Bring your own device (BYOD) is no longer a trend but a fixture in today’s business world. Employees are now purchasing the latest smartphones, and employers — your clients — are taking advantage of that situation. Because of the savings in hardware and software purchases for the employer coupled with instantaneous access to employees, an “open door” policy has erupted towards these devices; yet security policies have not caught up and are leaving IT departments with growing concerns.
The biggest security threat that exists — and always has — for IT departments is the employees themselves. Employees can be the first line of defense or the primary source of the problem. I have learned that you have to protect the employees from no one other than themselves; people tend to be very relaxed around the idea of security. Security is often seen as something that is not needed as the consequences that arise from not having it do not apply to them.
Have you ever encountered that situation where you are setting up a brand new smartphone and you ask the user what they want this passcode for the phone to be? You wait for the response but you are met with, “Why do I need a passcode?” If you are an IT provider who subscribes to the no policy is a good policy, think again. Trusting the security of the organization to an employee’s ability is a recipe for disaster as well as a financial liability.
So what are the options? If you cannot trust the employees to do their part — it’s completely up to you. As a provider of IT services it is your job to create and enforce policies around BYOD. With the lack of proper protocol and procedures employees are left to their own thoughts of what is appropriate to do with their devices.
The first thing you have to do is determine what you want employees to have access to from their devices. Does the user need to access e-mail/calendaring services, company apps, internal resources, and/or line of business applications?
Next determine the layers of authentication needed. Traditionally, authentication is two-factor. With the possibility of an employee’s device not being in their possession and being “unlocked,” you need to protect company data from that type of user error. Multifactor authentication is the way to go. Not only is the device protected by an individual passcode, but an added layer of protection is added whenever they are accessing the company data to verify the authenticity of the user connected.
Control is always a topic that raises eyebrows. How much control do you want or need to have over a user’s device? Do you want to control the device as if it is a company asset? Or do you just want to control the work data? In a BYOD setting you only need control over the work data. Utilizing containerization we can segregate all work related data away from the user’s personal data. There are situations when a remote wipe is unavoidable. Such as if a device is lost, stolen or the employee terminates/leaves the company. Without containerization when a system administrator encounters any of these situations and sends a remote wipe signal to the device the employee will lose all of their data, personal and work related, on their device without prior warning. Containerization allows us to only remotely wipe all company data from the device without modifying any of the personal data.
Another option that you can stack onto your security protocol is the ability to have geofencing. Geofencing allows employees to access specified data sets only from within a certain range of the office. This is often used for sensitive information.
I previously mentioned that it is our job to protect users from themselves. One of the final things that you will need to do is let them know what you expect from them. Create a procedure to follow if a user thinks that their device has been compromised, lost or stolen. Often times it is up to the user to notify you of a security issue with their device. Make sure that users read, understand and sign a written BYOD policy.
The BYOD space is still new for some, and a lot of companies still haven’t fully addressed the issues around it. It is best to first identify the needs of your client. What data needs to be accessed? How will you authenticate? How much control do you need over the device? Do you have sensitive data that shouldn’t be accessed when outside the office? Lastly, have you let the users know what you expect from them? Seek out the best options for the situation that you are presented with. Remember nothing beats having a written policy to accompany your technical one.