Lower costs, improved productivity, and happier employees are just some of the benefits that come from a “bring your own device” (BYOD) policy — but it's not all good news. With your employees supplying their own devices, security risks from data leaks and lost or stolen devices are a real and present danger. As a result, some take a heavy-handed approach to BYOD policymaking. That iron grip, however, can do more harm than good and result in increased complications in keeping their data secure, accessible, private, and authentic.
More than 75 percent of businesses now have BYOD policies in place. However, many of these businesses are still scrambling to balance the benefits of these policies with the potential risks to security. So how can IT pros devise a BYOD strategy that delivers the pros while avoiding the cons of insecure personal devices? Here are six guidelines to create the perfect BYOD policy for your business:
1. Learn from Existing Policies
Before creating a BYOD policy, take a look at your company’s existing HR and legal procedures. Many email, VPN, and remote access security policies can be easily adjusted to apply to employees’ mobile devices, as well. Keep in mind, companies in highly regulated industries such as financial services, government, and healthcare will need more comprehensive mobile device management (MDM) than companies in other industries.
2. Provide Training and Education
Your employees are using personal devices at work, whether you realize it or not. Employees often use file-sharing and other tools of their choosing without IT's knowledge, which quickly puts sensitive corporate data at risk. As you build out your BYOD policy, focus on training employees how to correctly use their applications, where and when to back up data, and how to identify (and avoid) security risks. This training will help ensure that your employees follow standard security procedures.
3. Specify Approved Devices
BYOD isn’t limited to smartphones. According to Gartner, a "new norm" is emerging in which employees manage up to four or five devices at work. In most cases, your security procedures will need to increase in sophistication with each additional device type you allow. Ensure that your IT team is equipped to handle the specific concerns that arise with each type of device.
4. Enforce Passwords and Encryption
Make it easy for employees to protect themselves and your data by requiring a password or PIN. The necessary complexity of the PIN or password will depend on the sensitivity of the information that needs to be protected, as well as the type of company systems employees can access on their devices. That said, passwords aren't foolproof. Data encryption is a wise additional security measure that can help prevent confidential data from being accessed in the event of a lost or stolen device. For an extra layer of security beyond that, consider modern services that use blockchain to help ensure the authenticity of files, guarding against unexpected, unauthorized alterations.
5. Define IT's Role
A smart BYOD policy doesn’t mean IT is off the hook. Successful policies rely on IT and employees sharing the weight of security obligations. IT will likely need to help set up email, applications, and company networks on employee devices and help decide which applications are allowed, and which are banned. After all, IT pros are best qualified to analyze the security and legal risks of social media, email, and other applications.
6. Set Ownership Expectations
Employees often fail to realize that all data on their devices is discoverable, regardless of whether the device is personal or company-owned. The question of who owns what is still a legal gray area, though companies increasingly take the liberty to remote wipe employees' personal devices once they leave their job. Avoid the guessing game with a clear exit strategy. Employees should know what data, applications, and potentially private information could be removed when they leave the company, voluntarily or not.
When it comes down to it, a sound BYOD policy should be as simple and transparent as possible. IT leaders should enforce rules and regulations so employees take them seriously, and use the policy as an opportunity to teach employees how to correctly use and manage their devices.