5 Steps to a Safe BYOD Policy
Simply leaving staff to log onto company networks with no controls presents the IT department with an impossible job and puts company data and customer privacy at risk.
However, a successful internal Bring Your Own Device (BYOD) policy over many years can be achieved. Here are some of the valuable considerations to take note of when taking steps to keep data safe and staff happy.
- What is included and what is not?
Think about the sheer range of consumer devices and applications on the market today. It is not sensible to allow all devices and all applications onto the network. You may initially limit BYOD to phones and tablets to ease the security burden and also restrict the applications available so no sensitive data is kept on the devices.
Decide exactly what staff will be able to do with their BYOD device. For example, limiting access on corporate networks to only email and calendar functions keeps the security risk low. But be warned: once the process has begun, over time, staff will want more access to corporate applications and sensitive data. BYOD strategy needs to be flexible so it can adapt with your users over time.
It is often sensible to have a few different policies for staff working in different roles but be careful of introducing too much complexity. This can be hard to manage and can even cause resentment towards IT.
- Who owns what data and applications and who is responsible for security and updates?
Staff must know how to keep their devices safe and secure. That means keeping operating systems and applications updated but also physical device security. Staff must avoid misplacing hardware and prevent unauthorised access to their BYOD laptop or BYOD tablet.
Encryption should be used where necessary, but more importantly, sensitive data should not be accessible by devices unless absolutely required. Make it clear that company data remains the property of the company even when it is on an individual’s BYOD phone or tablet.
- When should passwords and biometric controls be used?
It makes sense to apply the same security rules whether people are using their own device or a corporate machine. No one would expect access to a corporate desktop without a password. Likewise, BYOD mobile devices used for company applications should use strong passwords and/or biometric controls.
Think about layers of security: a thumbprint for simple access to phone calls and texts but a further password or other check for access to company emails. Also, security teams must be able to track devices remotely and wipe data in case of theft or loss.
Staff must also know that appropriate-use guidelines apply to any device using the corporate network, not just BYOD computers.
- How are the devices and applications supported?
Someone has to make sure all devices have updated and secured software. Making staff responsible will require training and integration into the audit process for assurance purposes.
Full mobile fleet management is one answer but might be overkill for many organizations where risks are low and data access is limited. But asking the IT department to support an almost unlimited list of devices is an unreasonable burden.
- What happens when a member of staff leaves the organization?