BYOD or Bring your own device policies are becoming more and more common, especially for contractors and people who work remotely. Many employees don’t want to have to carry two separate cell phones, do work in their own home on their own desktop, or have one laptop for both work and personal purposes. BYOD also has cost benefits for the company, and allows employees to, within reason, choose their own device and operating system. Employees tend to update their own devices more often than IT, especially if they are on an upgrade cycle with a mobile provider.
The downside to such policies is that they can compromise network security. The use of unapproved devices running unapproved software can open security holes that can endanger the company (or other employees).
The most common security concerns are:
- Employees using unapproved software or apps that might contain malware and compromise the entire network.
- Physical theft of the device (which is also a concern with company devices).
- Employees compromising the security of devices, for example by “rooting” smartphones.
- Loss of control over enterprise data, which may then leak onto the public web.
- Devices falling into the hands of people other than the employee, such as a spouse, friend, or even a child (who might cause problems inadvertently).
- Users practicing poor security practices, such as not properly locking devices or connecting to unsecured Wi-Fi.
Here are some tips for dealing with these and other security concerns:
- Have a clear BYOD policy, that is transparently written. Listen to employee concerns about privacy, productivity, and their ability to use their device for their own purposes when not at work. The policy should include any monitoring of employees (such as device location) and the reason such monitoring is needed. You should also make sure that any data which might affect an employee’s privacy is properly stored and protected.
- Require the use of two factor or multifactor authentication on devices. Far too many people rely on only a four digit pin, or nothing at all, to protect smartphones and tablets. Alternatively, if you are using mobile device management you can set it up only for that section.
- Use network access control to keep unapproved devices from connecting to the corporate network. This also prevents random people from “piggybacking” onto your office Wi-Fi and helps deter hackers. The reverse of this is to lock down the corporate apps if the phone is not on the premises or is connected to a different network.
- Make use of mobile device management. Some companies insist on setting up all smartphones to be remote wiped if they are lost, stolen, or an employee fires or quits. Unfortunately, employees are likely to balk at this idea, and will probably set up backups to ensure they don’t lose personal data, which can then include the data you are trying to protect. The solution is mobile device management, which sandboxes your applications and data away from the rest of the device. The data is encrypted, requires some kind of access method, and can be wiped without also wiping your employees’ contacts. (That said, employers should recommend that employees use a remote wipe on a lost or stolen device anyway, and many require the installation of remote wipe software).
- Devices should be registered and inspected by IT. IT should install enterprise level anti-malware software, ensure the device has not been rooted, and check it for apps that are known to be a problem. IT should also install or suggest the installation of software that helps find the device if it is lost. This is also a good time to provide education on device security.
- Ensure that employees have a method for backing up data stored on personal devices, including phones. If you are using MDM software, you can include routine backups in the installation to ensure enterprise data is properly backed up. Also make sure that employees know that their personal data is their responsibility, not yours, and have IT talk to them about backup options.
- Provide a blacklist of apps you do not allow. You need to be reasonable on this, bearing in mind that sometimes problem software can be pre-loaded onto devices (for example, some carriers now pre-load Facebook) and that pre-loaded applications cannot be removed without rooting the phone. It’s possible to code the network to disallow devices with blacklisted apps or that have been rooted or jail broken. Be aware that blacklisting all games (a policy some employers have) gives a huge incentive to get around the blacklist. The same goes for locking phones to a corporate app store that only provides enterprise applications. Providing access to a corporate app store, however, is a good idea if you need users to download a lot of specific software.
- Have a policy that allows you to require an app be removed if it turns out to be a problem. However, if audits show that a lot of people are installing an app, then you should look into why and what the alternatives are. In some cases, users can find a better solution on their own than IT had in mind.
- Educate employees on keeping their device up to date. Phones and tablets should run the most recent version of the software supported by their hardware. Apps should also be updated as needed. You might want to have a reasonable policy as to, for example, the earliest version of Android you will allow, bearing in mind that this might force some people to get new phones. You can even have IT check people’s phones a week or so after a new OS update is pushed to make sure everyone picked it up. (Unless the update has a known problem with it and you want to ask people to slow down).
- Provide at least some technical support to people who bring their own devices. The BYOD agreement should clearly specify who is responsible for what. A good example would be to provide software support and support for corporate apps, but have the employee be responsible for damaged hardware and cracked screens. You should recommend that employees get the extended warranty on new phones to cover device damage.
- Have a list of approved hardware. You might want to disallow older devices, for example any iPhone older than a 4. An employee who’s device is not on the list may be able to make a case for it (for example, smaller Android suppliers that you might not have been aware of).
- Have a policy that employees may only download apps from your app store or approved sources. Apps from unofficial sources (i.e., not Google Play or the App Store) are far more likely to have malware. Make sure to educate them on exactly why the restriction is in place, which will make them less likely to try and get around it.
- Decide who is responsible for paying for what. This is another good reason to put your official apps in your own app store. It is often easier to have employees pay for the contract and any app buys, and request reimbursement, rather than pay for stuff yourself then bill the employee. There are also solutions that allow you to lock down in-app purchases, generally intended as parental controls but useful if you are paying for the phone.
- Make sure that credentials expire after a period of time, and do not automatically authorize devices. Otherwise, you might have problems if somebody gives their tablet to their kid with a game on it to keep them quiet… Do not make assumptions as to who is connecting. Tablets in particular tend to be passed around to other people. Phones may also be passed around to show photos or similar, or loaned to a friend who’s battery has run out but who needs to make a call.
- Require that users who connect from remote locations connect to the corporate network via a provided VPN. It’s fairly easy to block unencrypted connections. (This should cover corporate devices as well). VPNs protect data and are also good for privacy, so they are easy to “sell” to employees.
- Educate employees on how to avoid being phished. Such basic practices as not clicking on links in unsolicited email or Facebook messages can go a long way towards keeping the network safe.
- Consider restricting some data to corporate devices on your premises. This is particularly worth considering if you have to worry about HIPAA or similar confidentiality legislation.
- Provide employees with only the data they need. HR does not need marketing’s targets, marketing does not need employee profiles, etc.
Companies need to balance security concerns with the very real privacy concerns of employees and users. Overly restrictive policies cause resentment, remove some of the advantages of having BYOD in the first place, and are more likely to be circumvented. Lax policies provide little protection. In the future, it is likely that developing virtual machine and mobile development management solutions will effectively allow employees to have two devices in one, with corporate data and applications separated from personal use. In the interim, the most important thing is to have a clear and transparent policy that everyone can be comfortable with.
For more information about network security, whether or not it involves BOYD policies, contact Applied Innovations today.