Endpoint

4/10/2018
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Pairing Policy & Technology: BYOD That Works for Your Enterprise

An intelligent security policy coupled with the right technology can set you up for success with BYOD.

By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device, according to Gartner. From both a security and a compliance perspective, this makes data governance more difficult. The bring-your-own-device (BYOD) trend is not about the mingling of corporate and personal devices, operating systems, and data for the convenience of employees; it's a true business benefit that can be achieved only when policy and technology work together.

Strong Policies Reduce Risks
It's critical to establish strict policies and a clear BYOD strategy to ensure that sensitive corporate assets aren't carried away on workers' personal devices and that the risks of BYOD don't outweigh the rewards. Embracing BYOD — and having a strong plan that considers internal policy and technology — can help your organization take advantage of the trend's benefits while reducing the dangers of shadow IT and related issues.

To take steps toward a strong BYOD plan, IT leadership should consider the cultural aspects of the organization, costs, regulatory issues, and associated risks to effectively expand mobility across the enterprise. Further, it's important to establish and communicate, across the organization, guidelines or restrictions specifying which devices are authorized for use within the corporate infrastructure, and clearly defined business-use policies regarding ownership, reimbursement, security, support, and other expectations.

Consider these practices to ensure that policy and technology are working in unison:

1. Determine Approved Devices
Which devices are fair game for your BYOD policy? Your short list of approved devices should include the popular, enterprise-ready devices in common use. You may choose to approve specific devices, or specific operating systems, if they meet your baseline security requirements. Make your decisions based on the manageability of the OS and your application strategy. If you belong to a multinational organization, remember that devices vary from country to country.

2. Define Reimbursement Rules
The perception that a BYOD strategy will save you money by passing on the cost of hardware, and even monthly service, to the user is incorrect. There are many more cost-related items to consider when defining reimbursement rules. Some items to include in your BYOD policy are:

  • Device costs, including repairs, replacement, and insurance
  • Payment of voice and data plans, including roaming charges when an employee travels
  • Accessories and support

3. Specify Ownership Rights
Data is more important than ever, and a BYOD policy may test the effectiveness of your enterprise data management initiatives. Your policies should make clear that ownership of all corporate data on the devices and the applications your workers use in support of their role at your organization are your intellectual property. Allowing access to corporate data on personal devices means that your organization will be exposed to privacy laws, which vary significantly around the world, and are intended to protect the employee. Countries in the European Union have the most restrictive privacy laws and regulations, and as such, require more due diligence before rolling out a BYOD initiative.

4. Set Security Stance
Security postures cover both the physical security of a device and the data on it. Security policies should extend to cover jailbroken or rooted devices, malware, and lost or stolen devices. In the case of lost or stolen devices, companies must determine whether they would wipe only corporate data or all data on the device. Other tricky decisions, like whether to enable GPS tracking on devices, must be carefully considered. While this might assist in the recovery of a lost or stolen device, it may give employees an uneasy feeling and/or violate privacy regulations. 

5. Communicate Clear Expectations
Success or failure of any change management initiative relies on proper communication. Employees must understand the boundaries of the BYOD policy and the security measures necessary to keep corporate data safe. HR and IT must act jointly to communicate employee roles and responsibilities. This includes program onboarding and additional training at least once a year to reinforce or update your policy. Periodic changes to your organization's policy should be expected. It's imperative that employees are notified of any new policy changes and that they're educated about the impact of those changes on how they use their devices for company business.

6. Establish Support Structure
You should establish clear guidelines about who is responsible for device and application troubleshooting as well as maintenance. Is your users' corporate mail client crashing? If it's an enterprise application, then your IT department probably will need to provide support to correct the problem. Did a user drop his or her laptop in the pool? Your IT department may need to provide a loaner unit to ensure business continuity. A proper support structure will ensure that devices are properly maintained and that your business is not negatively affected by a missing or damaged device. 

7. Develop Decommissioning Strategy
Because a device is personally owned, it will not be returned to the company when the employee leaves. Therefore, you must have an established policy for decommissioning employee devices. Before a user is allowed to conduct company business using his or her personal device(s), this policy must be clear to the device owner and strictly enforced to ensure the security of your corporate data. When developing your decommissioning strategy, consider what you want to do with the data contained on the device when the user leaves your organization. Determine who within your organization should get the data before you decommission the device. Do you want to save a copy of the data to a thumb drive, other storage device on your network, or in the cloud? Determine if the device will be selectively wiped of corporate-only data, or in the case of termination, wiped of all data. No one wants to have his or her device wiped of personal data when expecting only corporate data to be removed.

The benefits of BYOD to businesses and employees are many. To set up your organization for success with BYOD, now is the time to ensure that your policies and technology work in harmony so that BYOD works for all. 

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Peter Merkulov serves as Chief Technology Officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering, and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Who Takes Responsibility for Cyberattacks in the Cloud?
Kelly Sheridan, Staff Editor, Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: On the SS7 network, nobody knows you're a dog.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18812
PUBLISHED: 2019-01-16
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the S...
CVE-2018-18813
PUBLISHED: 2019-01-16
The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire...
CVE-2018-18814
PUBLISHED: 2019-01-16
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, indep...
CVE-2018-5740
PUBLISHED: 2019-01-16
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is i...
CVE-2018-5741
PUBLISHED: 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update ...