Bring your own device: security measures for personal devices in the workplace

BYOD security best practices

Any BYOD policy worth its salt will cover these elements:

• Permissible device types
• Acceptable use: what apps and assets can employees access from their devices?
• Minimum requirements for device security controls: what safety measures will the company require for BYOD devices?
• Company-provided components: for example, SSL certificates for device authentication
• Company rights concerning the modification of the device: for example, remote wiping in the event of a device’s theft or loss
• What happens to company data on the devices of employees leaving the company?
• Who owns the apps and data on the device? Will staff be reimbursed by the company for apps or monthly fees?
• What support will IT render to device owners?

The following provisions will need to be considered by policymakers so that the best options can be delivered:

• Common sense rules: a limit to personal calls and video at work, no use when driving
• Maintenance and upgrades: any finalised policy should ensure that employees reliably keep devices and apps up to date
• Data transfer provisions: company data should be encrypted and password protected, and only transferred on company-mandated applications
• Password provisions: password use is obviously non-negotiable in protecting sensitive information; two-factor authentication may also be required

Privacy provisions: how can companies balance data protection and employee privacy with BYOD?

BYOD security policy

How best to go about devising coherent and secure BYOD practices? Any policy drafting of this scale should involve both employees and stakeholders. Employee input can be obtained through a survey, a great basis for planning policy. Execs, HR, IT operations, finance and security should all be looped in and represented in a BYOD project management team. These departments have contributions to make.

Once a survey has been sent out and responses received, beneficial analyses to make include which data and apps are needed on employee devices. After introducing the completed policy, training is a vital stage of the process. Employees at all levels must be instructed on data handling protocol, device troubleshooting, the procedure for lost or stolen devices, which apps to use and anti-phishing measures, as well as broader instruction in vigilance against cyber threats.

It is widely believed that employees untrained in cybersecurity are the greatest hazard to organisational data integrity. In 2014, 87% of IT managers believed that the biggest threat to organisations were mobile devices used by careless employees. In 2020, a startling 96% of attacks on mobile devices used apps as a vector. This is because a supermajority of apps, nearly 4 in 5, embed third-party libraries that can create vulnerabilities.

Which apps should a company that is implementing a strong BYOD policy use? A study found that employees use five or more apps every day. Organisations should include a dedicated secure messaging platform, email, CRM and whichever other apps they feel their employees will need. Make sure that apps which could be liabilities are explicitly off-limits.

Organisations should also have specific procedures in place for employees who leave the company, for whatever reason. When an employee leaves, an organisation must ensure that all data is taken off their devices, and any access to company apps is similarly withdrawn. However, this duty presents many difficulties and is often considered reason enough to abandon BYOD policies and provide their own devices.

A policy is only as strong as the ability of a company to enforce it, which unfortunately requires that there be consequences for those who cannot abide by the policy. Any policy should have specific details concerning the tracking, measurement and enforcement of accountability distributed so that all team members are aware. Lack of oversight is one of the major issues for BYOD implementation. Companies need enough IT support staff to get employees set up, with ongoing support and monitoring.

After systems and protocols have been secured, organisations should prioritise education for employees. If a BYOD is to succeed, impressing the importance of acceptable use and basic data security hygiene upon employees is essential.