To accommodate the working habits of an increasingly dispersed and mobile workforce, and to cut the cost of providing hardware to employees, more and more businesses are turning to BYOD, or Bring Your Own Device, schemes.
Why a Policy Matters
Allowing workers to use their personal phones, tablets, and phablets for official business raises a number of operational and security issues. These need to be formally addressed in a clear statement. A BYOD policy sets out a company’s conditions for such a scheme to be put in place. In drawing one up, there are several aspects to consider.
This guide should help.
Define The Terms
You’ll first need to establish that BYOD is appropriate for your organisation. This means selling the idea – both to management, and the workforce. So, some degree of consultation is required.
Representatives from the user base, your IT division or support company, finance, security, and other stakeholders may contribute to an outline of your BYOD strategy. As it develops, internal reviews and feedback should be taken on board before a final draft is established.
Even after you settle on a BYOD policy, it should be open to modification, as attitudes within your industry change.
Acceptable Devices and Operating Systems
Your BYOD policy statement should specify which mobile devices, operating systems, and applications you will support.
Get feedback from your staff about the equipment and applications they currently use. Common threads may emerge, and assist in compiling a master list of devices. Certain apps may be flagged as essential, in enabling staff to do their jobs.
You should also state which devices you’ll issue or deploy in-house, and compile a list of hardware and software that won’t be acceptable, under your BYOD policy.
Roles and Boundaries
Establish a clear boundary between business and personal use. This should be reflected on the devices themselves, with business apps and data held in a secure, managed container that is kept separate from the user’s personal apps and content.
Your BYOD scheme will typically include email, scheduling, and contact lists. Make sure your people know that these are for office use only, and that work-related emails must never be forwarded to their personal accounts.
Your IT department will also need rights over work-related apps and data under the policy, particularly for safeguarding corporate security. This may extend to remotely wiping business apps and data from employees’ devices (a selective wipe of the work container rather than the whole device, where the platform supports it), and to removing business apps when employees leave your organisation.
Give guidelines on how users can back up and secure any personal data (photos, music, etc.) stored on their devices, in the event of a system wipe.
PINs and passwords should be mandatory on all devices, with the device locking automatically after a short idle period. For corporate accounts this usually means long passwords (14 characters is not uncommon), combining numbers, upper- and lower-case letters, and symbols. If you require users to change these passwords, state the interval in the policy; note that current guidance such as NIST SP 800-63B favours long passphrases and a change whenever compromise is suspected over routine forced rotation, so decide which approach your policy takes and say so explicitly.
You should clearly state the consequences of failed password attempts, and any penalties attached to violations of the password protocols.
Encourage employees to use a password manager such as LastPass too, which can generate and store complex passwords.
Access and Authentication
To help your administrators quickly identify unauthorised users, each device should be registered with IT and authenticated before it is allowed to connect to the network.
Create access control lists (ACLs) to specify which users are allowed access to which network assets, applications, and tools, and grant access to these resources only once the user has authenticated.
At your headquarters and branch offices, the policy may stipulate that workers connect and authenticate via your corporate WLAN (an enterprise Wi-Fi network using 802.1X, i.e. WPA2/WPA3-Enterprise, rather than open guest Wi-Fi or mobile data). This adds a further layer of security to BYOD operations, reduces costs and speeds data delivery, while improving device battery life.
Placing BYOD devices on their own virtual local area network (VLAN) will separate them from sensitive network resources you do not wish them to reach.
Sensitive data stored on your employees’ devices should be protected by strong encryption, and your BYOD policy should spell this out. Devices which don’t support this encryption should be blocked from the network. If a device as a whole can’t be encrypted, sensitive information on it should be confined to encrypted folders.
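The registration, ACL, VLAN and encryption requirements above amount to a posture check that a NAC or MDM integration runs before a device is let onto the network. The following Python is an added illustration, not code from the article or any vendor product: the policy thresholds (minimum OS versions, passcode length, VLAN names) and the device records are assumptions constructed for the example. Hard requirements (registration, an approved OS, usable storage encryption, a passcode at all) block the device outright; softer ones (an old OS build, a short passcode, no managed container) send it to a quarantine VLAN with the reasons recorded so the help desk can remediate.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values are assumptions chosen for this example, not figures from the article.
MIN_OS_VERSION: Dict[str, str] = {"iOS": "16.0", "Android": "12.0"}
MIN_PASSCODE_LENGTH = 6
VLAN_FOR_ACTION = {"allow": "byod", "quarantine": "byod-quarantine", "block": None}


@dataclass
class Device:
    """Posture data as an MDM or NAC agent would report it (constructed here)."""
    device_id: str
    os_name: str
    os_version: str          # dotted version string reported by the device
    registered: bool         # enrolled with IT before first connection
    storage_encrypted: bool  # full-device encryption switched on and usable
    passcode_length: int     # 0 means no PIN or password is set
    work_container: bool     # business apps live in a managed container


@dataclass
class Decision:
    action: str              # "allow", "quarantine" or "block"
    vlan: Optional[str]      # network segment the device is placed on (None = no access)
    reasons: List[str] = field(default_factory=list)


def parse_version(text: str, width: int = 3) -> Tuple[int, ...]:
    """Turn "17.1.2", "13" or "14.2b1" into a fixed-width tuple so that
    "13" compares equal to "13.0.0" instead of sorting below it."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)  # leading digits only; "2b1" -> 2
        parts.append(int(match.group()) if match else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def evaluate(device: Device) -> Decision:
    """Apply the policy in order of severity: hard requirements block,
    softer ones send the device to the quarantine VLAN for remediation."""
    def block(reason: str) -> Decision:
        return Decision("block", VLAN_FOR_ACTION["block"], [reason])

    if not device.registered:
        return block("device not registered with IT")
    if device.os_name not in MIN_OS_VERSION:
        return block(f"operating system {device.os_name!r} is not on the approved list")
    if not device.storage_encrypted:
        return block("device does not provide storage encryption")
    if device.passcode_length == 0:
        return block("no PIN or password set")

    reasons: List[str] = []
    required = MIN_OS_VERSION[device.os_name]
    if parse_version(device.os_version) < parse_version(required):
        reasons.append(f"{device.os_name} {device.os_version} is below minimum {required}")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        reasons.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if not device.work_container:
        reasons.append("business apps not confined to a managed container")

    if reasons:
        return Decision("quarantine", VLAN_FOR_ACTION["quarantine"], reasons)
    return Decision("allow", VLAN_FOR_ACTION["allow"])


# Constructed sample inventory covering each outcome.
SAMPLE_DEVICES = [
    Device("ios-001", "iOS", "17.1.2", True, True, 6, True),
    Device("and-002", "Android", "11", True, True, 4, False),
    Device("and-003", "Android", "13", False, True, 6, True),
    Device("old-004", "Windows Phone", "8.1", True, False, 4, False),
]


def evaluate_all(devices=SAMPLE_DEVICES) -> Dict[str, Decision]:
    """Evaluate every device and key the decisions by device id."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, decision in evaluate_all().items():
        print(f"{device_id}: {decision.action} (vlan={decision.vlan})")
        for reason in decision.reasons:
            print(f"    - {reason}")
```

The ordering of checks is the design choice worth copying: anything the policy says must block (unregistered, unsupported OS, no encryption, no passcode) is tested first and returns immediately, while the remediable findings are all collected so the user gets the complete list in one go rather than discovering them one reconnection at a time.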
Keep Content Contained
Containment should extend to the way sensitive information is handled throughout your network. All data passing to and from mobile devices should first pass through a firewall, then an intrusion detection system (IDS) or intrusion prevention system (IPS). For devices working off-site, this means routing business traffic back through a VPN or an equivalent gateway rather than letting it go straight to the internet.
Ensure that all BYOD devices are outfitted with a consistent set of antivirus, antimalware, and other security software. Your policy should set parameters for when and how these tools, and the device operating system itself, are to be updated or patched.
Ideally, you should specify a preferred set of apps which store data in the cloud, rather than on individual devices. Any corporate data that is stored on a device should be encrypted, and/or kept in an encrypted section of the device.
Co-ordinate with your IT division to draw up a strategy for when things go wrong, as they inevitably will. Lost or stolen devices, software glitches, repairs, and maintenance: protocols for all of these should be set down.
Define the levels of support which IT will be expected to give for personal devices. Explain the workings of your Help Desk system, and its degree of availability.
If devices are to be lent to users while their own hardware is in for repairs, specify the approved makes and models. If systems are to be wiped and reconfigured, explain the measures in place for users to protect their data before this has to happen.
Staff turnover needs to be taken into account. When employees leave, their personal equipment goes with them. Your BYOD policy must ensure that none of your sensitive data, communications, or apps leave, too.
It’s common for BYOD devices to be wiped, prior to a worker’s departure. If this is the case, put in measures for employees to back up their personal applications and content, beforehand. Your policy should preserve your right to wipe data once an established deadline is reached.
Put it In Writing
All of the above should be set out in a formal BYOD policy document. Digital copies should be distributed to your workforce prior to commencement of the scheme, so they can study and understand the terms. A physical form should be drawn up for them to sign, as an indicator of their consent. You may need to institute penalties for those who refuse, such as denial of access to your network.
Your BYOD policy has legal implications, so appropriate counsel should be part of the drafting process. The text should include clauses for your organisation’s legal protection against claims for lost data, damaged equipment, etc. Review the document annually (at least), to reflect changes in your industry and the operating environment, generally.
Learn from Others
Studying the BYOD policies put in place by other organisations may help in crafting yours. The TechRepublic website has a page featuring BYOD policy templates from a diverse range of bodies. These can serve as a starting point for you.
BYOD is now firmly entrenched within many modern organisations. This does cause its own issues surrounding security, so ensure that you have your business covered with a sound policy which covers everything, including the use of shadow IT.