Think your BYOD policy is really secure? You’d better read this now

Editor’s note: In response to the coronavirus crisis gripping the world, TechGenix is republishing a selection of recent articles, tutorials, and product reviews with relevant information for IT pros as their jobs change dramatically. In this article, originally published Dec. 10, 2018, we look at “bring your own device” policies, an issue many companies must immediately tackle with so many employees working from their homes.

Several years after the idea of enterprise mobility cropped up on the enterprise scene, “bring your own device” (BYOD) hardly retains any of the volatility that characterized its early reputation. The BYOD idea has witnessed tremendous adoption; that’s primarily because business leaders know there’s no other way. Employees are used to staying connected to systems via technology, even while they’re on the move, and hence, find it intuitive enough to let BYOD become a part of the way of life at their organizations. However, BYOD brings with it a major change to the business as well as its IT operations. That’s why experts suggest that enterprises must put in place a robust and comprehensive BYOD policy. A weak and superficial policy, on the other hand, could bring the whole BYOD program down. This guide will help you evaluate the strength and effectiveness of your organization’s BYOD policy.

Does your BYOD policy clarify what kinds of devices are allowed?


Sounds obvious, but a surprisingly large number of organizations falter here. Probably there are way too many kinds of devices these days — smartphones, phablets, tablets, hybrid laptops, smartwatches, and whatnot. Your BYOD policy must be comprehensive, clearly specifying which devices are allowed inside the office premises, which ones can be used for what kind of business purpose, and which ones can be used to perform work remotely. If your BYOD program only covers a specific operating system (for example, only iOS), this knocks many devices out of scope. The key takeaway: whatever the kind of device, the BYOD policy should answer the “may I use this for X purpose?” question with a “yes” or “no.”

The art of preventing accidental data leaks

It’s true — many of the tech tasks performed by your employees are inherently insecure. Consider the basic act of downloading an application from a mobile OS app store. These apps could easily expose the device’s data to malicious elements on the web. And with apps, it’s common enough for even users to lose track of what they have on their devices. To evaluate whether your company’s BYOD policy offers protection against these accidents waiting to happen, consider these points:

  • The policy must provide for the use of mobile device management (MDM) and endpoint security solution (ESS) technologies for effective management.
  • Outline the practices, rights, and authorizations of the network monitoring team in terms of their right to know how the device is being used in the office.
  • Lay out rules to keep devices safe from threats arising from public Wi-Fi connections (at airports, cafés, etc.).
  • The policy must also highlight best practices in terms of the use of VPNs (personal or company-provided) to access business data and apps.
  • Also, your BYOD policy is expected to help users understand whether they can perform operations such as document uploads and downloads on a home network.

Deep control over data

BYOD’s promise of unprecedented flexibility in the workplace is exciting for companies, but the excitement must not come at the cost of control. Employees who wish to benefit from the BYOD policy’s allowances must also be willing to accept that company IT will need to exercise a degree of control to keep things secure and safe. Here are some of the key aspects:

  • Outline the steps to be taken by an employee to report the theft or loss of a device that was part of the BYOD program.
  • Lay out a mechanism for IT to remotely wipe data (all emails, contact lists, files, and folders) from such devices over the Internet.
  • Clarify the mechanism for obtaining employee authorization to delete all contents of a lost device (including personal pictures, paid apps, personal files, etc.).
  • Establish the rules users must follow on their devices: the use of passwords, and keeping files and account logins only as long as they’re needed.
  • Establish guidelines for IT that explain the minimum acceptable level of encryption.

Service policy for BYOD devices

When employees use their personal devices for office work, the stress on the end user-IT relationship surges, at least in the initial phase. It’s crucial that the BYOD policy communicates the right direction to all groups. Some key points to consider, and to ensure are covered in the BYOD policy, are:

  • The level of support offered by IT for the initial connection of a BYOD program device to the company’s network.
  • The level of support IT can offer for common device troubleshooting and device breakdown.
  • The process for evaluating whether the device needs additional security software (antivirus, anti-malware, etc.).
  • How to address questions that arise when an application on a user’s personal device is deemed unsafe, insecure, or risky by the organization’s IT.
  • Is the company prepared to offer replacement devices until internal IT resolves hardware problems?

A policy that empowers the IT department to confidently address all challenging end-user queries and concerns on these aspects is a must for successful BYOD.

Provide a framework to evaluate the security of apps


How do you decide whether to allow an app to be run on a device registered under BYOD? The BYOD policy has the most important role to play here because it can offer an outline of the evaluation process for IT. This is arguably the most challenging aspect of BYOD, particularly for organizations that are still finding their feet with the idea.

Of course, the policy can’t explain the company’s stance by naming specific whitelisted or blacklisted apps. Instead, it should clearly outline acceptable and unacceptable attributes that IT can identify within an app, so that a decision can be made accordingly. Blocking downloads of copyright-infringing content, monitoring an app’s requests for access to the image gallery, device storage, and contacts list, and reevaluating the suitability of whitelisted apps after they undergo updates are all crucial for safe and secure BYOD programs.
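To make the attribute-based evaluation above concrete, here is an added example (not code from the original article) that reads the permissions an Android app requests from its manifest, maps them to the data categories the policy calls out, and re-flags a previously approved app when an update adds sensitive access. The manifests are constructed samples and the permission-to-category table is an assumed policy, not a vendor list.

```python
"""Added example: attribute-based review of an Android app's permission
requests, with re-evaluation after an update. Manifests are constructed
samples; SENSITIVE is an assumed policy table."""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed policy: permission -> data category the BYOD policy cares about.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "device storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "device storage",
    "android.permission.READ_MEDIA_IMAGES": "image gallery",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def evaluate(manifest_xml: str, previous_manifest_xml: Optional[str] = None) -> dict:
    """Classify an app by the sensitive categories it touches. If a previous
    version is supplied, any sensitive permission added by the update forces a
    fresh review: earlier approval does not carry over."""
    perms = requested_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    added = perms - requested_permissions(previous_manifest_xml) if previous_manifest_xml else set()
    new_sensitive = sorted(p for p in added if p in SENSITIVE)
    if new_sensitive:
        verdict = "re-review"   # update expanded access to sensitive data
    elif categories:
        verdict = "review"      # touches sensitive data; IT decides
    else:
        verdict = "allow"       # no policy-relevant attributes found
    return {"verdict": verdict, "categories": categories, "added_sensitive": new_sensitive}

# Constructed sample manifests: v2 of a notes app starts requesting contacts.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n</manifest>')

if __name__ == "__main__":
    print(evaluate(MANIFEST_V1))                # allow
    print(evaluate(MANIFEST_V2, MANIFEST_V1))   # re-review: contacts access added
```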

A living, changing document

Above all, note that a BYOD policy has to be a living document, such that it reflects the realities of the dynamic hardware and software world. Lay down a strong base and build on it.
