In the previous post, we discussed how the bring-your-own-device (BYOD) trend is creating security headaches that organizations must address with a documented BYOD policy and better mobile security tools. The easiest course of action would be to simply ban employee-owned mobile devices, but that decision ignores two important facts. First, BYOD delivers tremendous business value when properly managed. Second, employees will use their own devices anyway. Organizations can improve the security of their BYOD environment by creating a culture in which mobile security is viewed as essential to business operations and a shared responsibility among all employees.
When this culture is established, it becomes easier to implement a BYOD policy that employees will embrace. However, a BYOD policy that’s too complex (complicated login procedures, overly restrictive rules, etc.) can hamper productivity and cause employees to look for workarounds. This not only causes BYOD to fail, but also creates the very security and compliance issues that your policy was designed to prevent. Keep your BYOD policy as simple as possible.
When developing a BYOD policy, you must first ensure that any regulatory requirements are satisfied and corporate guidelines for handling sensitive data are followed. At the same time, you need to balance the protection of company data with respect for private employee data. Apply user authentication, access controls and strong encryption to protect sensitive information, and investigate tools that separate business and personal data.
Your BYOD policy should provide mandatory guidelines about specific devices, operating systems and applications that are supported by your organization. It should clarify ownership of certain types of data, including intellectual property created by the employee. It should include proper procedures for accessing, sharing and storing data, what applications are permitted on the company network and for what purpose, and what steps to take if a mobile device is compromised. The policy should also cover the procedures for recovering or removing data and applications from the devices of an employee who leaves the company. Because a large percentage of security breaches are the result of human error, employees should be trained on BYOD best practices on an ongoing basis.
When implementing a BYOD strategy, organizations should consider deploying a mobile device management (MDM) solution. MDM uses software to centrally manage the deployment, monitoring and configuration of mobile devices in order to optimize their functionality, performance and security. It allows administrators to remotely add or remove devices, distribute applications and data to the appropriate users and devices, enforce compliance policies, and deploy security patches across the organization. Many of these functions are automated.
One critical function of MDM is the ability to remotely wipe data from a lost or stolen device, or the device of a former employee. This will render the device useless and prevent sensitive data and applications from falling into the wrong hands. Of course, organizations must have a formal data backup strategy to ensure that company data isn’t lost when a device is wiped.
The SSD approach to IT is focused on maximizing productivity, and BYOD can help you do just that. Let us help you determine if your infrastructure will support BYOD, understand and implement MDM and other tools that minimize risk, and develop a BYOD policy that improves both productivity and security.