blog hero2x

How to Develop a Bring Your Own Device Security Strategy

Jul 07, 2015

With the popularity of home offices and flexible schedules on the rise, mobility is at the forefront of many work environments. And we’re not just talking about the mobility of employees—but rather, the mobility of their electronic devices. For employees who work out of the office, a desktop and a landline don’t do them much good. Laptops, tablets and smart phones are running rampant. But unfortunately, bring your own device (BYOD) policies aren’t as plentiful. And because of that, data security breaches, lost information and costly consequences have become all too common.

Before the days of BYOD, companies and corporations supplied employees with their electronics. Therefore, it was much easier to control who had access to what data. Software updates were controlled by an IT administrator, and nothing could be on your company computer that wasn’t allowed by a higher-up power-that-be.

But mobile devices—and mobile employees—have changed this model. And because of that, mobile device policies must be put into place to protect your employees and data from being compromised in environments that your IT administrators cannot control—such as individual homes, traveling and public spaces.

Mobility of devices increases the chances of lost or stolen information. And public WiFi may not offer the level of security you need to safely conduct your business. But by developing a bring your own device security policy as soon as possible, you can help prevent some of the pitfalls associated with personal devices.

Flexibility and Productivity vs. Security Risks

One of the primary reasons employers allow employees to work outside of a traditional office is because this level of increased flexibility has the power to increase productivity. You might wonder if the flexibility of this arrangement is worth compromising data security. But why choose? With the right approach, you won’t have to sacrifice one for the other.  

Before developing any sort of IT security policy, you should conduct an IT security risk assessment. This will allow you to evaluate a BYOD policy based on:

  • Cost—Adding security comes at a cost. Is it worth it? Do the numbers work with your business? Can you justify the costs associated with your BYOD policies?
  • Productivity—If having employees using their own devices doesn’t improve your company’s productivity, then why bother allowing it?  A formal IT security risk assessment should help you figure out ways to increase productivity without sacrificing security.
  • Organization— Whenever a new policy is being developed, it’s important to have your whole staff on board and providing input. Make decisions together. Identify concerns together. Look at every aspect of your processes before your IT staff makes and begins implementing changes. Invest in BYOD training to educate employees and staff about best practices and security requirements.

When developed correctly, there are many benefits to a solid BYOD policy.

The Telegraph reports that out of the almost 90 percent of office workers who can access work email on their phones, two-thirds of them check email as soon as they wake up and right before they go to bed. If your employees are able to check work emails on personal devices like smart phones and tablets, they tend to do so 20+ more times per day and may end up working up to two extra hours each day

And beyond that, being able to consolidate devices is also important to the workflow process. It allows employees to familiarize themselves with one device and not have to worry about switching between networks, software, web history and different procedures that are dependent on their location or housed on different machines. When employees are able to choose their devices, work may become more enjoyable.

The Cost of BYOD Policies

On the surface, BYOD policies appear to save your company money. You’re not responsible for everyone’s machine ,and productivity is increasing! But after you factor in the cost of potential security risks, a possible data security breach and the training needed to implement secure software on numerous devices, is it really saving money? Or is it costing more than it’s worth?

The fact of the matter is, any mobile device policy is going to face a bevy of indirect costs. According to FireEye, the average company is exposed to harmful malware once every three minutes, with each attack costing a minimum of $3,000 per day to recover. And those are for protected devices. It’s even more frequent—and costly—for devices that aren’t currently adhering to a formal BYOD security policy.

However, the risk of not allowing your employees to use personal devices—when most of your competition does—may be a more costly error. So what’s a company to do? Develop a comprehensive IT security policy that is easy to understand, easy to implement and easy to adapt. And invest in training for your employees so that they can understand the responsibilities that come with a BYOD policy.

Information security awareness and avoidable security gaps  

Once you’ve implemented a formal BYOD policy, be sure your employees are protecting your information and systems when they use their mobile devices. The right BYOD training will act as a foundational component of your BYOD program and help your employees understand how BYOD polices relate to their individual actions and behaviors.

To avoid security gaps and data breaches, make sure your formal BYOD policy addresses the following (and all-too-common) missteps that are more likely to occur with personal devices than company-owned computers and phones:

Lost (but not found). Losing a mobile device is the biggest threat to working from a personal device. It’s easier to misplace a smartphone or a tablet than a desktop. Employers should encourage employees who are working on mobile devices to download the Find My Phone app, available for Android, iOS and Windows phones. This app can assist in locating a lost phone, and it can also lock the handset remotely to protect any information stored on the phone if it winds up in the wrong hands.

Additionally, if a lost phone is never recovered, some operating systems allow you to remotely erase all data.  But lost data (whether it’s erased or still on a missing device) can be detrimental to your company and your employee’s productivity. To help ease the repercussions associated with lost data, make data back-up a requirement. Employees can synchronize contacts and calendars onto a desktop, but using a using cloud-based system for document storage provides the most flexibility—assuming you are comfortable with this method. Cloud-backed data is accessible from any device with an Internet connection.

Viruses and malware. A common misconception is that iOS is virus-proof, therefore iPads and iPhones can’t be exposed to viruses. While they’re less likely to be exposed, the threat is still there. Viruses and malware are a threat to all devices—and if you know that, then you can take the necessary steps to protect your devices and your information.

Hack attack.With company computers, IT departments are able to maintain and monitor network security very closely. But with personal devices, this isn’t always the case. Make sure your employees do all that they can to protect their device and the data it holds by enabling password protection, two-factor authentication and where possible, data encryption.

Larger companies may be able to take security one step further by providing access to internal network resources via a VPN. This type of set-up allows data to be securely stored on the company network where corporate backup strategies can be implemented. It also provides a strong encryption between the device and server, making public networks less of a security threat.

Develop a BYOD security policyto prioritize security without alienating employees

We’ve discussed some ways to promote information security awareness and close security gaps, but one last thing to note is that it’s important to do that without alienating employees and impeding their productivity. Implementing MDM (mobile device management) could be a viable part of your BYOD policy. 

With MDM, IT departments use the already-existing security features of personal devices (accessible through the network) to enhance the devices’ functionality and overall employee performance. An MDM can help prevent a security data breach by protecting your business data, thus saving your business money. Additionally, this type of software is able to monitor the use of the device during business hours to ensure that it’s being used for work purposes.

And if an MDM plan doesn’t fit into your BYOD policy, you can also consider implementing COPE (corporate-owned, personally enabled) devices. This type of policy promotes the personalization and productivity aspect of BYOD, but carries a reduced risk since employees are working on corporate devices.

COPE gives companies more control over which devices are supported and what controls are in place on the device, but still allows employees who want to personalize their device a chance to do so. Employees can send personal emails, access social media, and download photos, but corporate-applied controls are in place to protect business-related information from getting lost or transmitted through less secure means. Additionally, IT department controls can remotely wipe the device if it’s lost or if the employee no longer needs it.

There’s a lot to think about when it comes to developing a BYOD policy for your company. But knowing that one needs to be developed—and implemented—is a no-brainer. Start protecting your employees and your business with a comprehensive BYOD policy ASAP!

Workplace Answers &
Click 4 Compliance Join Forces

We’ve created the world’s most comprehensive and engaging online compliance training library for companies around the globe.

Learn more View courses

We're sorry this resource is no longer available, we've redirected you to our Resource center.