Rolling out a BYOD program isn’t easy and the security risks are very real, but putting a security policy in place will mean the potential for cutting costs and increasing productivity in the long run. Here are seven things you need to consider when drafting a BYOD security policy. (Learn more about BYOD in 5 Things to Know About BYOD.)
The Right Team
Before setting out any kind of rules for BYOD in the workplace, you need the right team to draft the policies.
"What I’ve seen is someone from HR will draft the policy, but they don’t understand the technical requirements, so the policy doesn’t reflect what the companies do," says Tatiana Melnik, an attorney in Florida specializing in data privacy and security.
The policy should reflect the business's practices and someone with a technological background needs to lead the drafting, while representatives from legal and HR can offer advice and suggestions.
"A company should consider if they need to add additional terms and guidance in the policy for example, relating to use of Wi-Fi and allowing family members and friends to use the phone," Melnik said. "Some companies choose to limit the kind of apps that can be installed and if they enroll the employee’s device into a mobile device management program, they’ll list those requirements."
Encryption and Sandboxing
The first vital cog in any BYOD security policy is encrypting and sandboxing the data. Encryption, which converts the data into a form unreadable without the key, secures the device and its communications. By using a mobile device management program, your business can segment device data into two distinct sides, business and personal, and prevent them from mixing, explains Nicholas Lee, senior director of end user services at Fujitsu America, who has headed up BYOD policies at Fujitsu.
"You can think of it as a container," he says. "You have the ability to block copy-and-paste and transferring data from that container to the device, so everything that you have that is corporate-wise will stay within that single container."
This is particularly helpful for removing network access for an employee who has left the company.
Limiting Access
As a business, you may need to ask yourself just how much information employees will need at a certain time. Permitting access to emails and calendars may be efficient, but does everyone need access to financial information? You must consider how far you need to go.
"At some point, you may decide that for certain employees, we’re not going to permit them to use their own devices on the network," Melnik said. "So, for example, [if] you have an executive team that has access to all corporate financial data, you may decide that for people in certain roles, it’s not appropriate for them to use their own device because it’s too difficult to control it and the risks are too high and that’s OK to do that."
This all depends on the value of the IT assets and information at stake.
The Devices at Play
You can't just open up the floodgates to any and all devices. Make a shortlist of devices that your BYOD policy and IT team will support. This may mean restricting staff to a certain operating system or to devices that meet your security requirements. Consider polling your staff on whether they are interested in BYOD and what devices they would use.
William D. Pitney of FocusYou has a small staff of two at his financial planning firm, and they've all migrated to iPhone, having previously used a mix of Android, iOS and BlackBerry.
"Before migrating to iOS, it was more challenging. Since everyone chose to migrate to Apple, it’s made managing security much easier," he said. "In addition, once a month, we discuss iOS updates, installing apps and other security protocols."
Remote Wiping
In May 2014, California's senate approved legislation that will make "kill switches" (the ability to disable phones that have been stolen) mandatory on all phones sold in the state. BYOD policies should follow suit, but your IT team will need the capability to wipe devices remotely.
"If you need to find your iPhone ... it’s almost instantaneous with the GPS-level quadrant and you can basically wipe the device remotely if you lose it. The same thing goes for a corporate device. You can basically remove the corporate container from the device," Lee said.
The challenge with this particular policy is that the onus is on the owner to report when their device is missing. That brings us to our next point ...
Security and Culture
One of the major benefits of BYOD is that employees are using a device they're comfortable with. However, employees can fall into bad habits and may end up withholding security information by not disclosing issues in a timely manner.
Businesses cannot jump to BYOD off the cuff. The potential money-savings are appealing, but the possible security disasters are much worse. If your business is interested in using BYOD, rolling out a pilot program is better than diving in head-first.
Much like FocusYou’s monthly meetings, companies should regularly check in on what’s working and what isn’t, especially as any data leak is the business’s responsibility, not the employee’s. "Generally it’s going to be the company that’s responsible," says Melnik, even if it’s a personal device in question.
The only defense a company may have is a "rogue employee defense," where the employee was clearly acting outside the scope of their role. "Again, if you’re acting outside the policy, then you have to have a policy in place," says Melnik. "That won’t work if there’s no policy and no training on that policy and no indication that the employee was aware of that policy."
This is why a company should have data breach insurance policies. "The way breaches are happening all the time, it’s risky for companies not to have a policy in place," adds Melnik. (Learn more in The 3 Key Components of BYOD Security.)
Codifying the Policy
Iynky Maheswaran, head of mobile business at Australia's Macquarie Telecom, and author of a report called "How to Create a BYOD Policy," encourages advance planning from a legal perspective as well as a technological one. This brings us back to having the right team.
Melnik reaffirms the need to have a signed employer/employee agreement to ensure policies are adhered to. She says it must be "clearly articulated for them that their device has to be turned over in the event of litigation, that they’re going to make the device available, that they’re going to use the device in accordance to the policy, where all of these factors are acknowledged in a document that’s signed."
Such an agreement will back up your policies and give them much more weight and protection.