BYOD is a relatively new provision for companies and employees wanting to stay on the cutting edge of technology, while utilizing convenient mobility solutions within the company. Instead of an organization determining and providing the hardware for work use, employees are allowed to bring their existing devices and use them for work purposes as well as for personal use. Now that this new culture has taken its place in the business world, policies must be established for full employee understanding of how BYOD fits in with company culture and IT security.
Naturally, deploying a BYOD environment comes with great concern for the security of critical business information as mobile threats are on the rise. Adhere to these best practices to ensure the protection of your sensitive data.
Establish device qualification standards. Not every device is enterprise ready. Set specifications for what a device must be able to do and which security standards it must meet in order to qualify for the BYOD system.
Establish device use guidelines. Everyone in the company should be on the same page, and know what can and cannot be accessed on the personal devices. While most business data pertaining to an employee’s job should be accessible in a BYOD environment, proprietary business information should be properly regulated and secured. Not everything should be accessible by every employee from every location. For example, CAD drawings for a new product or technology should only be accessed through a secure network, no public Wi-Fi allowed, and should be limited to devices such as home or office desktops to reduce the risk of stolen devices and subsequently stolen data. Intellectual property is also at grave risk due to the many uses and applications available on smartphones. Leaked or stolen smartphone videos of products-in-development can be compromising to a business. Guidelines restricting this type of use should be in place and agreed to by employees who bring their own devices.
Develop an exit strategy. Employees are always a risk when dealing with sensitive information. That risk is elevated in the situation of a termination, whether voluntary or involuntary. Since the device is for personal use as well, a strategy that secures business information in the event of a termination is pertinent in a BYOD environment. A business must have the ability to remotely restrict access to corporate email and to lock the terminated employee out of business servers, applications, and folders accessible on mobile devices.
Limit the availability and locations of corporate data. Corporate data, including email accounts, VPNs, business applications and folders, needs to be isolated on a device. Because these are also personal devices, they hold non-work information that should be kept separate from work-related information. Policies to restrict IT access to personal information on the device, or to hide it, should be in place to maintain a separation of work and personal information. A clear distinction of what is considered a business record, and how it should be used, saved, and accessed, should be established by the enterprise and not left to the discretion of the user. Records such as HR data, employee PII, or financial records are strictly governed and regulated and must be secured in order to comply with laws and regulations.
Secure hardware and software. In case a device is lost or stolen, procedures need to be in place to prevent potential data loss. Securing the hardware itself is a no-brainer, with a 4- or 6-digit numeric passcode, fingerprint scan, alphanumeric passcode, or other methods of restricting access to the device. The next step is providing anti-virus, anti-malware and other threat-identifying software to minimize the risk from internet hackers or from toxic applications being downloaded and used. For a comprehensive security strategy, securing the information itself with data-centric technologies such as Microsoft RMS is a final step to ensure the information accessed on mobile devices is protected. However, in the event a device is lost or stolen, an enterprise needs to have the ability to remotely wipe the device of all corporate data, and even personal information if necessary, to prevent private information from falling into the wrong hands.
Although BYOD raises concerns for information security, it has made waves in modern corporate culture. Employees are mobile and the work needs to go with them. Protecting data at the source is the ultimate way to ensure security of all business information, no matter where it travels. Protect your data now and reduce the risk of being the next data breach headliner.