Reviewing your BYOD Policy
Many organizations already have a BYOD (bring your own device) policy for mobile devices and allow employees to use their own devices, mostly smartphones, with certain restrictions. The current pandemic, however, has forced companies to ramp up their work-from-home initiatives, and some companies had no BYOD or remote work policy at all before it. Implementing a BYOD policy brings its own security concerns on top of the increased risk of cyberattacks that remote work already creates. To avoid a costly data breach, your organization must proceed with care when executing a BYOD strategy.
Several weeks and months in, parts of the globe are beginning to reopen, and now is the time for organizations to review and evaluate their BYOD policies. With the possibility of further COVID-19 waves and a workforce changed by the pandemic, a proper BYOD policy is more important than ever.
BYOD refers to the trend of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data. Personal devices could include smartphones, personal computers, tablets, or USB drives.
As more and more organizations support employees working from home, maintaining a flexible schedule, or connecting on the go while on work travel or commutes, BYOD solutions have become more prevalent. Some companies may sanction BYOD, while others may consider it part of “shadow IT,” which refers to software or hardware not supported by IT.
What are the potential BYOD risks?
Any employee-owned device that is not sanctioned by the employer is shadow IT, and such devices pose a security threat to the organization. Devices that are not visible to IT cannot be monitored or protected from malicious actors. A robust BYOD policy therefore identifies which personal devices may be used for work and when employees must rely on company-owned assets instead.
Another risk of BYOD is the fact that employees will bring their devices with them everywhere. While it’s unlikely people will carry their work laptop with them on a night out, they will bring their smartphone. This increases the risk that a device with company data could be lost or stolen.
All of these concerns can be planned for, but only if the employer takes precautionary steps ahead of time. The corporate policy should set out contingency plans for reducing risk and for reacting to security breaches as they occur. Making employees' responsibilities clear helps them understand how to use their devices for business purposes.
BYOD policy is best implemented when company stakeholders understand the pain point they are addressing. Stakeholders should build a strategy around the problem, then work with employees to implement the solution in a mutually beneficial manner.
What to include in a BYOD Policy?
You want to protect your data, but you also need to respect employee rights, and that makes creating a BYOD policy difficult. Work devices are under your control; employee devices may not be. To protect your information and your organization, you need a policy that details how employee devices may be used and ensures employees understand their responsibilities. The following topics are commonly covered in BYOD policies, so you can make the decisions that apply most directly to your business and working style.
If your employees access your networks, you have both the right and the obligation to spell out your security requirements. If you do not discuss those requirements with employees, they may not know the risks their devices pose.
To ensure security over personal devices, you should determine which of the following you want to apply to your organization:
- Password protecting devices according to the device's capabilities.
- Requiring a strong password on any device that accesses the network.
- Automatic device lock requirements (the maximum idle time before the screen locks).
- The number of failed login attempts allowed before the device locks and IT must reset access.
- Forbidding devices that bypass manufacturer settings (jailbroken or rooted devices).
- Preventing the download or installation of applications that are not on the "allowed" list.
- Preventing devices not listed in the policy from accessing the network.
- Preventing employee-owned "personal use only" devices from connecting to the network.
- Restricting employee access to company data based on the user profiles your IT department defines.
- When you may remotely wipe the device, including but not limited to when the device is lost, when the employment relationship ends, and when IT detects a data breach, policy breach, virus, or other security risk to your data environment.
Integrate Your BYOD Plan With Your Acceptable Use Policy
Defining "Acceptable Use" for your employees is the first step to creating an effective BYOD policy. Employees need to know precisely how they may use their devices for work, whether in the office or remotely.
Devices and Support
Your employees may be using devices you own or devices they own. While you can't control the devices your employees purchase, you can control what they bring into the office and onto your network. Older devices, for example, may no longer receive operating system and security updates, which leaves them exposed to known vulnerabilities and opens you to a security risk.
Having a BYOD policy also requires you to think through reimbursement, even though it is not a security issue. If you require employees to work from home or to use specific devices, you also need to tell them how much financial support you will offer.
Mobile Device Management and BYOD
MDM (mobile device management) adds another layer of security to BYOD by separating your business's data from the employee's personal data on the device, typically in a managed work profile or container. IT manages, encrypts, and monitors the company side of BYOD through EMM (enterprise mobility management), a set of tools and processes put in place by the company. Should a device be lost or stolen, or should the employee leave the company, the business data can be wiped without affecting personal data, which also protects business data from third-party intrusion. As BYOD evolves and becomes more commonplace, MDM is becoming essential to both company and employee security. Check out our blog post from 2019 for more details.
A BYOD policy for the coronavirus pandemic should still state which devices IT can support, which apps are available to remote users, which collaboration tools are available to users, and which access restrictions are necessary. Those restrictions could include requiring a VPN connection, limiting downloads of sensitive data, and limiting users to the apps IT supports.
IT pros can't simply assume that employees will implement all of these measures on their own. Leaving security measures to users puts the organization at major risk of security breaches and malware infections. IT needs to deploy every aspect of the UEM (unified endpoint management) and security controls itself and verify that they work as intended. Many smaller organizations are at risk of going out of business after a single data breach.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.