BYOD is not only about the device!

Officially, BYOD means “Bring Your Own Device.” From an employee’s viewpoint, it means “I get to use my own device instead of the crappy one that my company will supply for me.” And from a business’s viewpoint, it means “I get to save money by making you buy your own device.” This might sound like a win-win. But there are a number of things that have to be thought through before embracing the BYOD world.

Allowing BYOD means an employee is accessing company data on their own device, and bringing it with them when they leave work. This raises the possibility of theft, whether by a pickpocket on the train or a disgruntled employee him- or herself.

There are 87 operating systems or variations of operating systems available for mobile devices, including phones and tablets. The main ones, iOS and Android, also have numerous versions still in production. So each operating system needs a dedicated application for that system. The number of applications available for these systems alone can make managing versions and operating systems a huge problem, which makes IT security even harder in the BYOD world.

Follow these steps to ensure a safe transition to BYOD.

BYOD Policy

Create a policy, and make sure that everyone who brings their own device is aware of it. The policy should include explicit indication of who owns the data that an employee accesses in the course of doing their job. What data can be stored on the device, and what happens if it is lost?

There are three main areas that have to be thought through when creating a policy:

  • Risk: What is the risk that information will be on the device when it is lost or stolen? What is the risk of the device having the information compromised through outside access to the device?
  • Compliance: What compliance rulings exist in your industry about which devices can be used and what information is stored and accessed? This will have an impact on the BYOD requirements of the business.
  • Governance: What industry and national requirements are in place regarding the information being accessed from the device? For instance, in medical and financial circles there is a high level of compliance to protect the information on the device. Just by storing client information on their iPad, an employee may be violating the law.

Planning for BYOD

One of the hardest components of BYOD is working out how the policy will be implemented. Rolling out BYOD across the organisation can be challenging. Get the planning wrong, and the rest of the process will have monumental problems. You must educate employees and make sure they know the rules about type and uses of device before they start downloading client files (and viewing them on that insecure coffee shop Wi-Fi connection)—not after.

Internet connections outside the home can be poorly secured. In most cases, employees should be required to get permission before using their device for work outside of the office. And if a device has company data on it, the employee should never let anyone else use it—not even family.

Employees should only store company information on a special password-protected section of their device (often referred to as Mobile Device Management, or MDM, software). Another possibility is installing apps that do not allow information to be stored on the device.

How will you be sure that employees are installing the correct MDM software, along with adequate antivirus protection? Many companies require that employees hand their devices over to IT for software installation before they begin using them.

If information will be stored on the device, be sure it can be wiped from a second location. That’s another reason company data should only be stored on a company app.

This will allow the company to delete the data, even if a disgruntled employee quits in a huff.

Whatever policies you choose, you must be sure every employee fully understands them before bringing their device to work.

Implementation of BYOD

After you inform your employees, the next step is the rollout. Are you going to do a systematic change to BYOD, or are you going to do it as phones and tablets need to be replaced and new contracts are signed? A systematic change may allow you to educate and inform everyone all at once, but a gradual rollout may be less chaotic and more manageable. Either way, it’s important to plan ahead and control the process.

What Happens When They’re Gone?

One of the least thought through components of BYOD is: What happens when people leave? Your policy must cover this aspect of the business. Protecting the intellectual property that is your business’s lifeblood is a lot harder when the user is using their own system.

Your policy might require that the employee hand over their device to the company’s IT department temporarily to have all your IP wiped from the device and the applications.

Vast numbers of businesses are now facing the BYOD dilemma. For many, it is the right choice. But either way, they must make protecting their data their first priority if they want to stay in business.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.