As the imperative to protect sensitive company data gains importance, the phenomenon of employees using their own personal devices at work has paradoxically increased. That use ranges from adding a work email account to iOS Mail all the way to employees bringing their own laptop and cell phone to work and spending their entire day working on them.
Bring your own device (BYOD) has advantages such as increased employee satisfaction and productivity, but it’s also a data-security liability when there’s no company strategy to manage that risk. Continuing last month’s theme of protecting company data, there are several steps you can take to protect company data while allowing (or simply accepting the inevitability of) employees bringing their own devices.
Step No. 1: You need a policy.
Now, you may be reading this and dismissing the idea of allowing employees to use their personal devices for work, but to be honest, unless you have completely locked down your IT environment, your employees are already accessing company data from their personal devices anyway. Heck, the IT guy was probably the first person to add his email account to his phone! BYOD is not something that will go away by ignoring it.
A BYOD policy sets the ground rules for employees and turns your overall strategy into something tangible. Even if you plan to severely limit employee access to company data on personal devices, it’s important to communicate that policy to both IT and end-users. You should also include instructions and contact information in the event that a device is lost or stolen.
This is also a good time to set acceptable-use policies that define business use of personal devices and what personal use of those devices (if any), such as social media and other apps, is acceptable while company data is on them.
Step No. 2: A good BYOD strategy and overall security go hand-in-hand.
Your BYOD strategy should augment your overall data protection strategy:
- Enforce the use of lock screens to ensure that, if a device is lost or stolen, company data will be safe. This also enhances the security of call- and text-based multifactor authentication.
- Leverage server-based email-transport rules that will automatically encrypt messages that contain sensitive data or block email that appears to be improperly sharing company data.
- Encrypt data at rest, and deploy tools to enforce rights management so that company data is only available to users who should have access, both on company and personal devices.
- Ensure that company data is only available to apps which you have determined to be secure. It’s one thing to allow employees to bring their own iPhone or Android device and a completely different story when it comes to allowing employees to pick which email client they’ll use.
- Make sure that personal devices with company data have the latest updates, so that your data is less exposed to known exploits.
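The email-transport rules described above can be modelled as a small policy engine: outbound mail is classified, messages carrying sensitive data to external recipients are encrypted, and messages that appear to move company files to personal mailboxes are blocked. This is an added illustration, not code from the original article or from any MDM product; the company domain, the personal-mail domains, the confidential file extensions and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example.com"                               # assumed company domain
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed personal-mail domains
CONFIDENTIAL_EXTENSIONS = (".xlsx", ".docx", ".pdf")         # assumed company document types

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment-card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # U.S. SSN layout

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names

def classify(msg: Message) -> set:
    """Return the sensitive-data labels found in the subject and body."""
    labels = set()
    text = msg.subject + "\n" + msg.body
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("credit_card")
    if SSN_RE.search(text):
        labels.add("ssn")
    return labels

def evaluate(msg: Message) -> str:
    """Transport-rule decision: 'deliver', 'encrypt' or 'block'."""
    domain = lambda addr: addr.split("@")[-1].lower()
    external = [r for r in msg.recipients if domain(r) != COMPANY_DOMAIN]
    if not external:
        return "deliver"          # internal mail is outside the scope of these rules
    # Rule 1: company documents sent to personal mailboxes are blocked.
    if any(domain(r) in PERSONAL_DOMAINS for r in external) and \
       any(a.lower().endswith(CONFIDENTIAL_EXTENSIONS) for a in msg.attachments):
        return "block"
    # Rule 2: sensitive data leaving the organisation is encrypted in transit.
    if classify(msg):
        return "encrypt"
    return "deliver"
```

In a real deployment the classification and the encrypt/block actions are configured on the mail server rather than written by hand, but the decision order shown here (scope check, block rule, encrypt rule) is the logic a rule set should implement.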
Step No. 3: Determine the best tools for your company.
Without the right tools to implement your BYOD policy, it’s essentially run on the honor system. To fully implement your BYOD policy and ensure compliance, you will need additional tools.
There’s a plethora of solutions on the market that allow you to protect your company data on personal devices. With mobile-device management, you can secure access to the company network via WiFi. And with mobile-app management, you can control which apps are allowed to access company data and set policies for how that data can be used. For example, you can limit company email to the Outlook Mobile app and prevent attachments from being saved to the personal device and even prevent copying and pasting of text.
In the worst case scenario, you can remotely wipe company data from a lost or stolen device.
Some Popular MDM Options
- Citrix XenMobile
- IBM MaaS360
- Microsoft Intune
- VMware AirWatch
Step No. 4: Plan for employee exit.
With company-owned devices, employees can simply turn in their device before leaving, but in a BYOD scenario, the process is more complicated. So plan ahead.
Even if you disable that employee’s email and file-sharing accounts, there may still be local copies of the data on the device, so when you are selecting an MDM solution, look for one that compartmentalizes company data and allows you to selectively wipe that data without touching any personal data.
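The mobile-app-management controls from Step No. 3 (company data confined to approved apps, saving attachments and copy/paste to unmanaged apps blocked) and the selective wipe from Step No. 4 can be modelled together. This is an added illustration, not the article’s or any vendor’s code; the allow-list of managed apps, the policy settings and the device contents are constructed assumptions.

```python
from dataclasses import dataclass, field

MANAGED_APPS = {"Outlook Mobile", "OneDrive"}   # assumed allow-list of approved apps

# Assumed policy: may company data leave a managed app for an unmanaged one?
POLICY = {"save_attachment": False, "copy_paste": False, "open_in": False}

@dataclass
class Item:
    name: str
    corporate: bool           # True when the item is company data

@dataclass
class Device:
    owner: str
    app_data: dict = field(default_factory=dict)   # app name -> list of Item

    def store(self, app: str, item: Item) -> None:
        self.app_data.setdefault(app, []).append(item)

def allow_transfer(src_app: str, dst_app: str, item: Item, action: str) -> bool:
    """Decide whether an item may move from src_app to dst_app via `action`."""
    if not item.corporate:
        return True                      # personal data is not governed by the policy
    if src_app not in MANAGED_APPS:
        return False                     # company data outside a managed app is a violation
    if dst_app in MANAGED_APPS:
        return True                      # managed-to-managed stays inside the container
    return POLICY.get(action, False)     # default-deny for unknown actions

def transfer(device: Device, src_app: str, dst_app: str, item: Item, action: str) -> bool:
    """Apply the policy; only permitted transfers land in the destination app."""
    if not allow_transfer(src_app, dst_app, item, action):
        return False
    device.store(dst_app, item)
    return True

def selective_wipe(device: Device) -> int:
    """Employee exit: remove only corporate items, leaving personal data untouched."""
    removed = 0
    for app, items in device.app_data.items():
        keep = [i for i in items if not i.corporate]
        removed += len(items) - len(keep)
        device.app_data[app] = keep
    return removed
```

The point of the model is the asymmetry: company data can circulate freely among managed apps, every path out of them is default-deny, and the wipe only needs to know which items are corporate, never which apps are personal.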
Bring Your Own Device (BYOD)
A policy of permitting employees to bring personally owned devices to the workplace and use those devices to access privileged company information and applications
Enterprise Mobility Management (EMM)
The set of people, processes and technology focused on managing mobile devices, wireless networks and other mobile computing services in a business context
Mobile Device Management (MDM)
Industry term for the administration of mobile devices such as smartphones, tablet computers, laptops and desktop computers
Mobile App Management (MAM)
Software and services responsible for controlling access to internally developed and commercially available mobile apps used in business settings