Endpoint

4/10/2018
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Pairing Policy & Technology: BYOD That Works for Your Enterprise

An intelligent security policy coupled with the right technology can set you up for success with BYOD.

By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device, according to Gartner. From both a security and a compliance perspective, this makes data governance more difficult. The bring-your-own-device (BYOD) trend is not about the mingling of corporate and personal devices, operating systems, and data for the convenience of employees; it's a true business benefit that can be achieved only when policy and technology work together.

Strong Policies Reduce Risks
It's critical to establish strict policies and a clear BYOD strategy to ensure that sensitive corporate assets aren't carried away on workers' personal devices and that the risks of BYOD don't outweigh the rewards. Embracing BYOD — and having a strong plan that considers internal policy and technology — can help your organization take advantage of the trend's benefits while reducing the dangers of shadow IT and related issues.

To take steps toward a strong BYOD plan, IT leadership should consider the cultural aspects of the organization, costs, regulatory issues, and associated risks to effectively expand mobility across the enterprise. Further, it's important to establish and communicate, across the organization, guidelines or restrictions specifying which devices are authorized for use within the corporate infrastructure, and clearly defined business-use policies regarding ownership, reimbursement, security, support, and other expectations.

Consider these practices to ensure that policy and technology are working in unison:

1. Determine Approved Devices
Which devices are fair game for your BYOD policy? Your short list of approved devices should include the popular, enterprise-ready devices in common use. You may choose to approve specific devices, or specific operating systems, if they meet your baseline security requirements. Make your decisions based on the manageability of the OS and your application strategy. If you belong to a multinational organization, remember that devices vary from country to country.

2. Define Reimbursement Rules
The perception that a BYOD strategy will save you money by passing on the cost of hardware, and even monthly service, to the user is incorrect. There are many more cost-related items to consider when defining reimbursement rules. Some items to include in your BYOD policy are:

  • Device costs, including repairs, replacement, and insurance
  • Payment of voice and data plans, including roaming charges when an employee travels
  • Accessories and support

3. Specify Ownership Rights
Data is more important than ever, and a BYOD policy may test the effectiveness of your enterprise data management initiatives. Your policies should make clear that ownership of all corporate data on the devices and the applications your workers use in support of their role at your organization are your intellectual property. Allowing access to corporate data on personal devices means that your organization will be exposed to privacy laws, which vary significantly around the world, and are intended to protect the employee. Countries in the European Union have the most restrictive privacy laws and regulations, and as such, require more due diligence before rolling out a BYOD initiative.

4. Set Security Stance
Security postures cover both the physical security of a device and the data on it. Security policies should extend to cover jailbroken or rooted devices, malware, and lost or stolen devices. In the case of lost or stolen devices, companies must determine whether they would wipe only corporate data or all data on the device. Other tricky decisions, like whether to enable GPS tracking on devices, must be carefully considered. While this might assist in the recovery of a lost or stolen device, it may give employees an uneasy feeling and/or violate privacy regulations. 

5. Communicate Clear Expectations
Success or failure of any change management initiative relies on proper communication. Employees must understand the boundaries of the BYOD policy and the security measures necessary to keep corporate data safe. HR and IT must act jointly to communicate employee roles and responsibilities. This includes program onboarding and additional training at least once a year to reinforce or update your policy. Periodic changes to your organization's policy should be expected. It's imperative that employees are notified of any new policy changes and that they're educated about the impact of those changes on how they use their devices for company business.

6. Establish Support Structure
You should establish clear guidelines about who is responsible for device and application troubleshooting as well as maintenance. Is your users' corporate mail client crashing? If it's an enterprise application, then your IT department probably will need to provide support to correct the problem. Did a user drop his or her laptop in the pool? Your IT department may need to provide a loaner unit to ensure business continuity. A proper support structure will ensure that devices are properly maintained and that your business is not negatively affected by a missing or damaged device. 

7. Develop Decommissioning Strategy
Because a device is personally owned, it will not be returned to the company when the employee leaves. Therefore, you must have an established policy for decommissioning employee devices. Before a user is allowed to conduct company business using his or her personal device(s), this policy must be clear to the device owner and strictly enforced to ensure the security of your corporate data. When developing your decommissioning strategy, consider what you want to do with the data contained on the device when the user leaves your organization. Determine who within your organization should get the data before you decommission the device. Do you want to save a copy of the data to a thumb drive, other storage device on your network, or in the cloud? Determine if the device will be selectively wiped of corporate-only data, or in the case of termination, wiped of all data. No one wants to have his or her device wiped of personal data when expecting only corporate data to be removed.

The benefits of BYOD to businesses and employees are many. To set up your organization for success with BYOD, now is the time to ensure that your policies and technology work in harmony so that BYOD works for all. 

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Peter Merkulov serves as Chief Technology Officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering, and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.