“Bring Your Own Device” Policies
In our increasingly connected world, the line between business technology and personal technology is becoming more and more blurred. Most employees now use at least one of their connectivity devices – usually a phone – for both business and personal activities.
While this is allowed at most businesses, and at a few it might even be encouraged, it creates additional security issues for IT departments, which already struggle to keep up with technology advancements and a rotating roster of employees.
This bring-your-own-device (BYOD) culture also has a darker side. When it’s not fully acknowledged and regulated, it can threaten a company’s network security and leave its sensitive data at risk.
BYOD is driven by the fact that most employees already own and use personal laptops, tablets and smartphones. The desire to pare down these devices and use a single device for as much activity as possible is only natural. Who wants to carry two laptops, or even two phones?
In many cases, when personal devices are used for business purposes, they are newer and more advanced than the equipment deployed at most businesses. Therefore, IT departments might be inclined to refuse the BYOD idea. For them, it’s simpler to provide approved hardware and software applications over which they retain full control.
Increasingly, though, it’s getting harder and harder to stem the tide of personal technology creeping into business territory.
BYOD – the good
A BYOD strategy has multiple advantages. The flexibility and comfort it offers employees makes them happier, and (hopefully) more productive. The cost savings to the business, in terms of fewer device maintenance issues and reduced hardware expenditures, can be sizable.
BYOD – the bad
It comes down to one word – security. Businesses need to consider the implications of allowing sensitive corporate data to be accessed on personal devices over which, in most cases, they could have little or no control. Decisions must be made concerning what data employees can access and what security measures must be implemented if an employee’s device is lost or compromised.
Even though there are hardware cost savings with BYOD, there might be other cost implications to consider. Companies that allow BYOD also need to consider that their internal networks must integrate and support the increasingly diverse range of employee devices: Android, iOS, Nokia, Windows, Mac, PC, etc. It can be a lot to consider, and they all have to interface with a business network.
The ultimate risk a business may run is to not have any sort of BYOD policy in place. By ignoring the issue, it may unwittingly expose itself to both inadvertent and purposeful threats.
Planning a BYOD policy
A BYOD policy governs the management of unsupported devices. Protecting network security is the most important aspect of a BYOD policy. At the very, very least, a BYOD policy should include password-protecting employee devices and regularly updating those passwords. Effective BYOD policies might involve encrypting sensitive data, disallowing local storage of corporate documents and limiting access to both sensitive and non-sensitive data storage areas.
Any BYOD policy should also be scalable and manageable, so that it can grow with an organization as its mobility strategy grows.
Beyond hardware and access issues, attention must be given to applications. Establishing secure app-to-app workflows is an important part of a BYOD policy.
An effective BYOD solution will enable you to secure the data, along with the device. The key issue is to guard against data loss or compromise.
BYOD solutions can range from the most exhaustive – which take into account every device/software/access configuration and are continually monitored and updated – to the most lightweight, which only lay out prescribed policies and rely on the proactive adherence of individual employees.