5 Problems Your BYOD Policy Should Cover
Bring Your Own Device (BYOD) is becoming an increasingly popular trend in the workplace, in small businesses and large-scale enterprises alike. It offers a number of advantages, including reduced costs and a higher degree of employee freedom, but it is not without its risks either. Those risks are often quite complex, not least because businesses do not have the right to monitor how employees use their own devices. At the same time, a security policy still has to be enforced to reduce the risk of sensitive corporate information ending up in the wrong hands.
Increased Chances of Data Leakage
A BYOD program greatly increases the risk of data leakage, since you have no direct control over the devices concerned. When your employees use their own devices to access company resources, such as email accounts and other cloud-based assets, they will need to follow an acceptable use policy. When it comes to security, mobile devices tend to be the weakest link, so your BYOD policy should always insist on regular software and operating system updates and ban the use of certain high-risk apps for work-related purposes. You should also require your team to use a VPN whenever they access company resources from public Wi-Fi.
Devices owned and operated exclusively by the organization tend to run the same software and operating systems, all overseen by a network administrator who can address any security concern on a system-wide basis. By contrast, a BYOD program inevitably involves a far broader range of devices and software, greatly increasing the potential security vulnerabilities involved. Again, a VPN can help reduce such risks, but you may also want to consider admitting only certain devices to your BYOD program. Assuming that, because you allow one device, you should allow every other device as well is not a good idea.
Mixed Personal and Corporate Data
While businesses have complete control over their own IT assets, to the extent that they can disallow any personal data or usage on their own machines, it would be unreasonable to expect employees to do the same with their own devices. Since mobile devices are at an increased risk of being lost or stolen, it is imperative that any potentially sensitive data stored on them is adequately encrypted. Encryption ensures that the data remains safe even if the device ends up in the wrong hands. Another way to mitigate the risk is to have a strict password policy in place, such as temporary one-time access passwords for those using their own device.
Your BYOD policy should clearly outline the requirements of any device that is allowed to be part of the program, taking into account any potentially problematic apps or hardware. For example, jailbroken iPhones are at increased risk of getting malicious apps on them, in which case you might want to exclude them from the program. Certain apps may also pose a problem, even if they are only intended to be used for personal reasons and not for accessing or working with any corporate data. As such, you may want to consider blacklisting certain apps in your policy and excluding any devices that use them.
Unhappy employees, especially those who have been discharged from a company on terms they deem unfavorable, are a common source of risk when it comes to sensitive corporate information falling into the wrong hands. Your BYOD policy should make it clear that any such information held on employees' devices remains the property of the company even after their departure. You may be able to monitor continued access to things like the cloud services your company uses from devices that have been removed from the program. You should also have your employees sign an acceptable use policy covering the use of their mobile devices for work-related purposes.
All employees involved in your BYOD program should first sign an agreement that highlights important factors such as the following:
– Users are responsible for backing up and looking after their own data.
– Users are responsible for device updates and maintenance.
– Users must be prepared to remove blacklisted apps.
– Company network access will be restricted for non-compliant devices.
– The consequences of any violation of the policy must be clearly stated.
Ultimately, the success of any BYOD policy depends on your employees' willingness to use their own devices in accordance with the rules you set, so it is important to find the right balance between the inherent risks involved and the freedom of your team.