Whether you’ve already jumped on the Bring Your Own Device (BYOD) bandwagon for some devices, such as smartphones and tablets, and are thinking about adding others, or whether you’re only now considering BYOD, there are a few things to think about. First and foremost is security.
If users can connect their own devices to the network in any way, physically or remotely, there’s a risk that an infected device could infect the network. There’s also the risk that when employees open company email or download company data onto their own devices, that data could be exposed to a company outsider who obtains physical access to someone’s personal device. In addition to being liable for exposing customer data, your company could be liable if an employee’s personal data is removed, intentionally or unintentionally, during a wipe. A few companies have been sued for that, and at least one has had to pay remuneration to an employee after his personal data was inadvertently wiped.
Whether or not you have formally defined a BYOD policy, there is a de facto one in place. Unless you are using physical controls to prohibit employees from plugging personal devices into your network or from connecting to your email server, people are probably already doing so. In an April 2014 survey conducted by Gartner, researchers asked employees (n = 955), “Does your employer know that you use your personal device(s) for work?” They found that 19 percent of employees said “Don’t know if my employer is aware,” and 7 percent said “No – my employer is unaware.” You need a formal BYOD plan, backed by physical controls, that either allows or disallows people connecting to the network with personal devices.
To ensure you have the right BYOD plan, decide who in your organization needs access to what. Different levels of employees will have different needs, so consider tiered access. Hourly employees may need no access, or only limited access to email. Employees who only need to check email could use a link to a Web portal that enforces access solely with a PIN. However, that single control could leave the company vulnerable if an employee also downloads an email attachment, because the attachment would then be visible to anyone else who accesses the phone. If you choose a PIN-only option for personal devices accessing email, you can put a security policy in place that prevents people from downloading attachments to their own devices.
For employees who need to open email attachments, use company applications, or access company documents on their own mobile devices, set up a company-wide policy that uses a containerized application, or secure workspace, such as AirWatch or Dell Mobile Workspace. With those controls in place, employees download the secure workspace application onto their phones, ensuring that all company business goes into a secure, containerized portion of their personal devices. Your mobile administrator can then track which documents and applications on the network are being accessed, and can wipe only the containerized portion when an employee leaves the company or when the phone is lost or stolen.
Although BYOD continues to grow in the workplace, if you’re thinking BYOD will save your organization money, you could be in for a surprise. In a Gartner study published last May, the researchers found that “A roughly equal number of organizations say they are spending more money as a result of BYO as those that are spending less . . . the payoff is more in soft benefits like employee satisfaction and productivity, or in opening up new opportunities for applications to the broader workforce.” There is a cost to managing the programs and to securing devices and company data.
Tips to Manage the Security Risks of BYOD
- Decide up front which devices you will allow.
- Employers should never rely on employees to protect corporate data on mobile devices. Employees routinely disregard and ignore policy, so it falls upon employers to build out strong Mobile Device Management (MDM) controls, typically by leveraging vendor toolsets that emphasize data protection. Data protection is one of the key requirements for mobile security and a large area for improvement in the mobile device industry at large.
- Employees should know corporate BYOD policy well and sign off on it. Most corporate BYOD policies allow the entire device, which includes personal information and photos that have not yet been backed up, to be wiped remotely by company systems administrators. Even though some employers say they won’t wipe personal data, they accidentally could.
- Employees should back up! Remote device wipes do happen accidentally. Employees should regularly back up their devices so they can recover personal information.
- Employees should follow good cyber security hygiene with mobile devices:
  - Always password-protect your device.
  - Remember that simple passwords are easily captured by “shoulder surfers.” Just as you would at an ATM, cover the keypad as you enter your password.
  - Keep your device up to date with the most recent security updates and patches.
* Gartner, April 2014 (from Chris Silva’s February 2015 presentation “Avoiding BYOD’s Policy Pitfalls”). N = 995. Note: includes mobile phones, notebook and tablet PCs, and tablets.