BYOD SECURITY & POLICIES
BYOD: Bring Your Own Device, Secure BYOD Policies and Mobile Management
What is BYOD?
BYOD is short for “Bring Your Own Device,” a phrase that refers to the practice of allowing employees to bring their own mobile devices to work for use with company systems, software, networks, or information. BYOD has become a huge trend amongst enterprises, with nearly 1/3 of employees using personal devices at workplaces worldwide.1 BYOD can provide several key benefits to enterprises, including increased productivity, reduced IT and operating costs, better mobility for employees, and higher appeal when it comes to hiring and retaining employees. However, with these benefits comes an increased information security risk, as BYOD can lead to data breaches and increased liability for the organization.
BYOD Security through BYOD Policy
Establishing BYOD security starts with BYOD policy creation. A strong BYOD policy accomplishes several objectives for the organization. BYOD policy should address basic considerations such as the goals of the BYOD program, which employees can bring their own devices, which devices will be supported, and the access levels that employees are granted when using personal devices. Beyond these factors, more in-depth considerations for BYOD policy include:
- Who will pay for the devices and data coverage required?
- What regulations (government, industry, or otherwise) must be adhered to when using employee devices?
- What measures (configuration, software installation, etc) will be taken for securing devices prior to use?
- Where will data from BYOD devices be stored (locally, in the cloud, etc)?
- Will there be an agreement for employees that wish to bring their own devices?
- What happens if an employee violates BYOD policy?
- What privacy will be granted to employees using their own devices?
- What support (software updates, troubleshooting, maintenance, etc) will the organization provide for BYOD users?
- What safeguards are in place if a device is compromised?
- What methods will be used for securing devices before they are retired, sold, or disposed of?
Once a policy has been created, maintaining BYOD security depends on an organization’s ability to educate its employees on BYOD best practices, implement effective device management and support, and enforce BYOD policies. Employees that are not trained on BYOD security will only increase BYOD risks for the organization. Therefore, creating a sound BYOD program must be a collaborative effort between an organization’s employees, IT and security teams, and management.
Ten Tips for Securing Devices and Reducing BYOD Risks
These tips should serve as a BYOD security best practices guide for end users and IT/security teams alike. While it is impossible to guarantee BYOD security, following these recommendations will help organizations to mitigate BYOD risks by securing devices.
- Use password protected access controls: It may seem obvious, but setting a password/access PIN is a critical first step in BYOD security that many users choose to ignore. Passwords should be unique for each device/account and should not be generic or easy to guess.
- Control wireless network and service connectivity: Wi-Fi and Bluetooth connectivity should be turned off when not in use, and employees should only connect their devices to trusted networks. Devices should be set to prompt users before connecting to networks so that employees aren’t unknowingly connecting to unsafe networks.
- Control application access and permissions: Many devices have built-in access control features. Organizational IT and security teams should assist users in optimizing their access control and app permission settings so that each application can access only what it needs to function and nothing more.
- Keep OS, firmware, software, and applications up-to-date: Users need to ensure that all of their devices’ OS and other software are updated in real time. This is a critical step because software updates often contain security patches to protect users from the latest threats or exploits.
- Back up device data: All enterprise users should periodically back up the data on their devices. Backing up data in conjunction with having security and recovery procedures in place will greatly reduce the fallout should a device be lost or stolen.
- Enroll in “Find my Device” and remote wipe services: All BYOD devices should be subscribed to a device locator service. In addition to being able to track a missing device, these services usually have the ability to wipe a device remotely, a critical last-resort measure for ensuring BYOD security in the event of a lost or stolen device.
- Never store personal financial data on a device: Employees should avoid saving any financial or otherwise sensitive data on their devices. This precaution ensures that confidential data is safe even if a device gets compromised.
- Beware of free apps: Many free applications have been found to track users and share user information with advertisers or other third parties. Enterprise users should review app permissions prior to downloading and download only from trusted publishers. IT and security teams can assist employees by providing lists of applications that are approved for download.
- Run mobile antivirus software or scanning tools: There are many commercially available antivirus and security applications that scan and protect devices from common threats. IT and security teams should assist employees in selecting and installing antivirus software prior to using their devices at work.
- Use Mobile Device Management (MDM) software as recommended by IT: Many IT and security teams use Mobile Device Management (MDM) software for securing devices. Mobile device management software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.