be in:
- Malicious apps (malware): the increase in the number of apps on the device increases the likelihood that some may contain malicious code or security holes.
- App vulnerabilities: apps developed or deployed by the organization to enable access to corporate data may contain security weaknesses.
To effectively counter these risks, consider the following:
- Utilize services that enable data sharing between BYOD devices.
- Protect both company-issued and BYOD devices by using a standardized mobile anti-virus program.
- Manage apps through an in-house app store or a mobile app management product.
- Ensure that BYOD security policies cover mobile app development and download.
- Assess the need for new apps continuously to increase productivity and security.
- Leverage third-party experts to bridge assessment skills gaps.
Use only tried-and-trusted cloud service providers.
Not storing confidential company information locally is possible, even in a BYOD environment, by utilizing the cloud. But, selecting the most suitable cloud solution for your needs can be daunting, especially with so many options now available. BYOD adds additional complexity. However, by asking the right questions and leveraging the know-how of cloud experts, you can be confident in choosing the right cloud provider for your business needs.
- What types of cloud services does the company offer?
- Do they have specific security policies/guarantees relating to BYOD?
- What is the pricing structure?
- How scalable and flexible are they?
- What customer support services do they offer?
- Is the datacenter in a secure location/country and what steps do they take to secure it?
- How secure is their cloud and what roles/responsibilities do they have with security versus your IT?
- What is the approach to data loss prevention?
- Are they different access requirements for BYOD vs. corporate liable assets?
- Under what circumstances will they take responsibility for hacks and/or data breaches?
Shore up your BYOD environment cybersecurity measures.
Because of the growing depth and breadth of cybersecurity threats — and bad actors who get bolder and savvier all the time — it’s hard to stay on top of security measures, even for organizations with large IT departments.
Personal devices are more susceptible to issues like malware. But, companies need to ensure that security mechanisms are up to date, installed and active on any device employees use for work. Security measures to consider include firewalls, anti-virus detection, multifactor user authentication and data encryption, and routine security audits. In addition, it’s vital to provide employees with info on how to install these mechanisms and remind them to keep these tools updated.
In the current economic environment, companies are demanding more productivity from their employees. Similarly, employees are also demanding more flexibility in the work culture, including working remotely. A BYOD environment can raise employee productivity and provide significant competitive advantage. Lower technology costs and easy information access are also key benefits. BYOD comes with a risk, however. Using these strategies will ensure a successful BYOD environment and give you confidence that your company information remains secure.