Managing End Device Security | Is Your BYoD Policy Safe?
It’s becoming more and more common for companies to introduce a ‘bring your own device’ (BYoD) policy for their employees. Allowing employees to make use of their own laptops, tablets or smartphones for company business has many advantages, but there is also a range of downsides to the practice.
If your company is considering implementation of BYoD, it’s highly recommended that you talk to a consultant who can plan and implement a secure policy. However, if you want to try it on your own then it’s vital that you understand the operational, security and managerial pros and cons of the decision, and the ramifications for your practices as well as your employees.
Why BYoD?
While the idea might sound like a win for companies on the surface, particularly for smaller businesses, there’s more at stake than simply convenience and saving on the cost of purchasing technology. There are all kinds of run-on effects to having an employee use their own device for work purposes, with issues surrounding security, data safety and IT support at the forefront.
Firstly, let’s look at the benefits. Not having to purchase multiple devices across the company is, of course, one of the main pros. While there are exceptions, in general, most people already own the technology devices required - like a laptop, tablet or smartphone. In addition, it’s fairly well accepted that people tend to take better care of their own devices as opposed to a company-owned one, so there’s less in the way of loss and replacement costs.
Another benefit to using their own device is that the employee won’t usually need any training on new or unfamiliar operating systems, as they’re already adept at using the device. In addition, there’s often more motivation to invest in the latest technology if it’s for personal use. (It’s also noted that many employees actually prefer using their own device and not having to juggle two different platforms or systems.)
The Risks to Security and Privacy
But what about the disadvantages? There are multiple aspects you need to consider carefully on a case by case basis before implementing the policy.
There’ll be a lot more complexity around providing IT support if employees are running on multiple systems and devices. Updating software can become a problem due to compatibility issues, as well.
There’s also the issue of privacy, not only during the person’s employment, but beyond. You need to determine how (and indeed if) you can keep your company data private when it’s stored and accessed on an employee’s device, and also, once they leave, what will happen to things like a phone number, which may have been used for clients/suppliers to contact. This is particularly pertinent, as employees will often leave to go and work for a competitor - and you have no jurisdiction over a client inadvertently calling the employee’s private device.
Above all, you need to consider the potential technology security risks a BYoD policy can open you to, and these will vary depending on the sensitivity of the data you deal with. If an employee is using a company-owned device, it’s easy to put regulations in place as to how, when and for what purpose they can use it. But when it’s their own equipment you can’t impose those restrictions. Your data could easily be at the mercy of the person’s behaviour and practices - making it very hard to maintain a guarantee of security. And, again, when an employee leaves the company you need to make sure any confidential information is removed without encroaching on personal photos and documents. The logistics of that can be quite challenging.
Making BYoD as Safe and Workable as Possible
There are ways of making BYoD as secure as possible and, once you’ve assessed the potential risks (and your tolerance level), you’ll need to develop a robust policy that covers both employee and company responsibilities. It needs to be based on a range of variables, which include what tasks the devices will be used for, what data will be exposed, how much control the employee will allow over their personal device and how easily the policy can be enforced.
Once you’ve established your policy goals you’ll need to determine the most appropriate and effective technical controls to enforce it. To do this you should understand and decide what kind of access will be permitted, the minimum software and hardware standards, the authentication process for accessing services, what access and data should be restricted, and how the policy will be enforced.
While there are myriad technological controls available, there are some approaches that are relatively easily implemented.
For smartphones and tablets:
Corporately owned and personally enabled (COPE) access. The company has full control of the device and allows personal use; however, the device needs to be wiped before this mode can be activated.
Personally owned, partially managed. This mode provides less control for management but the device does not need to be wiped in order to activate.
Personally owned with managed container applications. A third party ‘container application’ is utilised, and all the company work is carried out within that application.
For laptops and desktops:
For laptops and desktops it’s much more common to use bootable media, remote apps and web access.
Bootable media allows the user’s device to be taken into the central managed workspace environment via a third party product.
Users can log in and connect remotely to a desktop environment or an application on a remote server. This can be via a web browser or locally installed client application.
You can also allow users to access corporate data hosted on a public cloud. This usually requires the device to be managed by the corporation.
Future Proofing
While BYoD is definitely of great benefit in many cases, it’s important that you do your due diligence to ascertain whether it’s right for your business, whether you can maintain security of your comms, and whether you have the facility to enforce a policy that minimises your risk by managing or locking down personal devices. Alongside the technical controls you’ll need to make decisions about how to handle devices/data security when employees leave.
You can’t afford to implement a BYoD policy without understanding its ramifications for your cybersecurity, so get in touch with Defended Solutions and we can help with advice and guidance that’s right for your individual situation.