It’s an understatement to say that the bring-your-own-device (BYOD) culture is gaining traction: already, 95% of firms allow it to some degree, and it’s a must-have working condition for many prospective employees.
Arguably, BYOD is the model to follow: it offers employees increased freedom of movement and, in some cases, 24/7 control over when they work; in return, businesses benefit from increased productivity through employee satisfaction, as well as capital savings on equipment.
The BYOD security challenge
Typical BYOD usage allows access to corporate networks to reach email accounts, calendars and other internal portals. The devices themselves may contain client contact lists, messages, call logs and data files. This poses a risk to the business if the device is hacked, is lost, or simply falls into the wrong hands.
The owner-user premise behind BYOD means the devices can’t be managed like company-issued ones as they contain personal apps and data.
This presents a challenge to traditional mobile device management procedures, which can get away with wholesale remote wiping in the event of device loss or termination of employees.
As a result, the focus of BYOD security management has shifted from being device-centric to data-centric.
How to Protect Business Data
Business owners can mitigate specific BYOD risks by addressing five critical areas:
1. Security policies and training
- Draw up a formal BYOD policy with input from users, management, IT, HR and Legal teams. Decide what data can be accessed and by whom. Users also need to be reassured about privacy of personal data.
- Communicate the policy to all employees and specify how the rules will be enforced.
- Educate users about recognising common vectors of attack, like phishing emails, fake websites and unsafe browsers.
2. Device setup and maintenance
- Keep the corporate footprint separate from the personal one: set up so-called ‘sandboxes’ on the device to house corporate apps and data.
- Help users optimise their access control and app permission settings.
- Owners should keep their software up to date: known errors in operating systems, browsers and apps provide holes through which hackers can gain access to data and networks.
- Enforce the use of passcodes, unique to each device. If the device is stolen it won’t be easily accessed.
- Implement drive encryption on the devices so that, if stolen, the data can’t be read. In addition, issue staff with encrypted flash drives: their loss (along with any company data) is unlikely to be reported.
- In the event of loss, or when employees have been terminated, invoke remote track and wipe functions. If company data has been containerised in sandboxes, any personal data will not be affected.
- As a rule, employees should not use unsecured networks. That said, they can be used if you have set up a virtual private network (VPN) for company use, as this means the network traffic is encrypted and safe from eavesdropping.
- VPN is also the ideal solution for employees who work from home. The alternative is to make sure such employees use a password-protected router and change the default admin username and password.
- The permitted degree of access to the business network should be appropriate to the user’s department, rank and role. This reduces the degree of exposure in the event of a data breach after hacking or loss of device.
- Ensure that users set up strong passwords to access any business systems. Strong means long (15+ characters), complex (a mix of upper and lower case letters, numbers and symbols), and unique to each account. These can be tested using password strength meters. A password manager lets employees securely access company networks without them having to remember the details, or expose the company to risk by emailing passwords to themselves.
There are two very different sides to the BYOD coin: one side offers users increased freedom and job satisfaction, which translates to increased productivity; the other side presents a company with loss of control over the operating environment, which means a heightened security risk.
Users are becoming more demanding about BYOD freedoms, but they need to work side by side with business owners to share responsibility for protecting critical business data. Win-win solutions have always required a balancing act, and the BYOD coin is no different.
Download your Free Guide