A BYOD Policy that Balances Employee Convenience and Network Security
The bring your own device (BYOD) movement is sweeping through the corporate world. As adoption accelerates, both enterprises and small businesses must prepare for an increasingly mobile workforce that wants to work anywhere and at any time, without sacrificing security.
When convenience clashes with security, network security is paramount. A well-written and strictly enforced BYOD policy can nevertheless strike a sound balance between the two. IT policy planners need answers to a few critical questions in order to address both employee needs and security concerns, now and in the future.
What devices are allowed?
The policy should clearly identify the devices and operating systems the network can support and that are therefore allowed. Specific brands, product lines, series, models, and other type categories should be named so that devices with known vulnerabilities can be excluded.
Equally important is a provision stating which devices are not allowed. For instance, rooted or jailbroken devices are considered security-compromised: the protections built into the operating system have been disabled, leaving them more exposed to viruses, malware, and attack. Devices running outdated operating systems or missing security patches are likewise not allowed because of their high vulnerability levels. Devices from manufacturers that apply only generic security policies can also threaten the network, and they should not be admitted to a BYOD program unless they are configured to meet the security requirements of the network support matrix.
What applications are allowed?
Companies should decide which applications to include in their BYOD program based on their specific security requirements. There is, however, growing concern over what applications employees can download onto devices that have access to corporate resources.
Social media browsing and email applications are common web activities that can expose mobile devices to vulnerabilities. Hypothetically, a new release of a major social media application may contain a security hole that gives spammers access to an employee's device, and the spam can then spread across the enterprise network. To prevent the downloading of questionable applications, the policy should include a list of applications that are not allowed, and should mitigate the remaining risk by:
- Installing anti-virus programs on mobile devices
- Embedding security into mobile application development
- Managing applications both through an in-house system and a tested mobile application management solution
Is security tight enough?
Security is at the center of any BYOD policy. Mobile device security risks are most often caused by lost and stolen devices, broader data access, and a lack of user security awareness. In a BYOD environment these risks are accentuated when companies fail to set minimum security requirements or to instill user security awareness. Securing employees' devices should be an ongoing effort that includes:
- Evaluating and monitoring device usage and access
- Enforcing standard security policies like encryption, passwords, and remote wiping of compromised devices
- Certifying hardware, operating systems, and applications
- Implementing layered access to protect critical data and applications