From the perspective of an employer, Bring Your Own Device, or BYOD, sounds like a dream situation. Your employees provide the equipment that they require to do their work, saving you money and the hassle of purchasing and setting up the equipment for them. However, BYOD is in fact one of the largest headaches that’s faced the IT industry for many years.
The first question for any company that wishes to implement a BYOD policy is how it will control its company data. Usually, any work completed by an employee during company time is the intellectual property of the company, not of the individual. When this data resides on company equipment, controlling it is relatively simple: the device is owned and controlled by the organisation and the employee has the responsibility of looking after it. However, when the data is on an employee’s personal equipment, the level of control that the company has is greatly diminished. If the employee leaves the company, how does the business gain access to the device to ensure all data is removed? How can the business ensure that the device has current security software to safeguard the information? What happens if the device fails and everything stored on it is lost? Does the employee carry out backups? There are many questions that need to be considered prior to implementing a BYOD policy within an organisation.
How can a business safeguard its information?
When a business implements a BYOD policy there are two main considerations, since company data will be stored on a non-company device.
Access to Data and Backups
When data resides on a non-company device, there may be issues with regard to sharing the data between employees. For example, a file stored locally on a laptop probably will not be available to anybody else on the company’s network, so to share it with a colleague the file would have to be emailed or placed in a different location, such as Dropbox, to allow access. Both of these avenues carry an element of risk: a sharing service like Dropbox is exposed to security threats, such as the recent Heartbleed vulnerability. Although email is relatively secure, there’s always the risk of human error when typing in the recipient’s address.
When considering the security of company data, anti-virus and anti-malware protection is another very important topic. Enterprise systems usually run a comprehensive suite of packages to protect the data from viruses and malware; in the case of BYOD, does the user’s device have the same level of security?
The final element of any good data storage system is a comprehensive and well tested backup solution. For enterprise systems the common standard is to have a combined local backup, either to tape or to an external hard drive, and a cloud backup solution as a backup to the backup. In the case of BYOD, if the data is stored locally on the employee’s device, is there a valid and tested backup system? Does the backup system comply with company standards, and does it meet the standards of the Data Protection Act of the country where the company is located? For example, an employee who uses Google Drive or Apple iCloud as a backup solution will have a copy of your company data on servers in the USA, and for regulated industries this may not comply with the regulator’s requirements.
Safeguarding data if the device is lost
A common story on the news is that of a lost pen drive holding a vast amount of sensitive data. This in itself is a nightmare for the company, as the data may be accessible to third parties who use it for illegal purposes. As part of good practice, every staff member of Telemat’s parent company, Antur Teifi, who requires a pen drive is provided with a hardware encrypted drive, which will not allow access to the information stored upon it without the user’s password. However, when looking from a BYOD perspective, it’s important not to assume that the user has a device with the same security facility. If, for example, the device is the smartphone of a senior staff member, anybody who finds the device may have access to sensitive email and similar information. A simple way of protecting against this scenario would be to have a passcode on the device; however, this cannot be enforced in the same way in a BYOD situation.
If you decide as an organisation to implement a BYOD policy, why not take a look at our 10 tips for a successful BYOD implementation.
1. Solidify password policy
You’re going to have a lot of users using devices on your network that will also be taken nearly everywhere. You do not want weak passwords that can be easily ‘hacked’ and give the wrong people access to your company data. For this, you need to institute a strong password policy across the board. Also, make sure you require regular password changes. Your end users will balk at this, but in the end it will be worth the security gained. Those complaining end users will need to know why this new policy has been put in place.
2. Require device registration
Each and every device brought into the company will need to be registered. What you should get from that registration is: device type, carrier (if applicable), MAC address, and user. With this information you are better armed to track down users who are abusing the new BYOD policy. With the MAC addresses of devices, you will be able to block offending users from using your network.
3. Limit supported platforms
When you open the floodgates to BYOD, you can easily wind up having to support Windows, Linux, OS X, iOS, Android, BlackBerry, ChromeOS, and who knows what else. This can place an unnecessary burden on your staff. Instead of risking this, decide which platforms you plan on supporting and make this list known to the end users of the company. If users bring in unsupported platforms, do not allow them on the company network. If you use a support provider, such as Telemat, discuss with them what can be supported under your existing contract; you may find it works out more cost effective in the long term to supply your employees with equipment.
4. Educate your employees
Employees need to understand the risks involved with BYOD. They need to know how important it is to keep anti-virus and anti-malware up to date. They also need to know how best to keep data secure on their devices and that they should never use those devices on unsecured networks. Their education could easily become a class in Mobile Security 101. But it is better to take the time up front than to wind up dealing with the ramifications of an end user unwittingly opening your network up to exploitation.
5. Expand your infrastructure
Your end users are going to be taking up more bandwidth. This means more powerful wireless is going to be necessary. Instead of dealing with a bottleneck on the network, make sure you’re using equipment that can handle the load. Do not rely on consumer-grade wireless routers. You will also need to make sure you have a large enough incoming pipe to allow for the extra traffic coming in from end users working from various locations.
6. Tighten up network security
Your network will need to be locked down. Period. This means you cannot safely rely on built-in firewalls across the board. Purchase a hardware-based firewall (such as a Cisco, SonicWall, or Fortinet) and make sure you get it up to speed quickly. You will also want to make sure all domain admin passwords are solid and that all security patches are applied to servers.
7. Create a company cloud
Instead of having remote users (using their BYOD devices) accessing your company infrastructure, you could create an isolated cloud (or even use Google Docs) so that those users can easily (and safely) access the files they need to work on outside of the LAN. If you don’t need a full-blown solution like Google Docs, purchase a business-class Dropbox or SpiderOak subscription and allow those users access to that. Of course, this is dependent on your industry regulator allowing data to be stored in such a manner.
8. Audit your network
You need to know what’s on your network, down to every piece of hardware. Before you unleash the BYOD hounds, do a full audit of your network so you are completely aware of every device on site. This way, when new devices start popping up (and causing problems), you’ll be able to better pinpoint the issue.
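Tips 2 and 8 together amount to a simple detection check: compare what is actually on the network against the device register. The script below is an added illustration, not Telemat’s tooling; it keeps the registration fields the post lists (device type, carrier, MAC address, user), normalises the various MAC address spellings users will type, and flags any address in a constructed `arp -a` style snapshot that nobody has registered.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    """One BYOD registration record with the fields the post asks for."""
    device_type: str
    carrier: str
    mac: str
    user: str

def normalize_mac(raw: str) -> str:
    """Canonical lower-case aa:bb:cc:dd:ee:ff form; accepts ':' '-' '.' or bare hex."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample register: users typed their MAC addresses in three different styles.
REGISTRY = [
    Registration("iPhone", "EE", "A4-5E-60-12-34-56", "j.jones"),
    Registration("Windows laptop", "", "00:1a:2b:3c:4d:5e", "m.evans"),
    Registration("Android phone", "Vodafone", "d8f1.5a00.abcd", "s.lewis"),
]

# Constructed snapshot in Linux `arp -a` format: "host (ip) at mac [ether] on iface".
ARP_SNAPSHOT = """\
? (192.168.1.10) at a4:5e:60:12:34:56 [ether] on wlan0
? (192.168.1.11) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.23) at 3c:22:fb:99:88:77 [ether] on wlan0
? (192.168.1.30) at d8:f1:5a:00:ab:cd [ether] on wlan0
"""

_ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")

def audit(arp_text: str, registry: list[Registration]):
    """Return (matched, unregistered): matched maps ip -> registered user,
    unregistered lists (ip, mac) pairs seen on the network but absent from the register."""
    known = {normalize_mac(r.mac): r for r in registry}
    matched, unregistered = {}, []
    for ip, mac in _ARP_LINE.findall(arp_text):
        mac = normalize_mac(mac)
        if mac in known:
            matched[ip] = known[mac].user
        else:
            unregistered.append((ip, mac))
    return matched, unregistered

if __name__ == "__main__":
    matched, unregistered = audit(ARP_SNAPSHOT, REGISTRY)
    for ip, mac in unregistered:
        print(f"UNREGISTERED device {mac} at {ip}")
```

Run against a real `arp -a` or DHCP lease export, the unregistered list is the set of devices to investigate before they cause the problems tip 8 warns about.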
9. Redefine your support policy
BYOD could cause you to spend more time supporting end-user devices than you have to spare. You need to rewrite your support policies to include end-user devices. The policy needs to specify which platforms you support and to what extent you support them. It should state that you are not financially responsible for end-user devices, that you will only allow/support devices that follow company guidelines, and that you do not support/troubleshoot carrier-related issues… anything that protects you and your company from being abused by BYOD.
10. Define accepted applications
There are going to be a lot of applications used on your network, from social networking tools to games to chat… you name it. You must define the types and titles of applications that you will support and/or allow on your company network. You cannot allow yourself to get into a position where you’re having to troubleshoot why an end user’s tablet isn’t streaming music from Spotify.
Of course, there is a simpler way of implementing your BYOD policy: contact us here at Telemat and we’ll guide you through the process and help you support this new way of working.