Ask an Expert
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an ExpertAny company where employees can bring smartphones, tablets or personal laptops to the workplace needs a bring your own device security policy (or BYOD policy, for short). Nearly every employee brings an Internet-connected device to work. Even if this device is not actively connected to a company network, it can still present security risks.
Using a personal device for something as innocuous as sending a work email can create vulnerabilities in an organisation’s network. Organisations of all sizes find BYOD security challenging because companies must exert some control over smartphones and tablets owned by their employees. After all, 40% of data breaches are caused by lost or stolen devices. However, in cultures that place an emphasis on personal liberty, policies such as these can meet resistance or resentment from employees. A delicate but firm approach to this issue is best.
What can companies do to improve their cybersecurity in these conditions? One option is to prohibit BYOD entirely and enforce this policy rigidly. However, the global BYOD market is large and growing. The 2022 market was estimated to be worth $350 billion. The work-from-home trend catalysed by the pandemic has expedited its growth. The alternative is to lean into the practice, while enacting common-sense BYOD policies and security, to make it safer for both companies and employees. Most companies find this to be the easier of the two options to implement, not that a sensible BYOD policy does not require effort and consideration.
BYOD means that, nominally, companies spend less on hardware and software for their employees. 82% of companies allow employees to use personal devices for work. 71% of these employers find it allows people to be more comfortable when using devices, since they are most familiar with their personal phones. 58% find that it is more productive. However, only 55% find that it reduces costs. Why the discrepancy? Likely because out of the companies whose security policies permit BYOD, a startling 50% experience data breaches via employee-owned devices. No wonder that 26% of companies that oppose the adoption of BYOD policies cite security concerns as their prime reason.
Any BYOD policy worth its salt will cover these elements:
The following provisions will need to be considered by policymakers so that the best options can be delivered:
Privacy provisions: how can companies balance data protection and employee privacy with BYOD?
How best to go about devising coherent and secure BYOD practices? Any policy drafting of this scale should involve both employees and stakeholders. Employee input can be obtained through a survey, a great basis for planning policy. Execs, HR, IT operations, finance and security should all be looped in and represented in a BYOD project management team. These departments have contributions to make.
Once a survey has been sent out and responses received, beneficial analyses to make include which data and apps are needed on employee devices. After introducing the completed policy, training is a vital stage of the process. Employees at all levels must be instructed on data handling protocol, device troubleshooting, the procedure for lost or stolen devices, which apps to use and anti-phishing measures, as well as broader instruction in vigilance against cyber threats.
It is widely believed that employees untrained in cybersecurity are the greatest hazard to organisational data integrity. In 2014, 87% of IT managers believed that the biggest threat to organisations were mobile devices used by careless employees. In 2020, a startling 96% of attacks on mobile devices used apps as a vector. This is because a supermajority of apps, nearly 4 in 5, embed third-party libraries that can create vulnerabilities.
Which apps should a company that is implementing a strong BYOD policy use? A study found that employees use five or more apps every day. Organisations should include a dedicated secure messaging platform, email, CRM and whichever other apps they feel their employees will need. Make sure that apps which could be liabilities are explicitly off-limits.
Organisations should also have specific procedures in place for employees who leave the company, for whatever reason. When an employee leaves, an organisation must ensure that all data is taken off their devices, and any access to company apps is similarly withdrawn. However, this duty presents many difficulties and is often considered reason enough to abandon BYOD policies and provide their own devices.
A policy is only as strong as the ability of a company to enforce it, which unfortunately requires that there be consequences for those who cannot abide by the policy. Any policy should have specific details concerning the tracking, measurement and enforcement of accountability distributed so that all team members are aware. Lack of oversight is one of the major issues for BYOD implementation. Companies need enough IT support staff to get employees set up, with ongoing support and monitoring.
After systems and protocols have been secured, organisations should prioritise education for employees. If a BYOD is to succeed, impressing the importance of acceptable use and basic data security hygiene upon employees is essential.
Security solutions that should be considered for inclusion in a BYOD policy include:
Monitoring tools for data location and data access patterns, for detection of suspicious behaviour such as access from insecure or suspicious locations (e.g. North Korea).
One method of providing better security for BYOD systems is issuing encrypted USB flash drives and encrypted SSDs to employees. More economical than providing phones or tablets for an entire workforce, and considerably more straightforward than containerising every device that a workforce brings on-site, data stored on these devices is much better protected than on the average device. With sufficient quality encryption, a thief who can obtain an encrypted drive cannot make any headway to access privileged data.
#KingstonIsWithYou #KingstonIronKey
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an Expert