These days all businesses, large and small, need to have a BYOD Policy in place. A BYOD Policy alone won’t protect your communications, Intellectual Property, or your network, but it should outline employee practices that lower the likelihood that a breach will occur.
It’s hard to keep the C-suite from using their iPad Pro for work, especially while traveling. It’s just easier! It’s just as difficult to get a new-hire millennial to use a company-issued iPhone… God forbid it’s not the latest version and brand new. They make a great point: a newer and fully updated device should be more secure than older devices.
Here are 7 elements that you’ll need to consider when putting together your BYOD policy:
- The employee exit – Whether an employee leaves on their own or is asked to leave, you’ll want back whatever info they have about clients and intellectual property. There are ways to simply wipe data with O365 and more comprehensive tools that you can reach out to us to discuss. Either way, you’re going to want to develop a plan starting with the worst in mind (a rogue employee looking to take your data, ideas, and log-ins) and create a plan to protect yourself.
- Acceptable devices – Devices aren’t equally effective or secure. Defining a set of parameters in your BYOD policy for which devices are acceptable is important. A Mobile Device Management platform like IBM’s MaaS360 is more flexible on Android devices but more secure on Apple devices. Additionally, you’ll want to define what browser to use, e.g. Safari, Internet Explorer, Firefox, or Chrome. Taking advantage of cloud technologies like VDI can create a homogeneous platform across your organization. You’ll also want to consider reimbursement policies for employees using their own devices for work.
- Firewalls and Antivirus – Employee laptops that have old antivirus software that hasn’t been upgraded will put your network at risk. Similarly, if you don’t set up your firewall properly you can put your employees’ devices in jeopardy. Network-based firewalls are an awesome complement to traditional premises-based firewalls. Assigning quantitative values to potential data breaches will help you define both your BYOD policy and security strategy. How much will it cost you if you can’t log into your network or if an employee steals your customer list? Both employee and employer responsibilities should be defined clearly.
- Websites and Applications – Now that you’ve outlined what devices will be interacting with your data over your network, you’ll want to define what applications and websites are cool and which are NSFW. Some apps request information that you may not want your employees sharing, like contacts. The last thing you want is that rogue employee adding a key customer contact to their inappropriate Snapchat or Instagram. With security concerns on the rise from the plethora of recent hacking incidents, including banks whose websites have been spoofed, you’ll want to be clear with employees as well as with your firewall settings. Should employees save information to their device or do you have a central storage system set up? Ideally, you’ll want to segregate personal and private data as much as possible.
- Assigning Permission – Not every employee needs access to all of your information. Defining which team or individual is responsible for, and has access to, certain data will allow you to manage and mitigate risk. A system of checks and balances should be created so that information isn’t siloed in one area and inaccessible to key decision makers. For example, only the network admin should know your firewall password but, in case that person is let go or “gets hit by a bus” (God forbid, but it is something to consider), there must be someone else who has that information and can change passwords immediately if necessary. If you’re a sole proprietor, you’ll want to keep those passwords handy and set up alerts if changes are made.
- Human Resources – Now that you’ve secured your network and data with tangible steps in your BYOD Policy, you’ll need to look at things from less of an IT perspective and more of an HR perspective. How invasive is your monitoring allowed to be? How do you determine if Intellectual Property created by an employee on their device should be company property? How do you handle hourly employees that have second jobs in a similar field where work may overlap? Most device management platforms allow for monitoring tools and storage that can easily keep work-related and personal items distinct.
- Legal – Where does the liability lie? We all love our lawyers (maybe a hint of sarcasm) and here’s where they’ll need to be involved in the process. Earlier I mentioned that there are two pieces to the puzzle. The employer can put an employee at just as much risk as the employee can put the employer. Think of the incident when an organization’s data isn’t secured, allowing hackers to steal employee social security numbers, birth dates, and other key personal information. A BYOD Policy is not effective unless it’s written down and agreed to, via signature, by both parties. I’d even go as far as to say NDAs and non-competes should be incorporated into your company’s BYOD Policy.
Today, everyone is vulnerable. The lists of recent attacks are crazy! Dude, HBO got hacked and they stole the Game of Thrones episode with the Dragons fighting White Walkers! #GOT – The list of hacks also includes the various departments of government, Equifax, Target, Instagram, Red Cross Blood Service, and the list goes on. As this is happening, users expect things to work seamlessly, securely, and flexibly to include their devices on your network. How will your BYOD policy be written to make your business less vulnerable to loss of secure data to hackers and employees gone bad?
So now that you know how to put together a BYOD Policy, the question is, how will you enforce it? Will you be proactive and use the correct tools to keep your company and employees safe from cyberattacks and security breaches? Without the right tools in place you’re really leaving this up to trust and the recourse that law allows. If you need help evaluating what measures you can take using the latest technology, please contact us.