It's hard to believe you and your staff aren't using smartphones and tablets to access business information and applications to some degree these days. It’s clear that mobility can boost productivity and improve collaboration. But at what cost?
Whether the majority of your employees are Gen-Z or the over-40 set, we've all come to expect the convenience of using mobile devices for work. Despite the rush to go mobile, though, a recent Trend Micro report found that 46% of companies that permit BYOD (Bring Your Own Device) had experienced a data or security breach as a result of an employee-owned device accessing the corporate network. And breaches of this kind are becoming more common, not less.
Clearly, organizations need to take steps toward protecting themselves, and their data, from the risks of lost, stolen or compromised mobile devices.
Whatever your personal position on letting employees reach your company's information from their own mobile devices, at a minimum you need to acknowledge three things: it's already happening, it carries real security risks, and you had better get on with managing those risks and securing your information before it's too late.
So, rather than fighting it or just turning a blind eye and hoping for the best, you need to start by having a policy in place. And the fastest and easiest way to address this is to simply incorporate this into your Computer Use Policy document. A subset within this needs to be your policy regarding BYOD.
While setting policies to govern the use of mobile devices is an essential part of any BYOD initiative, dictating usage can be a delicate balance. Some people might not welcome the idea that their company can determine what applications can be downloaded or that data and applications can be remotely deleted from their phones – especially their personal devices.
BYOD means new thinking for both companies and employees, including new approaches for security, new ways to manage applications, and a changing model for technical support. All of these areas can be wrapped up into the umbrella known as "Mobile Device Management".
That said, here are some key considerations for developing a Mobile Device Policy for your organization:
1. Define your business goals
First, determine how many employees will be bringing their own device vs. the company providing them. This will impact the initial capital outlays, the ongoing operating expenses, as well as the ongoing maintenance and support needs (and related costs). Determine whether your organization will pay for some or all of the cost of employees’ mobile devices or service plans. From there, you can develop your ROI model.
2. What is your risk tolerance?
Mobility shines a spotlight on new risks, as sensitive information is carried outside the four walls of your office. Understand your company's requirements for data protection, especially in highly sensitive environments where there may be legal or compliance issues or special protection needs for senior executives’ communications.
The applications and data on mobile devices, along with the cached usernames, passwords and session tokens that go with them, are valuable to cybercriminals. Risk varies by industry. For instance, healthcare providers and financial services firms (such as Investment Advisors and CPAs) generally face tighter legal, compliance and regulatory requirements. Your company's policies governing access to appropriate (or inappropriate) content should also be factored into your Computer Use Policy.
3. Start with your existing policies
In many cases, you can use the current policies for remote access or mobility to develop a new policy that governs all of mobility (to include personal devices). Identify gaps in the existing policy that should be addressed by the new mobility policy.
4. Develop your mobility use cases
Mobile workers come in all shapes and sizes, from road warriors to corridor warriors to visitors and contractors. They may need access to a variety of applications and information, some of which may be sensitive. Mobile devices may be fully trusted, such as company-owned laptops, tablets and smartphones, and these devices may be given broader access - while employee-owned or visitors’ smartphones, tablets and laptops may have more limited access. Set up specific policies that describe the access that’s appropriate to the different user roles.
5. How will you segregate personal and organizational intellectual property?
Successfully separating personal and company information on the mobile device lets you manage your company's information without touching the individual's personal information. That way, if an employee leaves, you can remove business applications and data without affecting their personal applications, photos and messages. Some applications and approaches keep the data off the mobile device entirely (for example, a virtual desktop or a web application that stores nothing locally). Or you can use a container approach: a managed, encrypted workspace on the device, typically provisioned and enforced through Mobile Device Management (MDM) software, that keeps corporate information separate and lets you apply its own passcode, encryption and data-sharing rules to just that container.
6. Leverage Mobile Device Management software
Lost and stolen phones are a fact of life. MDM software gives you the ability to remotely lock or wipe lost or stolen mobile devices, and on employee-owned devices to perform a selective wipe that removes only the corporate container rather than the whole phone. One caveat a practitioner should keep in mind: a remote wipe only takes effect once the device checks in over the network, so a thief who powers the phone off or pulls the SIM may never receive it. The device passcode and full-device (or container) encryption are what actually protect the data in the meantime, which is why MDM should enforce both rather than rely on wipe alone. MDM solutions typically also allow over-the-air distribution of applications, data and configurations, which simplifies managing a large number of mobile devices, whether company owned or employee owned.
7. Clearly state the users’ responsibilities
It is a new reality of mobility that users have to accept more responsibility for protecting sensitive information and devices than they did in the days of desktop PCs only. And education is key. Clearly outlining the risks and users' responsibilities in protecting themselves and the organization against security breaches is essential. Have employees sign the new mobility policy, agreeing to use a strong device passcode (not a four-digit PIN), keep the device encrypted and up to date, report a lost device promptly, and accept the "wipe if lost or terminated" rule, which for a personal device means the corporate container is wiped, not their own photos and apps. And above all, do NOT allow jailbroken or rooted devices: jailbreaking disables the platform's app sandboxing and code-signing checks that the container relies on. Have your MDM block enrollment of such devices, but treat that detection as best-effort, since a determined user can hide a jailbreak from the agent, and back it up with the signed policy.
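The access tiers from step 4, the container-only (selective) wipe from step 5, and the passcode and no-jailbreak rules from step 7 are the sort of thing worth writing down as policy-as-code so the MDM rules and the signed paper policy say the same thing. The following is an added example, not code from the original article or from any MDM product; the device fields, tier names, the six-character minimum passcode length and the sample inventory are all assumptions chosen for illustration.

```python
"""Policy-as-code for the BYOD rules in this article (added example, not the
article's own). Field names, tiers and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Ownership(Enum):
    CORPORATE = "corporate"   # fully trusted, company-owned (step 4)
    PERSONAL = "personal"     # employee-owned, limited access (step 4)
    VISITOR = "visitor"       # guests and contractors


class Tier(Enum):
    NONE = 0      # no corporate access
    LIMITED = 1   # containerised apps / web mail only
    FULL = 2      # VPN, file shares, internal applications


MIN_PASSCODE_LEN = 6  # assumed policy value; step 7 asks for "strong passcodes"


@dataclass
class Device:
    device_id: str
    ownership: Ownership
    mdm_enrolled: bool
    passcode_len: int
    encrypted: bool
    jailbroken: bool            # jailbroken / rooted; MDM detection is best-effort
    lost: bool = False
    user_terminated: bool = False


def access_tier(d: Device) -> Tuple[Tier, str]:
    """Map device posture and ownership to an access tier, with the reason."""
    if d.jailbroken:
        return Tier.NONE, "jailbroken or rooted device"
    if d.ownership is Ownership.VISITOR:
        return Tier.NONE, "visitor device: guest network only"
    if not d.mdm_enrolled:
        return Tier.NONE, "not enrolled in MDM"
    if d.passcode_len < MIN_PASSCODE_LEN:
        return Tier.NONE, f"passcode shorter than {MIN_PASSCODE_LEN} characters"
    if not d.encrypted:
        return Tier.NONE, "device storage not encrypted"
    if d.ownership is Ownership.CORPORATE:
        return Tier.FULL, "corporate-owned and compliant"
    return Tier.LIMITED, "employee-owned and compliant: container apps only"


def wipe_action(d: Device) -> str:
    """'Wipe if lost or terminated': full wipe for corporate devices, selective
    (container-only) wipe for personal ones so the owner's data is left alone."""
    if not (d.lost or d.user_terminated):
        return "none"
    if d.ownership is Ownership.CORPORATE:
        return "full_wipe"
    return "selective_wipe"


def evaluate_inventory(devices: List[Device]) -> Dict[str, Dict[str, str]]:
    """Produce one decision record per device: tier, reason and wipe action."""
    result = {}
    for d in devices:
        tier, reason = access_tier(d)
        result[d.device_id] = {
            "tier": tier.name,
            "reason": reason,
            "wipe": wipe_action(d),
        }
    return result


# Constructed sample inventory (not real data).
SAMPLE_DEVICES = [
    Device("corp-01", Ownership.CORPORATE, True, 8, True, False),
    Device("corp-02", Ownership.CORPORATE, True, 8, True, False, lost=True),
    Device("byod-01", Ownership.PERSONAL, True, 8, True, False),
    Device("byod-02", Ownership.PERSONAL, True, 4, True, False),
    Device("byod-03", Ownership.PERSONAL, True, 8, True, True),
    Device("byod-04", Ownership.PERSONAL, True, 8, True, False, user_terminated=True),
    Device("guest-01", Ownership.VISITOR, False, 0, False, False),
]

if __name__ == "__main__":
    for dev_id, decision in evaluate_inventory(SAMPLE_DEVICES).items():
        print(f"{dev_id:9} {decision['tier']:8} wipe={decision['wipe']:14} {decision['reason']}")
```

The ordering of the checks matters: a jailbroken device is refused before anything else is considered, and a non-compliant passcode or missing encryption blocks even a corporate-owned device, because a remote wipe cannot be relied on to reach a phone that is already in someone else's hands.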
So there you have it. Some helpful hints to improve your BYOD policy. But at a minimum, make sure you at least have one in place.