The BYOD (Bring Your Own Device) phenomenon has become incredibly popular in recent years and had a direct impact on every business. Some organizations react with indifference while others are fully supportive, handling the issue with sophisticated management systems geared to maximize employee productivity while simultaneously minimizing the security risk.
Here are 10 tips that will help minimize those risks:
1. Know who has access to your network and data
Keep track of, and regularly review, all of the accounts that are actively using your company’s email service, Virtual Private
Network, intranet applications, user databases etc. Be on the lookout for any suspicious activity (employees attempting to access data they are not authorized to, frequent unsuccessful login attempts, late night activity). These security measures are not only applicable to mobile devices, but all entry points into your network.
2. Identify and classify data that can be accessed remotely
Not all company data is created equal and it’s important to classify your company information according to the relative risk associated with it. Some data holds no special value if it fell into outside hands, while other data needs the utmost protection. Identify important data files that are remotely accessible through each outside portal and establish the necessary protocols to keep that information safe.
3. Know the configuration of your employees’ devices and incorporate your company’s security requirement.
It’s not uncommon for mobile phones to be lost and for the data on the device to be compromised. Not only that but if the device is in use and not properly maintained, vulnerabilities could pose as an additional risk. Every device allowed access to a company network should have basic security settings in place as a first line of defence.
These basics include a lock screen, not allowing rooted devices to access the network, keeping applications up to date, avoid storing credentials in plain text, and disabling development features such as USB debugging and mock locations. The main point here is that basic security standards are in place to act as a barrier to the common points of entry.
4. Make use of tools to manage and/or audit your employees’ BYOD.
The simplest way to make sure devices are securely configured is to provide employees with mandatory instructions on how to do so. This approach is not bulletproof, however, and there are a few issues that can arise: The guidelines may be forgotten, and there isn’t a check point to see if the instructions have been followed.
So use an automated tool that can report the configuration of employee devices. These tools, aside from reporting configuration, will give insight on where the configuration strays from your guidelines. Many tools will even put the configurations in place or walk the employee through the process one step at a time.
Mobile device management (MDM) tools to this, but they are a somewhat heavyweight solution and might not fall in line with a small budgets. An alternative, and more subtle, solution is a mobile device auditing tool that reports on device configuration status.
5. Be transparent concerning your use of tools.
If you plan on using a tool, be sure to let your employees know that you’re not after their personal data. Clearly lay out what data will be monitored, the specific settings that will be modified, how the information collected from the devices will be used, and what the retention period of the data will be. You will likely need them to sign a formal agreement that clearly lays out this information.
This agreement should also let employees know what their responsibilities will be. These commonly include maintaining the security configurations of their devices,reporting suspicions activity and reporting lost/stolen devices immediately etc.
6. Make sure that the tools used don’t intrude into the employee devices’ privacy.
Keep in mind that employee devices are still their property. Thus, there is a need to balance the devices’ settings in a way that will satisfy both parties’ needs. It should be noted that the majority of MDM systems place the device in their full control. Obviously, most employees would prefer if their employer did not have access to their GPS locations, personal text messages, and email accounts. Allowing full control over personal devices can sometimes result in employee pushback and in situations like this, a Mobile Device Auditing tool might be a
better option.
7. Plan to handle a data breach.
BYOD reduces risk, not eliminates it entirely. Although the tips above have helped you identify
the areas with the highest risk, and minimize it, it’s imperative to create a written plan of action if a data breach does occur. This plan should act as guide and at a minimum include the person/s who need to be notified and the changes that need to be made on affected devices.
8. Perform a regular audit of your employees’ BYOD management procedures.
Regularly revisit all of the procedures suggested in the above tips. Some aspects of your information systems are time-sensitive, as well as subject to changes to meet prevailing business policies.
9. Plan for Compliance
It’s already common practice to report on compliance to internal auditors as well as outside authorities with regulations such as Sarbanes Oxley, HIPPA and PCI. The majority of companies already do this for their traditional servers and desktop endpoints. If your company is following procedures similar to the ones outlined in this article, you will be well prepared.
10. Enjoy a greater peace of mind
Implementing these types of procedures will entail a lot of planning, effort and financial resources, but it will eventually pay off. The systematic reduction of the danger of data loss will please your company’s executives, and your efforts will encourage employees to perform their jobs efficiently having seen that you are supportive of their success.
John Fox has over 20 years of professional experience designing and developing enterprise software solutions. He is a security researcher for the InfoSec Institute.
