The rise of the bring your own device (BYOD) movement is inevitable, and Gartner predicts that 2017 should see half of the world’s employers implementing a BYOD policy. As BYOD and mobility grow in the workplace, so do security challenges, privacy risks, and employee demands. Managing a corporate BYOD program is a complex balancing task that involves protecting company interests and satisfying employee needs without compromising productivity.
Employee Pressure May Compromise Productivity
Employees are stressed about limitations on the type of device they can use, controlled access to data they can work on, incurring added charges on Wi-Fi outside the workplace, and privacy issues. In a recent survey conducted by Information Solutions Group for Syntonic, a company that offers mobile content solutions, 50% of employees revealed that restrictions on their smart devices reduce productivity.
Workers want to use devices they are comfortable with, and these are often their personal devices. Using familiar devices helps workers improve their satisfaction levels, leading to greater productivity. For instance, Cisco noted a 33% increase in employee satisfaction when the company allowed its employees to use their personal smartphones and iPads.
However, employees who experience limitations on the type of device they want to use and controlled access to the corporate network are prevented from efficiently executing their tasks.
Reimbursement is another testy issue where employers and employees often have different views. When employees use their own devices, they naturally purchase them at their personal expense, including the Wi-Fi plans. While a few states have incorporated BYOD reimbursement in their labor laws, it doesn’t seem to be the norm.
Privacy is yet another concern for employees. They don’t like their favorite apps blocked or invaded with intrusive mobile device management (MDM) systems.
Striking a Balance Between Corporate Interests and Employee Needs
It is time for employers to review, revise, or craft a definitive BYOD strategy that satisfies both corporate interests and employee needs.
Rob Tiffany, a mobile strategist at Microsoft, recommends that employers let employees know what devices and operating systems meet the requirements of their BYOD policies. BYOD doesn’t mean workers can use any device they want. It should be made clear to them that the devices they use must be compliant with the company’s network and security requirements.
A secure BYOD policy underscores the importance of managing sensitive data throughout its entire lifecycle — from creation to transfer to storage to removal. Password protection, remote wipe, data, device encryption, and data removal at device disposal or employee separation are basic risk control measures for securing mobile devices.
An MDM system is an additional line of defense for mitigating mobile security risks. However, user privacy becomes an issue if no mechanism is put in place for separating personal from corporate content. The policy should, thus, describe privacy protections and exceptions, apps that are allowed or banned, and specific user activities that are prohibited.
An alternative to restrictive MDM systems is the use of a virtual infrastructure where all data is stored on a third-party server. Nothing is left on the devices after users end the sessions and log out from the system.
The BYOD policy should also address financial concerns. It should outline who pays for devices, carrier plans, Wi-Fi charges, roaming costs, and other related expenses.
Crafting Your BYOD Policy
The bring your own device (BYOD) movement is a force that is engulfing the corporate world. As the steam for its adoption builds, both enterprises and small businesses must prepare for an increasingly mobile workforce that wants to work anywhere and anytime, without sacrificing security. A BYOD policy can save your business money, give employees flexibility in the way they work, and promote greater job satisfaction. However, the security risks associated with allowing employees to use their personal devices need to be addressed. Given effective policies and good management, BYOD can comply with almost any company’s security requirements.
When convenience clashes with security, network security is paramount. However, a well-written and strictly implemented BYOD policy can strike a good balance between the two. IT policy planners need to get answers to critical questions to address both employee needs and security concerns, now and in the future.
What devices are allowed?
The policy should clearly identify devices and operating systems the network can support and, thus, are allowed. Specific brands, breeds, series, models, and other type categories need to be named to preclude items with known vulnerabilities.
Equally important is a provision on what devices are not allowed. For instance, rooted or jailbroken devices are considered security-compromised as they are prone to viruses, malware, and hacking. Devices with outdated operating systems and patches are likewise not allowed because of their high vulnerability levels. Devices bought from manufacturers with generic security policies can also be a threat to the network. They should not be permitted in a BYOD program unless the devices are configured to meet the security requirements of the network support matrix.
What applications are allowed?
Companies should decide what applications can be included in their BYOD program depending on their specific security requirements. However, there is a growing concern over what applications employees can download to their devices that have access to corporate resources.
Social media browsing and email applications are common web activities that can expose mobile devices to vulnerabilities. Hypothetically, the new application of a major social media site may have a security hole that allows spammers access to the mobile device used by an employee. The spamming can then spread across the enterprise network. To prevent the downloading of questionable applications, the policy should include a list of applications that are not allowed, and mitigate risks by:
- Installing anti-virus programs on mobile devices
- Embedding security into mobile application development
- Managing applications both through an in-house system and a tested mobile application management solution
Is security tight enough?
Security is at the center of any BYOD policy. Risks relating to mobile device security are often caused by lost and stolen devices, increased data access, and a lack of user security awareness. In a BYOD environment, the risk is accentuated when companies fail to set minimum security requirements or instill user security awareness. Securing employees’ devices should be a work in progress that includes:
- Evaluating and monitoring device usage and access
- Enforcing standard security policies like encryption, passwords, and remote wiping of compromised devices
- Certifying hardware, operating systems, and applications
- Implementing layered access to protect critical data and applications
BYOD is not a simple IT initiative. It requires the analysis of key factors related to security policies, delivery models, and support structure to define a successful BYOD strategy. If you’re looking to implement your own BYOD program, contact us at BlackPoint IT Services for a no-commitment consultation.