30 Sep Bring Your Own Device Security Policies

Bring your own device (BYOD), refers to the policy of permitting employees to bring personally owned devices (laptops, tablets and smart phones) to their place of work, and use those devices to access privileged company information and applications.

BYOD is becoming more and more significant in the business world, with about 75% of employees in high growth markets already using their own devices at work. In most cases, businesses just can’t block the trend. In other cases, businesses claim it increases employee morale and convenience by using their own devices and makes the company look like a flexible and attractive employer.

A recent Harris Interactive Poll found that more than 50% of employees use portable devices to take sensitive information outside the company walls. Several companies allow employees to use those devices and have an encryption policy for them. However, only 34% actually enforce those policies on personal devices.

Another survey done by SolarWinds and Network World isn’t anymore promising. Interviewing 400 IT professionals about BYOD, more than 65% said they don’t have the necessary tools in place to manage personal devices on their corporate network, and 27% said they aren’t certain of all the personal devices that are accessing the network.

In most cases it seems like companies are telling their employees “Here, we trust you to be safe with your device and we know you won’t do anything foolish to compromise the network or corporate data.” You are setting yourself up for the failure of your company’s security system if you don’t think developing and enforcing BYOD security is of the utmost importance.

People are careless, a perfect example of this fact is the number of phones that are lost everyday. People are also nosy. They will look over your shoulder to see what you are doing on your device. Too many people don’t bother with even the simplest level of security.

Businesses would be wise to just assume the following:

• Don’t bother hiring a penetration tester. Save your money and just assume they will be able to get in, 75% of businesses have suffered data loss from negligent or malicious insiders at some point.

• Employees will use their personal devices on the corporate network, even if they are told not to. More than 50% of employees use portable devices to take confidential data out of their companies every day.

• Your employees value convenience more than security. If a security policy is overly inconvenient, your employees will find a way around it. Don’t underestimate the ingenuity of employees looking to circumvent procedures that slow them down.

• Flash drives will be lost, and your IT department will never know about it, or won’t find out until it is too late. Losing a $10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported, $10 flash drives are quietly replaced by the employee that lost it. The best way to avoid this is to use encrypted flash drives or don’t use them at all. Currently only 35% of companies enforce data encryption on company issued devices.

• A company’s first and last line of defense against a security breach is its own employees. Training employees on good security practices offers a company the most bang for the buck. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements. As with everything else in life, if it sounds too good to be true, you are guaranteed it is.

When does corporate security cross the line of personal privacy?

It is very easy for companies to cross the line of personal privacy while trying to implement a rigorous data security plan regarding BYOD. In the beginning, many employees felt like the companies they worked for were acting too much like “Big Brother” and becoming too involved in their personal lives with the security measures they were implementing.

These issues prompted companies to add more granular policies and tools, like creating some mobile device management products to be configured to collect and display location along with call histories from corporate devices, but not BYODs. These options emerged because employers with an international presence face additional risks when it comes to privacy regulations.

This also lead to companies implementing BYOD enrollment portals, where user and device eligibility is determined. Users must agree to give IT some control, for example, if a user’s device goes missing they must call IT so the device can then be wiped before it falls into the wrong hands.

These controls are widely embraced by companies today as a standard for all devices being used in the workplace. However, BYOD success or failure lies in policy specifics. Many people treat smartphones as an extension of their desktop. However, most users don’t have the patience to tap in several character passcodes, especially where frequent re-entry is concerned.

To ensure the safe and effective use of BYOD in companies, IT and security teams should work together to assess emerging tools including data containers and sandboxed apps, while getting started with basic controls. If you aren’t addressing the concerns that arise with a BYOD policy you need to start, most of the significant risks can be addressed at relatively low cost.