A bring your own device (BYOD) policy remains both an opportunity and a challenge, but it is possible to capitalize on the benefits without adding risk by following the guidelines in this post.
When employees are allowed to bring their own devices into the workplace, the risk of a security incident rises compared with the days when only company-issued devices were used.
Devices at Work vs. Devices for Work
Employees are constantly at risk of security breaches, whether through email or through accessing company applications on their own devices.
The difference is that in the one case, employees are using their personal devices at work, and in the other case they are using them to conduct work. Devices that come into a company but have no access to its network usually aren’t problematic as long as there is a strict BYOD policy and it is enforced.
The Challenges of BYOD Security
Businesses are struggling with BYOD security because they need to exert some form of control over smartphones, tablets, and laptops that belong to employees instead of the company. As awareness of these risks grows and more businesses adopt BYOD policies, the task should become easier.
More and more companies are allowing employees to use their own devices for work, which tends to make employees happier because they can use the apps that suit them best.
About one-fourth of the survey respondents were not adopting BYOD because they felt it would introduce vulnerabilities to their company’s network and data.
The Need for BYOD Security
A recent study shows that the BYOD market will reach $350 billion by 2022, and significant growth is expected in this area between 2020 and 2026. This is driven mainly by people wanting to use their smartphones for work-related tasks such as sending emails when they’re outside of the office.
With the COVID-19 pandemic in 2020, companies were forced to let people work from home. A lot of employees began using their personal devices for company-related tasks even if they weren’t supposed to.
The study also shows that employees will use their personal devices for business whether or not the company knows, and even when a policy forbids it. Companies that ignore these findings are ignoring potentially serious security risks.
Some companies embrace BYOD and some don’t. Some of the benefits include increased employee productivity, greater satisfaction with work-life balance, and a safer environment for employees because they’re not bringing their own devices to work.
Stakeholder and Employee Buy-In
When companies adopt BYOD, they need to make sure their policies keep pace with it. The first step is getting buy-in from stakeholders and employees.
Various departments in the company should be represented on a BYOD project management team, and they all have their own perspective to offer.
In order to have an effective BYOD policy, the company needs input from employees. If they don’t participate in creating it, there is a chance that the policy will be too restrictive or will fail to support the devices employees actually use.
An employee survey is the best way to get data about what devices employees are using, and which ones they would like to use in the future. You can also learn how comfortable people feel with their company’s BYOD policy.
Defining a BYOD Security Policy
It is important to have a BYOD policy in order to maintain security when employees bring their own devices. TechTarget has outlined some essential elements of a BYOD policy, including:
- An acceptable use policy that specifies which applications and assets employees can access from their personal devices.
- Minimum security controls that every device must have.
- Company-provided components, such as device authentication with SSL certificates.
- Whether the company reserves the right to remotely wipe devices that are lost or stolen.
Security is a big issue with BYOD policy, and even something as simple as requiring passwords can be very effective. Employees are motivated to follow the policy if it is clear that there are consequences for not doing so.
Your BYOD policy should also include a service policy for personal devices, including what support is available from IT when employees connect to the company network and how they can resolve conflicts between applications on their phone versus those that are provided by work.
When it comes to BYOD policy, there are a few things that need to be outlined. These include the ownership of apps and data as well as what applications are permitted or not allowed.
When an employee leaves the company, it is crucial to have a clear policy that explains what will happen to their device. Your written policies should also describe how IT wipes devices when employees leave.
In addition, companies should inform employees of their liability in the event a device is wiped for security purposes, and state what happens if an employee leaks sensitive company data through negligence or misuse.
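As an added example (not code from the original post or from SecurityStudio), the following Python script shows how the two policy elements described above can be made mechanical: checking a device against a list of minimum security controls before it is allowed onto company resources, and an offboarding step that removes company data and access when an employee leaves while leaving personal data alone. The device fields, control names, platform minimums and action strings are all constructed for illustration; they are not the data model or API of any real MDM product.

```python
"""Added example: BYOD minimum-controls check and offboarding.

All device records, control names and platform minimums below are
constructed illustrations, not fields of a real MDM product.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    owner: str
    os_version: str          # constructed sample value such as "17.4"
    passcode_set: bool
    storage_encrypted: bool
    work_container: bool     # work apps and data live in a managed container
    client_cert: bool        # company-issued device certificate installed
    work_apps: list = field(default_factory=list)


# Minimum OS version the (hypothetical) policy accepts, keyed by platform.
MIN_OS = {"ios": (16, 0), "android": (13, 0)}


def version_tuple(version: str) -> tuple:
    """Turn "17.4" into (17, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compliance_findings(dev: Device, platform: str) -> list:
    """Return the policy controls the device fails (empty means compliant)."""
    findings = []
    if not dev.passcode_set:
        findings.append("no device passcode")
    if not dev.storage_encrypted:
        findings.append("storage not encrypted")
    if not dev.client_cert:
        findings.append("company device certificate missing")
    if not dev.work_container:
        findings.append("work data not separated into a managed container")
    if version_tuple(dev.os_version) < MIN_OS[platform]:
        findings.append(f"OS {dev.os_version} below policy minimum")
    return findings


def access_decision(dev: Device, platform: str) -> str:
    """Default deny: any failed control blocks access to company resources."""
    return "allow" if not compliance_findings(dev, platform) else "deny"


def offboard(dev: Device) -> dict:
    """Remove company data and access from a departing employee's device.

    Only the work container, work apps and company credentials are touched;
    the employee's personal data stays intact. The actions taken are
    returned so they can be logged for accountability.
    """
    actions = []
    if dev.client_cert:
        dev.client_cert = False
        actions.append("revoke device certificate")
    if dev.work_apps:
        actions.append("remove work apps: " + ", ".join(sorted(dev.work_apps)))
        dev.work_apps = []
    if dev.work_container:
        dev.work_container = False
        actions.append("wipe work container (personal data untouched)")
    actions.append("revoke accounts and app permissions")
    return {"owner": dev.owner, "actions": actions}


if __name__ == "__main__":
    phone = Device("alice", "17.4", True, True, True, True, ["mail", "crm"])
    print(access_decision(phone, "ios"), compliance_findings(phone, "ios"))
    print(offboard(phone))
```

The decision is deliberately all-or-nothing: the policy text says every device must have the minimum controls, so one missing control is enough to deny access, and the findings list tells IT support exactly what to fix.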
BYOD Policy Example for Managers
It’s important to have a strong policy and proper implementation of it. The first thing is making sure that employees are aware of the policies, so they don’t unknowingly break them.
Password Provisions
When it comes to sensitive information, password protection is non-negotiable. Strong passwords on mobile devices and computers are a must for organizations.
Privacy Provisions
Personal devices are used for work purposes, but company data is not supposed to be on these personal devices. Privacy needs to be a concern in this situation.
Data Transfer Provisions
If someone is using an app that is not approved for transferring data, and that application suffers a breach, there can be serious legal ramifications. Data should be encrypted and password-protected so that it cannot be moved through other apps.
Proper Maintenance/Updates
Companies need to make sure devices are up to date with patches and updates, and any policy should cover how devices are to be protected.
Common Sense Provisions
Technology is a double-edged sword. While it can help people do their jobs more efficiently, there are also problems that come with it.
- No BYOD device use while driving
- It’s important to be focused on the task at hand and not get distracted by personal calls.
- Do not take video (except possibly in areas like break rooms, and with coworker permission).
- Approved Applications: there are a great many apps in use in the workplace. One study found employees use more than five business applications every day. Without a firm list of approved programs, your team may pick their own apps to use. Make sure to include dedicated secure messaging, email, CRM, and other apps, and explicitly forbid the use of unapproved programs.
- Upon Termination: leaving company data on a personal device when that person retires, finds work elsewhere, or is terminated is a bad idea. Even worse is not having a specific set of procedures for when this occurs. Upon any termination, an organization is obliged to ensure all data is removed from the device and permissions are removed from company applications.
- Data Wipe Procedures: the complexity of wiping data from an employee’s phone, tablet, or computer is enough to make some businesses provide all devices to employees. Parsing through multiple email accounts and deleting certain things from apps used for both private and company affairs isn’t easy. For these reasons the steps should be clearly laid out in the policy.
- Accountability Provisions: a policy with a list of guidelines, yet without clear disciplinary action for failing to abide by those provisions, means your policy has no teeth. Your policy should describe in detail how accountability is tracked, measured, and enforced. Every member of the team should understand not only how devices are to be used, but also the consequences of failing to keep company data safe.
- Evaluate Your Technology Capabilities: In addition to creating and communicating your BYOD policy, you must ensure that you have the right technology resources at your disposal. An evaluation of your current capabilities will help to identify and fill these gaps to ensure a successful BYOD rollout.
- Lack of oversight is one of the most common concerns surrounding BYOD implementation. Companies implementing BYOD policies need to have adequate staff in their IT support departments to help employees get set up and to provide ongoing support and monitoring. Not all solutions are compatible with every device or operating system.
- Companies may opt to purchase a software solution with cross-device compatibility, or they may place greater importance on features and offer a different solution for different devices and OS.
- Companies should implement measures and procedures for verifying the installation of security solutions on all devices accessing company data. They should also create protocols for identifying and enforcing policies related to the evaluation of the risks of various apps and determining which specific applications are deemed safe as well as which applications should be prohibited. Finally, if reimbursement is included in the BYOD policy, budgetary issues should be considered and appropriate resources allocated for this purpose.
- Considering BYOD Device Security Solutions: once your systems and protocols are in place, providing ongoing employee education on the importance of acceptable use as well as basic data security hygiene is critical for BYOD success. Beyond this, the right security solutions can minimize your BYOD risk and enable your policy to run smoothly. There are several elements that should be addressed by an effective BYOD security solution. The ideal solution is one that encompasses several or all of these elements and facilitates a comprehensive mobile security strategy. Below are short descriptions of various security measures which may be used as part of a comprehensive BYOD security program.
- Encryption for data at rest and in transit: because BYOD usage takes data outside of the control of many other enterprise security measures, it is important that organizations encrypt sensitive data at rest and in transit. Encryption ensures that the contents of sensitive files are protected even in a worst-case scenario such as a stolen device or traffic being intercepted over an unsecure network.
- Requiring the use of strong passwords offers some protection, but encryption is better. As this article on the InfoSec Institute notes, “To ensure protection, organizations need to implement encryption for the entire duration of the data lifecycle (in-transit and at-rest). And to prevent unauthorized access and maintain the encryption in case of a security breach, the IT department of the concerned organization should take control of encryption keys.”
- Application installation control. There are some controls available with certain devices and operating systems that IT can utilize to exert control over the apps installed on an employee’s device. For instance, Apple iOS devices can be configured to deny access to the App Store, and for Android devices, companies can make use of Android Enterprise for a managed Google Play portal that contains only approved applications (among many other useful features for BYOD). However, restricting an employee’s ability to download or install applications on their own devices for personal use isn’t a practical solution for most companies. These methods are similar to measures taken for parental control purposes, so naturally, employees are likely to feel as though this is an infringement on their personal freedoms. Most employees have the expectation that they will be able to use their personal devices as they choose when they’re not on the clock, conducting business, or connected to a secured company network, making other solutions more practical for BYOD security. It’s worth noting that Android Enterprise offers a containerized environment to separate work and personal applications and data, which allows companies to have better control over devices used for work purposes without limiting an employee’s personal use of their device. We’ll discuss containerization in more detail below.
- Mobile device management: Mobile device management (MDM) solutions offer a balance between total control for employers and total freedom for employees, offering the ability to deploy, secure, and integrate devices into a network and then monitor and manage those devices centrally. The MDM field is still finding its footing and is not without its share of problems. For instance, this article in CIO reports that some enterprises could take advantage of more advanced features available with MDM, creating a less-than-ideal user experience that’s too restrictive and leading employees to resist the enterprise’s BYOD program.
- Containerization is increasingly being offered in conjunction with MDM solutions. Containerization is a method by which a portion of a device is segregated into its own protected bubble, protected by a separate password and regulated by a separate set of policies, from the remainder of the applications and content on the device. This allows employees to enjoy full, uninhibited use of their devices on their own time without introducing security risks to the company’s network. When a user is logged into the containerized area, personal apps and other features not managed by the container are inaccessible. Containerization is an appealing solution that doesn’t limit employees’ ability to use their personal devices as they choose, while eliminating the possibility of employees using or accessing apps that don’t meet the company’s security threshold when working. Containerization limits corporate liability without impacting personal use, but on the downside, it doesn’t protect employees’ personal data on devices that are lost or stolen and must be wiped. This is a challenge that’s easily overcome with proper personal data backup.
- Blacklisting is a term that describes the process of blocking or prohibiting specific applications that are determined to pose a risk to enterprise security. Blacklisting is also a method some companies use to restrict employee access to apps that can hinder productivity, such as games or social networking apps. File-sharing services are another category of apps that often find themselves on blacklists, as companies fear that sensitive information could be shared with unauthorized third parties, either intentionally or inadvertently, by employees. While it can be effective by limiting access to applications that don’t meet your company’s security criteria, blacklisting is not often used for BYOD, as the process means controlling access to applications on employees’ personal devices both during work and during off-hours. Naturally, this poses an issue for some employees who enjoy playing Pokémon GO when they’re not at work.
- Whitelisting is simply the opposite of blacklisting. Instead of blocking access to a list of specific applications, whitelisting allows access only to a list of approved applications. It’s often considered a more effective process simply because of the sheer number of applications and websites that exist. Waiting until an employee has downloaded an app and used it to transmit data to determine that it poses a security risk is sometimes too little, too late. Whitelisting circumvents this issue by simply not allowing access to anything unless it has been pre-approved as safe by IT. Of course, like blacklisting, this can create problems for BYOD by blocking employees’ access to apps that they might want to use when they’re not at work.
- Other security measures are sometimes used as part of a comprehensive BYOD security program. Antivirus software installed on individual devices, for instance, is often a staple of such security programs. Companies may purchase a volume license and install software on BYOD devices or simply require employees to install their own and verify with IT that their devices are protected. With more malware targeting mobile devices, the risk of such a malicious program impacting the company network by way of an employee’s personal device is very real.
- Monitoring is another component sometimes used as part of a BYOD security program, albeit with mixed opinions. IT could implement systems that monitor the GPS location of employee devices, or Internet traffic on individual devices. While these monitoring systems can prove beneficial for detecting unusual activity or locating a lost device, many consider these solutions to venture too far into employees’ privacy.
- The bottom line is that BYOD security, like enterprise security, requires a multi-faceted approach that addresses the potential risks while minimizing intrusions on employee privacy and usability when it comes to personal use. Context-aware security solutions that provide control over user access, applications, network connectivity, and devices, in addition to encryption capabilities, combine the key elements necessary for ensuring enterprise security in the BYOD landscape. Enterprises embracing these solutions capitalize on the benefits and reap the rewards of BYOD, such as employee productivity and satisfaction due to greater work-life balance, while effectively mitigating the security risks that once plagued companies adopting BYOD.
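The blacklisting and whitelisting items above differ in their default, and the containerization item explains why the policy should apply only to the work side of the device. The following Python script, an added example that is not code from the original post or from SecurityStudio, makes both points concrete: it evaluates a constructed app inventory under a blocklist (default allow) and an allowlist (default deny), applies the policy only to apps in the work container so personal apps stay out of scope, and lists the unvetted apps a blocklist would let through. The app identifiers and the inventory are constructed sample data.

```python
"""Added example: blocklist (default allow) versus allowlist (default deny)
over a BYOD app inventory, scoped to the work container.

The app identifiers below are constructed for illustration only.
"""

# Apps IT has decided pose a risk (blocklist) and apps IT has approved
# (allowlist). Both sets are constructed sample data.
BLOCKLIST = {"com.example.filedrop", "com.example.game"}
ALLOWLIST = {"com.example.securemsg", "com.example.mail", "com.example.crm"}

# Constructed inventory: (app identifier, which side of the device it is on).
INVENTORY = [
    ("com.example.securemsg", "work"),
    ("com.example.mail", "work"),
    ("com.example.newsync", "work"),       # unvetted file-sync app nobody has reviewed
    ("com.example.game", "work"),          # explicitly blocklisted
    ("com.example.catchgame", "personal"), # the employee's own game, off the clock
]


def blocklist_verdict(app: str) -> str:
    """Default allow: only apps already known to be bad are stopped."""
    return "blocked" if app in BLOCKLIST else "allowed"


def allowlist_verdict(app: str) -> str:
    """Default deny: anything IT has not pre-approved is stopped."""
    return "allowed" if app in ALLOWLIST else "blocked"


def evaluate(inventory, policy, scope: str = "work") -> dict:
    """Apply a policy function to every app in the given container.

    Apps outside the scope (the personal side of the device) are reported
    as out of scope rather than judged, which is what keeps a work policy
    from interfering with personal use.
    """
    verdicts = {}
    for app, container in inventory:
        verdicts[app] = policy(app) if container == scope else "out of scope"
    return verdicts


def unvetted_apps_permitted(inventory) -> list:
    """Work apps a blocklist lets through but an allowlist would stop.

    These are the apps that could already have moved company data before
    anyone decided they were a risk: the "too little, too late" gap.
    """
    return sorted(
        app for app, container in inventory
        if container == "work"
        and blocklist_verdict(app) == "allowed"
        and allowlist_verdict(app) == "blocked"
    )


if __name__ == "__main__":
    print("blocklist:", evaluate(INVENTORY, blocklist_verdict))
    print("allowlist:", evaluate(INVENTORY, allowlist_verdict))
    print("slipped past the blocklist:", unvetted_apps_permitted(INVENTORY))
```

Run on the constructed inventory, the blocklist stops only the game while the unreviewed file-sync app passes, the allowlist stops both, and the personal game is never judged by either policy.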
Approved Applications
There are many apps that people use in the workplace, and some of them may not be approved. It’s important to include secure messaging, email, CRM, and other programs on the list of what employees are allowed to use.
Upon Termination
When a person leaves the company, they should never take any data with them. This is especially true if an employee has been terminated, because their access to everything on that device will be revoked.
Data Wipe Procedures
Companies are increasingly aware of the difficulty of wiping data from devices. Some want to avoid any entanglement of personal and company use altogether, so they provide their employees with all necessary equipment.
Accountability Provisions
You need clear guidelines, but you also need to know how accountability is tracked and enforced.
Evaluate Your Technology Capabilities
You should make sure you have the right technology in place before implementing BYOD. You need to evaluate your current capabilities and identify any gaps that could lead to a failed rollout.
One of the most common concerns with BYOD policies is that there’s not enough IT support staff to help employees get set up and provide ongoing support. There are some solutions that work for everyone, but others don’t work on every device.
Companies should consider allocating more money for BYOD reimbursement if they want to give their employees the option of bringing in a personal device. They also need to make sure that policies are set up so people can’t download apps on company devices without permission from IT, and decide what communication protocols will be used when an employee is fired.
Considering BYOD Security Solutions
Once your systems and protocols are in place, providing ongoing employee education on the importance of acceptable use as well as basic data security hygiene is critical for BYOD success. Beyond this, you’ll need to make sure you have the right solutions: an effective solution addresses several elements that help minimize risk and support a successful policy.
Encryption for data at rest and in transit
BYOD usage takes data outside of the control of many other enterprise security measures, so it’s important to encrypt sensitive files. This ensures that even in a worst-case scenario like theft or interception over an unsecure network, the file contents are protected.
Strong passwords offer some protection, but encryption is better. As this article on the InfoSec Institute notes, “To ensure protection and prevent unauthorized access to data in transit or at rest, organizations need to implement encryption for the entire duration of a file’s lifecycle (in transit and at rest). To maintain control over keys in case of a security breach, though, they should be under IT department management.”
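The encryption-in-transit requirement stated here (and in the encryption item of the longer list above) is only met if the app on the employee’s device actually verifies the server it talks to. As an added example that is not code from the original post or from SecurityStudio, the Python script below shows the weak client TLS configuration a policy must forbid beside the hardened one, plus an audit function that reports which requirements a given configuration violates. It uses only the standard library’s ssl module; the optional device-certificate arguments are an assumption about how a company-issued client certificate would be supplied and are not exercised here.

```python
"""Added example: weak versus hardened TLS client configuration, with an
audit that reports which in-transit encryption requirements are violated.
Standard library only; no network connection is made.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What the policy must forbid: certificate and hostname checks are
    switched off, so traffic on an untrusted network can be intercepted
    by anyone presenting any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(client_cert=None, client_key=None) -> ssl.SSLContext:
    """Server certificate verified against the system trust store, the
    hostname checked against it, and legacy TLS versions refused.

    client_cert / client_key are an assumed way of installing a
    company-issued device certificate (the 'device authentication with
    SSL certificates' policy element); they are optional here.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the in-transit requirements the context fails (empty = ok)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions permitted")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the piece worth reusing: it can be applied to the context any in-house app creates so that a misconfiguration like CERT_NONE is caught in review rather than discovered after traffic has been intercepted on a coffee-shop network.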
Application installation control
Certain device and operating-system features let IT control the apps employees install on their devices.
Preventing employees from downloading and installing applications on their own devices for personal use, however, violates their rights. Other solutions give companies better control over work use without limiting an employee’s personal use of the device.
Mobile device management
Mobile device management solutions offer a balance between total control and freedom for employees, but these systems are not perfect.
Containerization
Containerization is a new method for companies that allows employees to use their personal devices with no restrictions while at work. Containerized areas are separate from the rest of the device and password protected, which keeps all company data safe.
Containerization limits corporate liability without impacting personal use, but on the downside, it doesn’t protect employees’ personal data if their devices are lost or stolen. This can be overcome by doing proper backups of your own personal data.
Blacklisting
Blacklisting is the process of blocking or prohibiting specific applications that are determined to pose a risk to enterprise security. Blacklisting also refers to restricting employee access by companies who fear sensitive information could be shared with unauthorized third parties, either intentionally or inadvertently, by employees.
Blacklisting is not often used for BYOD, because it restricts access to applications on employees’ personal devices, both during work and off-hours. This can be a problem for some people who enjoy playing Pokémon GO when they’re not at work.
Whitelisting
Whitelisting allows only specific approved programs, instead of blocking a list of bad ones. It’s considered more effective because with so many apps available it is hard to keep track of them all.
The whitelisting approach just means that you’re not allowed to access anything unless it has been pre-approved by IT. Of course, this can cause problems for BYOD because employees might want to use certain apps when they are not at work.
Other BYOD security measures
There are a number of other security measures that may be used in conjunction with BYOD. For instance, antivirus software installed on individual devices is often an important part of such programs.
Monitoring is sometimes used in BYOD security programs, but many people think this goes too far into employee privacy.
The bottom line is that BYOD security, like enterprise security, requires a multi-faceted approach that mitigates the risks while still allowing employees privacy and usability when it comes to personal use. Context-aware solutions that control user access, applications, network connectivity, and devices, together with encryption capabilities, combine the key elements needed to keep the enterprise secure as it embraces BYOD.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats and stay insurable and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.