Just a few weeks ago, President Obama sent flutters through the hearts of IT managers everywhere when he finally explained why he still uses a BlackBerry rather than an iPhone or Android device: security. Oh, be still our beating hearts! Someone who actually listens to security recommendations!
There was a time not too long ago when this kind of statement would have been familiar to most American workers, because it fell to the IT department to choose which devices were appropriate for work, what software they would run and what tech support they would get. That has pretty much gone out the window with the proliferation of smartphones. Employees now expect to use their own devices when they take a new job, and, if they can find a way, they will keep using their preferred device regardless of an employer's policies.
That means one thing for employers: it's time not just to allow BYOD but to get ahead of BYOD security before your employees (and malware, hackers and maybe even competitors) set your policy for you. Let's take a look at a few ways you can set up a top-notch BYOD program that balances your needs with those of your employees.
1. Review Your Current Policies
First things first: you've got to know where you are before you attempt any changes. Start by taking a good look at your infrastructure, including your wireless LAN and your VPN, the applications you currently use to provide network access, your methods of data storage and access, your asset and network management procedures, and your bandwidth requirements. BYOD may create bottlenecks, so look in particular for places where that can happen, and make sure you've got the bandwidth you need. You'll also need a clear sense of how the infrastructure must grow to authorize and register many more devices on the network, and how you will tell a registered device from an unknown one. This is a good time for an overall security evaluation too, since you want to close existing vulnerabilities before you start accounting for new ones.
2. Establish Acceptable Uses
One of the trickiest things about BYOD is that you're mixing up people's personal and business lives. While you don't want to set a policy that's too invasive, it's reasonable to expect employees not to access illicit material on their phones and to save the social networking for after work hours. Even more important, you should make employees aware of the security threats that matter to your business, particularly the ways careless user activity can leak information to competitors. The manner and approach of an employee's interactions with his or her phone should be spelled out in an acceptable use policy that leaves no room for misinterpretation.
3. Separate Work From Play
To ease this process, consider setting up separate profiles for personal and business use. You'll of course still need employees to follow standard security procedures to avoid compromising the overall health of the device, but partitioning the phone at least lets you control what happens in the work profile while allowing employees more freedom and privacy on their own time. It also draws a clean boundary around company data, which matters later when that data has to be removed from the device. And it can make the user experience more fluid, as one profile holds all of the work-related apps while the other can be more social.
4. Provide a List of Recommended Platforms
By definition, BYOD means letting employees choose the devices on which they work. However, that doesn't mean you have to allow every platform or model. Simply restricting the list to Android, iPhone and BlackBerry still provides a wealth of popular choices. Make sure you also decide which OS versions are acceptable, from both an access and a security standpoint, since an old release that no longer receives security updates is a liability no matter how popular the device.
5. Make it Clear Who Pays for What
Again, BYOD can be tricky from a reimbursement standpoint, as it can be difficult to sort out work from play. Will you cover a percentage of the carrier costs, especially data charges, to cover work time? Will you provide any kind of tech support, or will this stretch your busy IT department too thin? Get this sorted ahead of time so there are no surprises or arguments later on.
6. Decide Which Apps to White and Blacklist
One place where employers can still have tight control is apps. Whitelisting and blacklisting apps can be a highly effective way to maintain the integrity of your data and network as well as to ensure productivity: you can ban insecure or simply distracting apps while relying on thoroughly vetted apps, or even apps built specifically for you, to do more of the heavy lifting. The whitelist should include not just the apps on which employees will do most of their work but also antivirus apps. Keep in mind that a list is only as good as your ability to enforce it, so pair it with device management tooling that can actually block or remove an app, and adjust any other firewall and software settings as needed.
7. Manage Network Access
Whether you'll be working through VPNs or the cloud, it's important to go through your organization and determine just who needs access to what, set guidelines for how that designation will be made in the future, and delegate the ability to grant (and revoke) access to key team leads. The answer may vary with where the employee is working (e.g. the office, home or the road). You'll need to distinguish an employee who needs email access from home from one who needs in-depth access to a private corporate store of data, and give each only the access that role requires. It's also important to consider how you'll keep all of that information secure as it travels over the network.
Encryption and authentication are usually the right answer, but keep in mind there's a limit to how many characters employees are willing to type on tiny phone keyboards before they turn the security software off altogether. A short device passcode backed by full-device encryption, with the VPN authenticating by a certificate installed at enrollment rather than a long password typed on every connection, asks far less of the user than a complex password does. Always try to balance security and convenience.
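Steps 4, 6 and 7 above amount to a single decision: given what a device reports about itself, is it allowed on the network, and at what level? The following is an added example, not code from the original article, of a device posture check of the kind an enrollment gateway or mobile device management service performs. Every policy value in it (the platforms, minimum versions, package names, tier names and the `Device` fields) is a hypothetical placeholder; a real deployment would read these from the management agent and your own policy. It goes slightly beyond the article by showing how the checks combine: any baseline failure refuses access, while a missing work profile only limits the device to the less sensitive tier.

```python
"""Device posture check for a BYOD access gateway (added example).

Turns the article's recommended platforms and OS versions, app
whitelist/blacklist and access tiers into one decision function.
All policy values are hypothetical placeholders.
"""
from dataclasses import dataclass

# Hypothetical policy: supported platforms and the oldest OS version allowed on each.
MIN_OS_VERSION = {"android": (4, 4), "ios": (7, 1), "blackberry": (10, 2)}
# Hypothetical app policy. Blacklist wins over whitelist; REQUIRED_APPS must be installed.
WHITELIST = {"com.example.mail", "com.example.vpn", "com.example.av"}
BLACKLIST = {"com.example.filesharer"}
REQUIRED_APPS = {"com.example.av"}  # e.g. the antivirus app the article asks for
# Access tiers, least to most sensitive (email from home vs. the corporate data store).
TIERS = ("email", "data")


@dataclass(frozen=True)
class Device:
    platform: str
    os_version: str
    apps: frozenset        # installed package identifiers
    encrypted: bool        # device storage encryption enabled
    passcode_set: bool
    work_profile: bool     # separate work/personal profile present


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str              # "none", or the tier actually granted
    reasons: tuple         # why access was refused or limited; empty when fully granted


def parse_version(text):
    """'4.4.2' -> (4, 4, 2). Keeps the leading digits of each piece, so '7.1.1b' -> (7, 1, 1)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def permitted_work_apps(device):
    """Only whitelisted apps may handle company data; everything else stays personal."""
    return device.apps & WHITELIST


def evaluate(device, requested_tier):
    """Decide whether the device gets access, and at which tier (up to requested_tier)."""
    if requested_tier not in TIERS:
        raise ValueError(f"unknown tier {requested_tier!r}")
    reasons = []
    platform = device.platform.lower()
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not on the recommended list")
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        reasons.append(f"{platform} {device.os_version} is below the minimum {wanted}")
    blocked = sorted(device.apps & BLACKLIST)
    if blocked:
        reasons.append("blacklisted apps installed: " + ", ".join(blocked))
    missing = sorted(REQUIRED_APPS - device.apps)
    if missing:
        reasons.append("required apps missing: " + ", ".join(missing))
    if not device.encrypted:
        reasons.append("device storage is not encrypted")
    if not device.passcode_set:
        reasons.append("no device passcode set")
    if reasons:
        # Any baseline failure refuses access outright; the reasons go back to the user.
        return Decision(False, "none", tuple(reasons))
    # Baseline passed. The sensitive tier additionally needs a work profile, so that a
    # remote wipe can remove company data without touching the employee's personal data.
    if requested_tier == "data" and not device.work_profile:
        return Decision(True, "email", ("no work profile; limited to email access",))
    return Decision(True, requested_tier, ())


if __name__ == "__main__":
    # Constructed sample device, not real telemetry.
    sample = Device("Android", "4.4.2",
                    frozenset({"com.example.mail", "com.example.av", "com.example.game"}),
                    encrypted=True, passcode_set=True, work_profile=False)
    print(evaluate(sample, "data"))
    print(sorted(permitted_work_apps(sample)))
```

The ordering of the checks is the design point: platform, version, blacklist, required apps, encryption and passcode are hard requirements that any device must meet before the tier question even arises, and the reasons are collected rather than returned one at a time so the user can fix everything in one pass. Swap the placeholder lists for values fed by your management agent and the function becomes the policy you wrote down in steps 4, 6 and 7.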
8. Set Procedures for Lost Devices
Whether a device is lost, stolen, or carried out the door by an employee who quits or is fired, safeguarding the company data on it has always been a security concern, even when devices are company issued. It is all the more so when someone leaves suddenly and on negative terms. Accordingly, it's of the utmost importance that companies with BYOD policies have a means of remotely wiping work data (which, again, is much easier if you give employees separate work and play profiles, since only the work profile needs to go). Having the employee bring the device in is still the better outcome, but a remote wipe at least provides a safeguard when that isn't possible.
9. Educate Employees
The majority of BYOD security problems stem from employees who simply don't know better. So brief them on your BYOD policy and give clear reasons for why it's in place, so they don't dismiss it as just another corporate rule they have every right to get around. Along the same lines, actually enforce the policy, following up with those who break the rules to reiterate them.
10. Have a Written Agreement
Last but certainly not least, it’s crucial that your BYOD policy be not only explained but written and signed as well so that there’s something solid to refer back to and some accountability. This is especially important for many younger employees, who tend to be more comfortable sharing personal details — a mentality that can spell disaster if they apply that degree of openness to company secrets.
The Takeaway
Like it or not, BYOD is here to stay. To take full advantage of the flexibility it offers, you need security policies in place that keep your business and your clients safe. So start evaluating, start implementing, and always keep security in mind.