{"id":2783,"date":"2014-02-07T00:00:00","date_gmt":"2014-02-07T00:00:00","guid":{"rendered":"http:\/\/otava.test\/top-10-tips-for-securely-managing-byod-in-the-workplace\/"},"modified":"2014-02-07T00:00:00","modified_gmt":"2014-02-07T00:00:00","slug":"top-10-tips-for-securely-managing-byod-in-the-workplace","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/top-10-tips-for-securely-managing-byod-in-the-workplace\/","title":{"rendered":"Top 10 tips for securely managing BYOD in the workplace"},"content":{"rendered":"

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute<\/a>. (View original post<\/a>.) <\/em><\/p>\n

For more BYOD <\/a>information, check out a replay of a past Online Tech webinar<\/a> co-hosted by Tatiana Melnik, an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance, “To be BYOD or not to be BYOD: Is a Bring Your Own Device Policy Right for Your Organization?” We’ve also previously compiled some of the best <\/a>articles, white papers, webinars and other media that explains mobile data security and how to prevent compromised data in your organization.
\n<\/em><\/p>\n

The BYOD (Bring Your Own Device) phenomenon is expanding at an incredible rate. It is something that affects every business, from the smallest to the largest. How each business is dealing with BYOD ranges from complete apathy to a full embrace of it with sophisticated processes and controls in place to maximize employee productivity while minimizing risk to the business.<\/p>\n

The goal of this article is to give you the information you need to get control over how employees are using their own personal devices to access, store, and communicate business-owned information in the course of doing their jobs.<\/p>\n

Even if you\u2019ve never heard the term BYOD before, you are almost certainly aware of it.<\/p>\n

Until a few years ago, the way most businesses gave their employees mobile access to corporate resources such as email was to issue them a device, with Blackberry devices being very popular because of their strong central management capabilities. The company would completely control the configuration, use, and security of the devices because the devices belonged to the company.<\/p>\n

Recently the mobile devices that are marketed to consumers, which individuals are buying for their own personal use, contain sophisticated capabilities to do email, access documents over a network, run web-based intranet apps, and beyond. Employees having already bought such a device for their own personal use would much prefer to use that device for their business dealings rather than carry a separate company-issued device.<\/p>\n

\"Smartphone<\/a>
Smartphone Security<\/figcaption><\/figure>\n

The reason that BYOD is something you need to be aware of and to deal with is that the pressure from employees to support it will only continue to grow. If your company were to completely suppress BYOD by allowing only company-issued and owned devices and completely banning the use of personal devices, you will eventually not be able to avoid the fallout of your employee\u2019s frustration. Most employees are dedicated to their employer\u2019s goals and have the best of intentions and want to get their jobs done in the most efficient way possible. If you take away a popular means for increasing their efficiency, they will eventually be more attracted to other companies that are not as restrictive.<\/p>\n

But embracing BYOD for the sake of your employee\u2019s productivity and good morale does not have to mean simply swinging the barn door wide open and letting it be a free-for-all. There are steps you can take to put processes in place, and tools to enforce elements of those processes, that will allow your employees to use their personal devices to be productive while minimizing the security risks to your company. For more information on enterprise security and the processes discussed in this article, check out our Certified Information Security Manager (CISM) <\/a>certification program.<\/p>\n

Tips:<\/p>\n

1. Know who is accessing your network and your data<\/strong><\/p>\n

This seems obvious but needs to be said. Regularly review what accounts are active for your email service, your VPN, intranet applications with their own user databases, etc. Are there any accounts active for anyone that shouldn\u2019t have access (former employees, contractors, etc.)? Are there any accounts with unusual activity such as a high number of unsuccessful logins? Do you have any open access to business data that does not require any authentication?<\/p>\n

This is not necessarily specific to mobile devices \u2013 you should already be aware of all the openings on your network. This includes anywhere that someone may obtain access to corporate data, and you should be monitoring the access made by any type of endpoint.<\/p>\n

2. Know what data can be accessed remotely<\/strong><\/p>\n

Some information your company keeps that employees use for their job is not at risk of loss because it has no special value that would be compromised in the hands of outsiders. Other information is extremely valuable and must be guarded carefully.<\/p>\n

It is helpful to prioritize the relative risk of the data that can be accessed through each portal to the outside world. Obviously, you\u2019ll want to put more effort into controlling access to those places that have the most sensitive data and may want to put less effort, or even no effort, toward controlling access to places with low-risk data.<\/p>\n

3. Know how employee devices are configured<\/strong><\/p>\n

Mobile devices are of particular concern when it comes to corporate data because of their high susceptibility to physical loss. Any data that the employee rightly needs access to in order to do their job is a liability if the device were to fall into someone else\u2019s hands. In addition to the risk of their form factor, there is additional risk of data loss through electronic means. Vulnerabilities exist in all of the popular mobile device platforms.<\/p>\n

The most immediate and effective line of defense is to minimally ensure that each device that is used to access your network is properly configured to reduce the risk of data loss from that device. The appendix suggests some specific settings that should be checked, and there are a number of other sources that give specifics on safe configuration. But the most important part is that you are using some method to ensure that employees have their devices securely configured. This brings us to the next tip:<\/p>\n

4. Use a management and\/or audit tool<\/strong><\/p>\n

The most basic way to ensure that employees are safely configuring their devices would be to give them verbal or written instructions on how to do this and expect adherence to the policies. But there are potential problems with this approach:<\/p>\n

Employees, even the diligent ones, tend to forget about instructions \u2013 unless rigorous training is provided which makes the instructions become like second nature.<\/p>\n

They may follow the instructions after they are first communicated, but then forget about them over time and let their devices drift into more risky configurations.<\/p>\n

You\u2019ll have better piece of mind if you have a way of knowing for certain that your instructions are being followed, rather than simply trusting that they are.<\/p>\n

The best approach is to use a tool that can automatically report a device\u2019s configuration and help or force employees to keep them securely set. The best of these tools should give you good insight into how employee devices are configured and where they deviate from the policies you\u2019ve set for proper configuration. They should also aid in bringing employee devices in line with your desired configuration \u2013 either by guiding the employees to properly set their configuration, or by setting it for them.<\/p>\n

The tools most commonly recommended today are MDM (Mobile Device Management) tools. However, MDM tools are a somewhat heavyweight solution and might be more than what is needed for a lot of smaller organizations.<\/p>\n

There is an alternate approach that may be more suited to BYOD because it does not take control of the employee\u2019s device. This new class of tools provides Mobile Device Auditing, which reports on current device configurations, but does not take complete control of the device. These tools may be a more lightweight approach to getting a handle on BYOD devices and may be more popular with your employees.<\/p>\n

5. Communicate clearly with your employees<\/strong><\/p>\n

It is important that employees using BYOD are told clearly what type of monitoring and\/or control of their devices is being employed. For example:<\/p>\n