Before smartphones and tablets began flooding the technology market, information security was a lot easier to manage – employees were assigned a company computer, and this had any relevant security and network control software installed on it. Today, we have PDA users wanting to use their devices for company tools such as email. How does the company control devices, ownership of information, support and the other issues that arise? Read on to find out more…
When your company opens its gates to embrace personal mobile technology, it’s very important to bear in mind the can of worms that will open all over the IT department’s desk…not that this should discourage you from allowing personal devices to be used. Personal devices are not limited to smartphones and tablets – they encompass USB drives, memory cards and personal computers too.
These are key questions that IT departments need to think about:
- Will the company be liable to contribute towards the cost of the device or associated service contract? If so, who owns the data on the device, and what happens to it, and to its phone number, when an employee leaves?
- Who is responsible for the device’s support? The internal IT department? This will need extra training. If you direct users to the manufacturer, expect an endless loop of responsibility ping-pong.
- How do you secure company data on devices? A 4-digit PIN is hardly likely to survive very long in a DoS attack.
- Who is responsible for backing up the device?
- How do you secure your company network? There is no way to control what people download or which websites they visit on a personal device.
- Who pays for a device if it is lost, damaged or stolen? Does it depend on the context it was being used for at the time?
- Who is responsible for anti-malware on the device? It is a common belief that iPhones, for example, are very secure, but a recent study has found over 160 loopholes in its security.
- Can the IT department remotely wipe the device including personal information, if it is compromised?
- What measures will you take against misuse of a personal device on the network?
All this needs to be thought about now, if you are not already doing so, because all it takes is one person to leave their device on the metaphorical bus, or to download an insecure version of an application, and a hacker could be into your company email, file share or, worse still, servers.
So, introducing the BYOD policy… No matter whether you are a global corporation whose policy is ‘no personal devices can ever be used’ or a small firm with 10 users wanting to get access to email from home, or anywhere in between – you all need a policy that will meet YOUR business requirements.
Don’t be tempted down the route of not allowing devices at all, because studies have shown huge surges in productivity for those companies who allow personal devices. I, for one, use mine for work – I have an iPhone and I’d be very restricted without it when keeping track of incoming emails at home before and after work. Some people use it for company cloud tools – web-based time management software or CRM tools. These lend themselves well to tablet screens.
A suggested route to creating a successful BYOD policy is compromise. Make it clear to employees that the company is not ‘forcing’ them to use their personal device, but that if they would like the luxury of doing so, they must adhere to a certain set of rules. That way, employees volunteer themselves and there is no grey area. It also means that IT staff are not forced to learn new technology – they can try, but there are no guarantees. Having said that, I’d like to meet an IT support technician who isn’t intuitive enough to pick up and fix just about any personal device!
USB and flash drives should be used with caution – using encrypted devices is a well-recommended practice, and personal USB drives should be permitted only once IT has checked them. The difficulty with a BYOD policy is juggling the convenience with the restrictions. The rules are not intended to make life difficult, and it is very hard to track compliance with any specific rule without complex network monitoring.
However, to be able to enforce your BYOD policy effectively, you will need to be able to detect misbehaviour. As soon as employees see that your BYOD policy is not monitored, it is effectively invalidated: it then only protects the company after the damage has been done, through a security breach or otherwise. You will need to be able to remotely wipe devices too. This depends on your server software – Microsoft Exchange 2007 onwards has the ability to remotely wipe accounts and all related data from a personal device.
When considering the possibility of needing to wipe someone’s personal device, you will need to have drawn up a clause in your BYOD policy to make sure employees are agreeing to that risk. Employees also need to be aware of who is responsible for backing up data – in the event of data loss, this could be crucial.
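As an added illustration of the Exchange remote-wipe capability mentioned above (example code written for this article, not part of the original post or Microsoft documentation), the following Exchange Management Shell script lists the ActiveSync devices that have synced with one mailbox and issues a wipe for a single device. It assumes an Exchange 2010 management shell; the mailbox address, the device ID pattern and the notification address are placeholders.

```powershell
# Added example, not from the original article. Assumes an Exchange 2010
# Management Shell session with rights to manage ActiveSync devices.
# Every address and pattern below is a placeholder.
param(
    [string]$Mailbox = 'jane.doe@example.com',    # placeholder mailbox
    [string]$DeviceIdPattern = 'Appl*',           # placeholder: Apple device IDs start with "Appl"
    [string]$NotifyAddress = 'it-security@example.com'  # placeholder notification address
)

# Enumerate every device partnership for the mailbox, with the last successful
# sync and any outstanding wipe request, so the ticket can be checked against
# what the employee actually owns before anything destructive is queued.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync,
                  DeviceWipeRequestTime, DeviceWipeAckTime, Identity
$devices | Format-Table -AutoSize

# Select the one device named in the request; refuse to act on zero or several
# matches rather than wiping the wrong (personal) device.
$target = @($devices | Where-Object { $_.DeviceID -like $DeviceIdPattern })
if ($target.Count -ne 1) {
    throw "Expected exactly one device matching '$DeviceIdPattern', found $($target.Count). Aborting."
}

# Queue the wipe. Exchange does not reach out to the device: the wipe is carried
# out the next time the device syncs, so DeviceWipeAckTime should be checked
# later to confirm that it actually happened.
$wipeParams = @{
    Identity                   = $target[0].Identity
    NotificationEmailAddresses = $NotifyAddress
    Confirm                    = $true
}
Clear-ActiveSyncDevice @wipeParams
```

Because the wipe only completes on the device's next sync, a lost device that never reconnects is never wiped, which is one reason the policy clause about backups and acceptance of the risk matters.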
The hard truth about network dos and don’ts for employees is that there is a very limited amount the IT department can do ahead of disciplining on a reactive basis. If your employees know the password of your internal wireless (which they most likely will), there is nothing stopping them connecting their tablet to it – and there is certainly no control over what they have downloaded onto it outside the office. It is highly advisable to have a guest wireless network which remains outside your company firewall, and to let employees connect non-company devices to it – after all, it’s the same principle employed for visiting clients or customers.
Overall – although this article could seem like scaremongering, it most certainly is not – a company with a successful BYOD policy (whatever your restrictions) and associated monitoring measures is likely to see its profitability skyrocket over the following months. So, in my opinion, is it worth it? Yes – absolutely.