A Set of Recommendations for Establishing a Secure Policy Around BYOD
As a provider of IT and security solutions, we are always surprised when an older topic like BYOD receives new attention. Lately, we have had several questions about whether to allow personal laptops and devices access to the network. We firmly believe businesses have a choice in whether or not these devices should be given access to the network. But, unlike most articles on BYOD, we take the position that not all devices are the same. We suggest you separate laptops from personal devices such as smartphones and tablets and treat them as two distinct categories. In this blog, we hope to leave you with a guide that provides practical and relevant advice on how to implement a BYOD policy that addresses both categories and aligns with the way your team accesses the network.
BYOD, or Bring Your Own Device, was a term first coined back in 2009, when CIOs were starting to feel pressure as personal devices flooded the workplace. At that time, Blackberry had revolutionized the way we checked email, the iPad was hot on the market and Android was picking up steam. The surge of new devices led to employees bringing more smartphones and tablets to work, which IT continued to allow without much support.
“Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and use those devices to access privileged company information and applications.” – Wikipedia
Fast forward ten years. Every employee comes to the office with a smartphone or some other type of personal device. Many employees expect to be able to connect their device (laptop, smartphone, tablet) to the company Wi-Fi and/or network. Line-of-business managers further propagate this on-demand expectation by using their own devices to download apps and SaaS products, often bypassing IT altogether.
Herein lies the problem. How does a small business implement and enforce a BYOD policy that addresses the use of personal devices on the network while protecting customer data?
Why would an Employer allow the use of personal devices in the workplace?
In the interest of avoiding the initial investment required to purchase laptops for every employee, companies are encouraging their teams to work from their personal devices, especially in the case of sub-contracted, part-time or seasonal workers. Employees need access to the internal network (data, applications, printers, etc.) to work. The question every employer eventually has to ask is whether the cost savings of allowing employees to bring their own devices outweigh the risk of introducing non-company devices to the network, and ultimately to your customer data.
Are all devices to be treated equally?
BYOD should not be a catch-all policy. Not all devices represent the same security risk.
Smartphones and tablets are consumption tools, and employees tend to use them for a variety of reasons. Smartphones that need company Wi-Fi can be connected to the guest Wi-Fi, avoiding direct access to your network. Additionally, a smartphone does not run a Windows operating system, and therefore does not typically circulate viruses and other security threats to the network…yet!
By contrast, a laptop is a working tool. It must access the network and internal resources to enable the employee to do their job. Once access is granted to a personal laptop, it then becomes a platform that introduces risk to your network, and where there is risk, you are forced to defend against it.
After all, what could go wrong?
Employees will ask, “What could go wrong? I am only using my laptop to check my email and access Dropbox files.” If you were Neo from The Matrix and could see what was really happening inside the machine, it would look something like this:
- The email account just accessed the server, which connected the employee’s laptop to the company database containing customer information.
- The server returned live customer data to the employee’s laptop.
- Dropbox was accessed, returning customer-sensitive documents and information that now live on the employee’s laptop’s local drive.
- Because your IT team does not manage this laptop, any current viruses on the employee’s laptop are now exposed to your network.
Inside the Matrix, more problems arise for IT because of the employee-owned laptop:
- The employee’s system might not have the right storage, patches or updates, and as a result their laptop is running slowly.
- The employee is frustrated and complains to the IT department, who now must troubleshoot a non-company laptop using company time, resources and dollars.
- There is no way for IT to guarantee they can delete the data from the laptop if it is lost or stolen.
- There is no way to know if data has been copied or files saved.
Checking email and downloading Dropbox files from that personal laptop just opened a host of new risks that could have been avoided.
Smartphones and tablets are not completely off the hook when it comes to data breaches. They allow employees to use network passwords to download information through apps like Dropbox and Box. If the employee uses a smart device to connect to their email and the email account is later removed, the company contacts still remain on the smart device. This raises a couple of red flags in the event that the device is lost or stolen:
- How does your IT team delete Dropbox files that remain on the employee’s smartphone app?
- How does your IT team delete customer data and contacts that remain on the device?
IT has a solution, but it is often not a popular one. A remote wipe allows IT to remove all information and data from the device remotely. This means it removes everything, including the employee’s pictures, contacts, and all personal information. Remote wipes may be necessary, but they are painful for the employee who loses months, maybe years, of personal photos.
What 3 steps should a small business take to establish BYOD control?
“Geez,” you might be thinking, “what a grim picture you have painted.”
True. But the good news is that there are preventative steps a business can take to avoid having to perform a remote wipe.
3 Steps for Implementing an Employee-Friendly, Data-Safe BYOD Policy:
1. Create an Acceptable Use Policy.
An Acceptable Use Policy is a set of guidelines outlining acceptable and unacceptable uses of personal devices on the network.
- To create this type of document, we recommend you sit down with your IT partners and think through the ramifications of using personal laptops and smart devices on the network.
- Determine under what conditions a personal laptop is acceptable or prohibited, and under what conditions a smartphone or tablet is acceptable or restricted.
We recommend that all employees and subcontractors be required to sign this agreement prior to employment. Having an employee sign before coming on board pays big dividends for smooth employee exit procedures down the road. Chances are you won’t have a problem, but in case the parting is hostile, you are protected.
2. Have Each Employee Sign a Personal Liability Document
When it becomes necessary or beneficial for an employee to use their own device, the Personal Liability document establishes network use “standards” that assign responsibility and transfer liability to the employee when accessing the network. For example, this document could require employees to do any of the following:
- Agree to run a certain type of antivirus or operating system on their machine
- Agree not to download large files such as videos or run bandwidth-hungry apps like Spotify that could slow the network to a crawl
- Agree not to watch pornography or access Facebook during working hours
- Agree to allow a remote wipe on their personal smartphone in the event that the phone is lost or stolen
Establishing a standard set of policies for accessing and using the network will keep your network running at peak performance and give everyone on the team a clear understanding of their own responsibility for maintaining a secure, high-performing environment.
3. Communicate the Benefits to Your Team
Last, but not least, communicate the benefits of your BYOD policy to your employees. Adoption will be better received if the policies are communicated clearly. Getting employees to sign Acceptable Use Policies and Personal Liability documents ensures everyone is on board and provides a layer of protection to the business.
What’s ahead for BYOD?
The demands for faster internet, instant access to applications and tools, and remote access to the network will only continue to grow. Simple BYOD is being replaced by a broader set of mobile capabilities that enable the workforce of the future. According to Lifehacker and business tech author David Laird, “BYOD is morphing into BYOx – a new trend that takes the focus away from the specific device employees are using. It’s not just a question of phones and tablets anymore. Content, wearables, and apps are all part of the BYOx spectrum. Moving forward, this will be the area that demands the most attention from a security perspective.”
Employees are bringing their own devices to work. Personal devices can compromise customer data. Valuable business information is being downloaded, dragged and dropped onto personal smartphones, tablets, and laptops. IT guidelines are difficult to enforce after the fact, and putting a policy in place up front is your best defense against lost and stolen data resulting from personal device access to your network.
At MicroTech Systems, we, like you, leverage technology every day and rely on it to do our jobs. Our friendly support team is eager to assist and speaks in a language everyone understands. If you need help ensuring your data is secure with a BYOD policy in place, do not hesitate to pick up the phone and connect. We are here to help.