Do you have a BYOD security policy? You should ff you require your employees to use their own cell phone or tablet during the day or after hours to respond to business calls or emails. Do they choose to bring and use their own laptop instead of, or in addition to, their desktop computer? You’re now part of the BYOD (Bring Your Own Device) movement. You’ve got a whole new set of potential security risks for your company data and your network.
“Bring your own device” is the practice of allowing employees to use their own laptops, smartphones or other devices for work, either in the office, from the road or from home.
Of course, when the practice first began, there probably wasn’t much discussion of “allowing” employees to do it. People just did what they needed to do to get their job done. Some may have used their devices because they liked and preferred their own tools. There were probably a lot of people who did it because they had better technology than their company.
The largest employer in the world, the U.S. government, has tried to wrap their mind around the implications by creating a nearly 12,000 word guide to creating a BYOD security policy. Here’s an excerpt:
“Implementation of a BYOD program presents agencies with a myriad of security, policy, technical, and legal challenges not only to internal communications, but also to relationships and trust with business and government partners. The magnitude of the issues is a function of both the sensitivity of the underlying data and the amount of processing and data storage allowed on the personal device based on the technical approach adopted. Generally speaking, there are three high-level means of implementing a BYOD program:
“- Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device;
“- Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data;
“- Limited separation: Allow co-mingled corporate and personal data and/or application processing on the personal device with policies enacted to ensure minimum security controls are still satisfied.”
Got that? Nothing like government-speak to clarify an issue. All kidding aside, they’ve made some useful points in this document. Let me translate.
There are a lot of challenges for your business. You’ve got to deal with it internally. Make sure that your employees know how to handle it. And you’ve got to deal with the way it affects relationships with your vendors and clients. How big of a risk it is depends on how much you allow employees to access:
Virtualization allows them to access data from their device, but nothing is stored or left on the device. It stays on the original server. It’s like viewing the data through a window; you can see what’s going on but you can’t touch it, make copies or carry it away.
Walled garden means they can process and store company data on their device, but it is used and kept separate from their personal information. You can walk into a room with the company data, but you have to back out of that room and go into another one to use personal apps.
Limited separation: Things can be used together on the same device, but there needs to be security precautions. You can use what you like on your laptop or phone, but you need some basic security, such as a login password.
It’s a powerful trend that grew quickly because it’s incredibly convenient and productive. Employees can access the data, applications and contacts that they need whether they are in the office, out on an appointment or just catching up a bit at home. But the risk is there because these devices aren’t directly controlled or monitored by your I.T. support. You don’t know if they are up-to-date on anti-virus or application patches. You don’t know how secure the device is and if there’s any company data on it or if there’s easy access to the business files through apps installed on the device. Unless you have created a policy and enforce the level of security that you’ve established.
The White House’s Digital Government BYOD page has a very comprehensive policy template which could be a useful starting point. A web search for “sample byod security policy templates” will give you a broad idea of what to cover in a policy. It’s better, though, to customize your policy based on your industry, your business and your employees’ preferences. Your best option is to let your I.T. support company build a BYOD security policy designed with your business and your preferences in mind. A great I.T. firm can create and update the policy for you as well, because technology is not done growing and changing.
To further complicate matters, you need to also reimburse employees if you require them to use personal devices for work. The California Court of Appeals ruled in August of 2014 that companies must reimburse employees for work-related use of personal cellphones. Now, this is specifically for when a worker is required to use their own device for work and for the moment only includes phone calls, but it does open the door to further regulation especially for data usage.
It also specifically says when the employee is “required” to use their personal phone for business. This makes having a BYOD policy even more critical because it protects your employees, your data and your accountant (from going crazy trying to reimburse employees for every phone call).
What You Should Do About BYOD Security
As a business owner, here’s what you should know about the future of BYOD and how to manage it in your workplace:
- Add it to your I.T. policy. Make sure that the use of personal mobile devices are part of your I.T. policy and that employees know which devices – and possibly job roles – will be allowed to access company data, emails or applications through their own devices.
- Protect and control access. If employees have access to company information on their phone, have them agree to password protect their device, maintain updates and monitor for malware.
- Help them get help. Decide whether they are on their own for support on these devices or if your I.T. will help just those who are required to use their devices for business.
- Specify what they can do. Take calls and answer email only? Or download and upload files? Access accounting? You may want to allow certain levels of access for certain job roles.
- Monitor for security and productivity. This may be simply checking to make sure that your network is protected and constantly monitored. Or, if you have a larger workforce, using their devices on a regular basis to get their daily work done, you may want to invest in a mobile device management (MDM) tool.
Have questions about the risks or additional support that you and your employees may need for your mobile devices? Wondering if you need more monitoring or looking for ideas on protecting your business and your employees from outside risks coming through their devices? Contact me, J. Colin Petersen, President & CEO of J – I.T. Outsource, for a comprehensive policy evaluation.