Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/10/2018
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Pairing Policy & Technology: BYOD That Works for Your Enterprise

An intelligent security policy coupled with the right technology can set you up for success with BYOD.

By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device, according to Gartner. From both a security and a compliance perspective, this makes data governance more difficult. The bring-your-own-device (BYOD) trend is not about the mingling of corporate and personal devices, operating systems, and data for the convenience of employees; it's a true business benefit that can be achieved only when policy and technology work together.

Strong Policies Reduce Risks
It's critical to establish strict policies and a clear BYOD strategy to ensure that sensitive corporate assets aren't carried away on workers' personal devices and that the risks of BYOD don't outweigh the rewards. Embracing BYOD — and having a strong plan that considers internal policy and technology — can help your organization take advantage of the trend's benefits while reducing the dangers of shadow IT and related issues.

To take steps toward a strong BYOD plan, IT leadership should consider the cultural aspects of the organization, costs, regulatory issues, and associated risks to effectively expand mobility across the enterprise. Further, it's important to establish and communicate, across the organization, guidelines or restrictions specifying which devices are authorized for use within the corporate infrastructure, and clearly defined business-use policies regarding ownership, reimbursement, security, support, and other expectations.

Consider these practices to ensure that policy and technology are working in unison:

1. Determine Approved Devices
Which devices are fair game for your BYOD policy? Your short list of approved devices should include the popular, enterprise-ready devices in common use. You may choose to approve specific devices, or specific operating systems, if they meet your baseline security requirements. Make your decisions based on the manageability of the OS and your application strategy. If you belong to a multinational organization, remember that devices vary from country to country.

2. Define Reimbursement Rules
The perception that a BYOD strategy will save you money by passing on the cost of hardware, and even monthly service, to the user is incorrect. There are many more cost-related items to consider when defining reimbursement rules. Some items to include in your BYOD policy are:

  • Device costs, including repairs, replacement, and insurance
  • Payment of voice and data plans, including roaming charges when an employee travels
  • Accessories and support

3. Specify Ownership Rights
Data is more important than ever, and a BYOD policy may test the effectiveness of your enterprise data management initiatives. Your policies should make clear that ownership of all corporate data on the devices and the applications your workers use in support of their role at your organization are your intellectual property. Allowing access to corporate data on personal devices means that your organization will be exposed to privacy laws, which vary significantly around the world, and are intended to protect the employee. Countries in the European Union have the most restrictive privacy laws and regulations, and as such, require more due diligence before rolling out a BYOD initiative.

4. Set Security Stance
Security postures cover both the physical security of a device and the data on it. Security policies should extend to cover jailbroken or rooted devices, malware, and lost or stolen devices. In the case of lost or stolen devices, companies must determine whether they would wipe only corporate data or all data on the device. Other tricky decisions, like whether to enable GPS tracking on devices, must be carefully considered. While this might assist in the recovery of a lost or stolen device, it may give employees an uneasy feeling and/or violate privacy regulations. 

5. Communicate Clear Expectations
Success or failure of any change management initiative relies on proper communication. Employees must understand the boundaries of the BYOD policy and the security measures necessary to keep corporate data safe. HR and IT must act jointly to communicate employee roles and responsibilities. This includes program onboarding and additional training at least once a year to reinforce or update your policy. Periodic changes to your organization's policy should be expected. It's imperative that employees are notified of any new policy changes and that they're educated about the impact of those changes on how they use their devices for company business.

6. Establish Support Structure
You should establish clear guidelines about who is responsible for device and application troubleshooting as well as maintenance. Is your users' corporate mail client crashing? If it's an enterprise application, then your IT department probably will need to provide support to correct the problem. Did a user drop his or her laptop in the pool? Your IT department may need to provide a loaner unit to ensure business continuity. A proper support structure will ensure that devices are properly maintained and that your business is not negatively affected by a missing or damaged device. 

7. Develop Decommissioning Strategy
Because a device is personally owned, it will not be returned to the company when the employee leaves. Therefore, you must have an established policy for decommissioning employee devices. Before a user is allowed to conduct company business using his or her personal device(s), this policy must be clear to the device owner and strictly enforced to ensure the security of your corporate data. When developing your decommissioning strategy, consider what you want to do with the data contained on the device when the user leaves your organization. Determine who within your organization should get the data before you decommission the device. Do you want to save a copy of the data to a thumb drive, other storage device on your network, or in the cloud? Determine if the device will be selectively wiped of corporate-only data, or in the case of termination, wiped of all data. No one wants to have his or her device wiped of personal data when expecting only corporate data to be removed.

The benefits of BYOD to businesses and employees are many. To set up your organization for success with BYOD, now is the time to ensure that your policies and technology work in harmony so that BYOD works for all. 

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Peter Merkulov serves as Chief Technology Officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering, and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0828
PUBLISHED: 2020-02-21
Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BM...
CVE-2012-0844
PUBLISHED: 2020-02-21
Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
CVE-2013-3587
PUBLISHED: 2020-02-21
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses...
CVE-2012-6277
PUBLISHED: 2020-02-21
Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8....
CVE-2012-0063
PUBLISHED: 2020-02-21
Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.