Still debating whether or not to allow employees to use their own smartphones and tablets for work? Many organizations realize they may not have a choice.
A recent survey conducted by HDI found that the primary motivating factor for adopting a formal BYOD program was employee demand. Employees are using their own devices at work with or without IT’s approval.
At first glance, this scenario seems like a security nightmare. The risks of unsecured mobile devices and unwitting or malicious users are heightened once they’ve crossed the perimeter of your network. However, with the right tools, companies can work BYOD to their advantage.
Tool #1: A written mobility policy
A written mobility policy is an absolute must to safeguard the company’s network and its data and prevent costs from spiraling out of control. It must clearly define the parameters of the program so that both the company and the employees benefit from the freedom of a BYOD work environment.
Besides listing which devices are allowed, here’s what a policy should include:
- Who gets to bring their own device? Is it open to all employees or a select few based on their job responsibilities?
- Who pays for it, the company or the employee? Or does the employee receive a monthly stipend?
- State that the company has a zero-tolerance policy for texting or emailing while driving, and that only hands-free talking while driving is permitted.
- Are devices with cameras and video-recording capabilities allowed on-site? (In some cases, it is possible to disable these features remotely.)
- When should the user call the company help desk for support and when should they call the device or service vendor?
- When it comes to keeping devices in compliance with network security policies, what is the employee’s responsibility and what is the IT department’s responsibility?
- What is the procedure for reporting lost or stolen devices? What will the company do to a lost or stolen device? Explain that locking or wiping the device remotely is a possibility and how employees’ personal data can be protected.
- Provide a white list/black list of apps so that employees know what they can and cannot install on their devices.
- What is acceptable use at work vs. at home? For example, what websites are off limits while the user is at work?
- What are the consequences for not complying with the policy? One example might be that attempting to access the network with a jailbroken Apple device or rooted Android device will result in being denied access to the network and/or the user being excluded from the BYOD program.
Start by writing a basic policy. Then, expand it to address employees across the enterprise with varying job requirements. For example, employees who travel frequently will need to know how to connect on the road without racking up fees.
It is not enough to publish the policy and hand out copies to everyone. Conduct training sessions with employees to go over the policy in person and give them a chance to ask questions. Ask them to sign off on it.
Update the policy as new devices and apps become available and keep employees in the loop; awareness is the key to keeping users compliant.
Tool #2: Mobile Device Management (MDM) software
Before venturing too far down the path toward a major investment in MDM software, evaluate what can be done with the company’s existing tools, for example Network Access Control software, Active Directory, MS Exchange, WiFi or VPN. If MDM software is indeed warranted, consider the size and scope of the company’s mobile operations to figure out which application best suits organizational needs.
There are many options when it comes to MDM applications. The areas they cover include:
- Email management
- Document/content management
- Regulatory compliance regarding data and privacy
- Automated provisioning
- User self-enrollment
- Reporting capabilities, and
- Mobility expense management.
Other points you’ll want to investigate are:
- Can the application separate corporate data from personal data on the device?
- Can it remote lock/wipe only corporate data?
- How does it protect employees’ privacy?
- What encryption methods and protocols does it use?
Tool #3: IT Staff Training
IT managers must assess their staff’s knowledge of mobile devices during the planning process, as well as their familiarity with mobile device security. Get input from the support staff to find out:
- How familiar they are with the devices, operating systems, and platforms currently available
- If they can activate the security features of those devices
- If they know how to troubleshoot connectivity issues
- If they can identify apps that can provide secure data access on mobile devices
- If they can develop apps to provide secure data access if needed
- What knowledge gaps need to be filled, and
- If you need to hire additional staff.
As part of the support staff’s training, buy a few of the devices they will support so they can experiment with them. Set up a test environment if possible (especially if the company purchased MDM software) and invite them to learn on their own devices as well. Some staff may need to learn how to say no to users and refer them to the policy or the device vendor.
A well-written mobility policy, appropriate MDM software and effective training can turn BYOD into a dream come true for companies looking to shield themselves from risk while giving employees the freedom they crave. When the program is done right, both companies and employees can benefit from it.