By 2020, 90% of global enterprises will have implemented business processes that depend on a mobile device, according to Gartner. From both a security and a compliance perspective, this makes data governance more difficult. The bring-your-own-device (BYOD) trend is not about the mingling of corporate and personal devices, operating systems, and data for the convenience of employees; it's a true business benefit that can be achieved only when policy and technology work together.
Strong Policies Reduce Risks
It's critical to establish strict policies and a clear BYOD strategy to ensure that sensitive corporate assets aren't carried away on workers' personal devices and that the risks of BYOD don't outweigh the rewards. Embracing BYOD — and having a strong plan that considers internal policy and technology — can help your organization take advantage of the trend's benefits while reducing the dangers of shadow IT and related issues.
To take steps toward a strong BYOD plan, IT leadership should consider the cultural aspects of the organization, costs, regulatory issues, and associated risks to effectively expand mobility across the enterprise. Further, it's important to establish and communicate, across the organization, guidelines or restrictions specifying which devices are authorized for use within the corporate infrastructure, and clearly defined business-use policies regarding ownership, reimbursement, security, support, and other expectations.
Consider these practices to ensure that policy and technology are working in unison:
1. Determine Approved Devices
Which devices are fair game for your BYOD policy? Your short list of approved devices should include the popular, enterprise-ready devices in common use. You may choose to approve specific devices, or specific operating systems, if they meet your baseline security requirements. Make your decisions based on the manageability of the OS and your application strategy. If you belong to a multinational organization, remember that devices vary from country to country.
2. Define Reimbursement Rules
The perception that a BYOD strategy will save you money by passing on the cost of hardware, and even monthly service, to the user is incorrect. There are many more cost-related items to consider when defining reimbursement rules. Some items to include in your BYOD policy are:
- Device costs, including repairs, replacement, and insurance
- Payment of voice and data plans, including roaming charges when an employee travels
- Accessories and support
3. Specify Ownership Rights
Data is more important than ever, and a BYOD policy may test the effectiveness of your enterprise data management initiatives. Your policies should make clear that all corporate data on the devices, and the applications your workers use in support of their role at your organization, are your intellectual property. Allowing access to corporate data on personal devices means that your organization will be exposed to privacy laws, which vary significantly around the world and are intended to protect the employee. Countries in the European Union have the most restrictive privacy laws and regulations, and as such require more due diligence before rolling out a BYOD initiative.
4. Set Security Stance
Security postures cover both the physical security of a device and the data on it. Security policies should extend to cover jailbroken or rooted devices, malware, and lost or stolen devices. In the case of lost or stolen devices, companies must determine whether they would wipe only corporate data or all data on the device. Other tricky decisions, like whether to enable GPS tracking on devices, must be carefully considered. While tracking might assist in the recovery of a lost or stolen device, it may make employees uneasy or violate privacy regulations.
5. Communicate Clear Expectations
Success or failure of any change management initiative relies on proper communication. Employees must understand the boundaries of the BYOD policy and the security measures necessary to keep corporate data safe. HR and IT must act jointly to communicate employee roles and responsibilities. This includes program onboarding and additional training at least once a year to reinforce or update your policy. Periodic changes to your organization's policy should be expected. It's imperative that employees are notified of any new policy changes and that they're educated about the impact of those changes on how they use their devices for company business.
6. Establish Support Structure
You should establish clear guidelines about who is responsible for device and application troubleshooting as well as maintenance. Is your users' corporate mail client crashing? If it's an enterprise application, then your IT department probably will need to provide support to correct the problem. Did a user drop his or her laptop in the pool? Your IT department may need to provide a loaner unit to ensure business continuity. A proper support structure will ensure that devices are properly maintained and that your business is not negatively affected by a missing or damaged device.
7. Develop Decommissioning Strategy
Because a device is personally owned, it will not be returned to the company when the employee leaves. Therefore, you must have an established policy for decommissioning employee devices. Before a user is allowed to conduct company business using his or her personal device(s), this policy must be clear to the device owner and strictly enforced to ensure the security of your corporate data. When developing your decommissioning strategy, consider what you want to do with the data contained on the device when the user leaves your organization. Determine who within your organization should receive the data before you decommission the device. Do you want to save a copy of the data to a thumb drive, to another storage device on your network, or to the cloud? Determine whether the device will be selectively wiped of corporate-only data or, in the case of termination, wiped of all data. No one wants to have his or her device wiped of personal data when expecting only corporate data to be removed.
The benefits of BYOD to businesses and employees are many. To set up your organization for success with BYOD, now is the time to ensure that your policies and technology work in harmony so that BYOD works for all.