Whenever you institute a new policy in your company, you'll experience some growing pains. That's especially true of policies involving IT or cybersecurity, as adoption is a challenge of its own. But given the vast, varied and constant changes in technology, changing your policies to keep pace with the global digital business environment is a must. "Bring your own device," or BYOD, is a perfect example.
According to Gartner, one out of two companies will not be providing their employees with devices by 2017. The emergence of BYOD policies necessarily follows, and, as is to be expected, the transition and the resulting behavior can present multiple security challenges. So, what can you do to keep security on track while you institute BYOD?
When done correctly, BYOD can save your company money, create added productivity and give your employees the freedom to work from anywhere. Given the numerous challenges it presents, what can you do to keep the demand on your department manageable, give your users peace of mind and protect your network?
Jennifer Allen, Twinstate's Red Team manager, calls an outside device "an X factor on your network." Not knowing if a device has already been breached, or if activities are occurring on the device that might affect your security or reputation, can be a little frightening. "It’s like adding a bridge to your network to the outside world. It immediately requires a higher level of stringency in developing and implementing policy," says Allen.
Because of this required stringency, and because your users will likely be attached to the personal nature of their device, getting buy-in from your employees is a priority. Overcome the challenge of addressing infractions by creating clear, written policies that outline every aspect of your team's control of any device brought into the building. That way, when you go to reach for the device to install a required update (for example), your employee will understand why.
Written policies and follow-through on enforcement plans will also help your employees bear their responsibilities in mind, and keep them involved so they aren't caught off guard.
As Allen says, "Having a policy is prudent to making sure the IT team can address issues on a personal device. If you walk up to someone and say 'give me your cell phone,' that’s not OK. If it’s a BYOD and it’s anticipated and a policy is in place, the admin has a lot more backing to do that."
These policies are intended to safeguard company assets, information and privacy, but still balance with the individual's ownership of the device.
"BYOD is blurring the lines of ownership between end user and the organization," says Allen. "It’s important to call out the lines."
What's scarier than an employee losing a device that has regularly accessed your network? When that device has no encryption and no two-factor authentication. A simple, effective solution everyone can get on board with? Require at least a PIN, and preferably stronger protections such as full-device encryption and two-factor authentication. Depending on the strictness of your policy and the nature of your business, you might also consider implementing remote wiping capabilities.
One of the greater challenges you'll face in BYOD implementation is the potential for introduction of malware while the device is on a different network, outside of your business. Because the device is, by its nature, the user's own, they will always have a right to use it elsewhere. Says Allen, "the intended fix becomes a potential panacea you cannot predict, unless you remove accessibility from the user's device," and that's not the idea behind BYOD.
Instead of eliminating the benefits of added productivity and remote capabilities, consider instituting policies that include a combination of mobile device management (MDM) and network access control (NAC). With the NAC/MDM combo, NAC checks that an MDM agent is present and reporting on the device, and grants network access only when the MDM policies are being enforced. In fact, as Gartner analysts predicted back in 2012, BYOD has really fueled the comeback of NAC.
Creating this control — and the success of your BYOD policy in general — always comes back to how much the person who purchased the device will allow you to do. Remember that getting and keeping them on board is a lot easier when your policies have been identified.
Most of the devices your employees will choose to bring to work have wireless, Bluetooth, Near Field Communication (NFC) and/or cellular network capabilities. Users may have data or information stored on a laptop that conflicts with the policies of the organization. They may have selfies that inadvertently contain Protected Health Information (PHI) on their phone. So the content of devices can become a nightmare in and of itself, opening the organization up to serious security or legal concerns.
How do you avoid this? First, and again, let the user know exactly what they're required to do and not do, and be clear about possible consequences. Knowing BYOD creates a constant balancing act between permission and allowance, Allen recommends creating a segmented network to keep your internal infrastructure protected from the beginning. You could create a completely segregated guest network specifically for BYOD devices only. That network should still constrain the activities the user can complete, though; you won't want employees running tax numbers on that network, even if it's separate.
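To show how the PIN/encryption requirement, the NAC check for an MDM agent, and the segregated BYOD network fit together, here is an added example (not Twinstate's code or any vendor's product) of the admission logic a NAC could apply to posture data reported by an MDM. The device records, field names and segment names are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed posture record, shaped like what an MDM inventory might report to a NAC.
# Field names are this example's own, not any vendor's schema.
@dataclass
class DevicePosture:
    device_id: str
    corporate_owned: bool
    mdm_enrolled: bool
    mdm_last_checkin: datetime
    screen_lock: bool          # PIN or stronger: the article's minimum requirement
    storage_encrypted: bool
    remote_wipe_enabled: bool

# Posture older than this is treated as unknown: the device may have been
# off-network (and exposed to malware) since the MDM last heard from it.
MAX_CHECKIN_AGE = timedelta(hours=24)

def admission_decision(p: DevicePosture, now: datetime) -> str:
    """Return the network segment the NAC should place the device on.

    'quarantine' reaches only the enrolment/remediation portal,
    'byod' is the segregated guest-style network for personal devices,
    'corporate' is the internal infrastructure.
    """
    if not p.mdm_enrolled:
        return "quarantine"                       # no agent: nothing to enforce with
    if now - p.mdm_last_checkin > MAX_CHECKIN_AGE:
        return "quarantine"                       # stale posture cannot be trusted
    if not (p.screen_lock and p.storage_encrypted):
        return "quarantine"                       # fails the baseline device policy
    if p.corporate_owned and p.remote_wipe_enabled:
        return "corporate"
    return "byod"                                 # personal device: segmented network only

def triage(devices: list[DevicePosture], now: datetime) -> dict[str, str]:
    """Map every device id to its segment, so the result can be audited as a whole."""
    return {d.device_id: admission_decision(d, now) for d in devices}

# Constructed sample devices for a quick walk-through.
NOW = datetime(2016, 6, 1, 9, 0)
SAMPLE = [
    DevicePosture("phone-1", False, True, NOW - timedelta(hours=2), True, True, True),
    DevicePosture("phone-2", False, True, NOW - timedelta(hours=2), False, True, True),
    DevicePosture("laptop-3", True, True, NOW - timedelta(days=3), True, True, True),
    DevicePosture("laptop-4", True, True, NOW - timedelta(minutes=5), True, True, True),
    DevicePosture("tablet-5", False, False, NOW, True, True, False),
]
```

Run `triage(SAMPLE, NOW)` to see each constructed device land in quarantine, the BYOD segment, or the corporate network according to the rules above.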
Successful implementation of a BYOD policy is, admittedly, difficult, but creating a policy at all puts you ahead of the pack. Be sure to establish parameters and outline potential consequences of non-compliance, and get sign-off to make the policy easier for employees to keep top of mind. Ultimately, written policies make BYOD rules easier to address with users, and policies enforced electronically make compliance less of a burden.