These days, most of us are waking up to a very different workday routine. We grab our laptop, tablet, and cell phone to sit down to work in our "offices" (spare bedrooms, dining room tables) and start the day. Who owns those mobile wireless devices - you, your company, or a bit of both?
Chances are the phone and the tablet are your personal devices loaded with personal information, while the laptop is provided by your company - even though you routinely use all of them for work purposes.
In most cases, only large enterprises supply their employees with all of their hardware, which might include mobile devices, laptops, workstations and maybe even wearables.
However, today the most common scenario is for employees to purchase, own and control smartphones and tablets that are used for both work purposes and personal use.
This is referred to as BYOD (Bring Your Own Device).
Remember when there was a big push back from IT departments about supporting personal devices?
That was circa 2009 when "Bring Your Own Phone" was just starting to gain popularity, and many businesses went so far as blocking personal mobile phones from their networks and mail servers. Fast forward to today.
It's expected, if not mandated, that the IT department support personal devices, using Mobile Device Management (MDM) software to let employees access the company's sensitive corporate data at all hours of the day and night from anywhere. The productivity gains can be huge, but they come with risk.
BYOD Statistics in the U.S.
- 87% of companies rely on employees using their personal smartphones to access mobile business apps, services, and corporate networks
- Almost 50% of businesses require their employees to use their personal smartphones
- About 70% of companies say that they reimburse their employees in some fashion for BYOD, while only 29% of employees reported that they receive BYOD reimbursement for their data plan.
So while we could debate who is benefiting the most from this, there is one huge pitfall that has surfaced with the BYOD movement - lack of security training, practices and policies.
The biggest concern businesses have is the risk of compromising company data, whether by lost/stolen devices or by cyber-attacks and threats.
BYOD security risks need to be taken very seriously, and it's an unfortunate fact that most companies do NOT have a mobile device access policy in place.
What is a BYOD Policy?
A BYOD policy is a set of rules governing an IT department's level of support for employee-owned devices such as laptops, tablets and smartphones (including their SIM cards), AND it outlines the responsibilities of the employees.
Pros and Cons of a BYOD Policy
Increased costs. If a BYOD program is implemented correctly, the security measures necessary to follow best practices will add to the cost of BYOD. This typically means purchasing mobile device management (MDM) software, which allows companies to remotely manage end user devices.
Employee privacy concerns. Most employees have not been told about the risks of using personal devices at work. If the organization they work for is sued, their personal data may be pulled into discovery as well. Additionally, the company may have access to everything on the employee's device, even private information, depending on the type of mobile management the company has deployed: full device management can see and wipe the whole phone, whereas a managed work profile or app container limits the company's reach to the work data.
Increased risk of cyber-attacks. With the explosion of mobile device usage, attackers now have many more "attack surfaces" than before, such as untrusted mobile apps that may be vulnerable or malicious. Personal devices are also very attractive to attackers because they contain not only company data but also personally identifiable information (PII) about the user.
Employee non-compliance. How many of us have avoided rebooting our devices after being prompted to update? Keeping mobile devices updated with patches and operating system upgrades is imperative for security reasons, but it’s difficult to enforce this without some sort of MDM solution.
Physical loss or theft. Now that our devices are not tethered to our desks, it's incredibly easy to lose track of a smartphone, laptop or tablet. The true cost of a lost mobile device goes far beyond the price of replacement, thanks to lost productivity, loss of intellectual property, data breaches and legal fees. It has been estimated that the average loss to a company exceeds $49,000 per lost or stolen device. Full-disk encryption and a remote-wipe capability are what turn a lost device back into a mere replacement cost.
Getting Started with a BYOD Policy
Implementing a BYOD policy to protect both the business and its employees is basically a requirement today. Don't rely on informal conversations and assumptions.
There is NO case where BYOD should exist without the following three components:
- A software application for managing the devices that are connected to the company network
- A written policy that outlines the responsibilities of both employer and user
- An agreement that users must sign acknowledging that they read and understand the policy
To help get you started with your mobile security planning, check out this BYOD policy that outlines the requirements for BYOD usage, and establishes the steps that users and the IT department should follow.
Key Policy Features
Your BYOD policy needs to include employer and user responsibilities, a software application for managing the devices on the network, and a signed agreement stating that every employee understands the policy and will comply with it.
BYOD use is growing every year, and most businesses believe it’s a good thing. After all, there’s no learning curve to the device your employees already own. They also have it with them all day every day, and probably have email notifications turned on all the time.
Without a good BYOD policy, you’re simply not safe.
What if something happens, and an employee's iPhone brings spyware onto your company's network? Even if you can prove where it came from, your case may sit in a legal gray area without a signed copy of the employee's BYOD policy agreement.
3 Key Tips and Best Practices for BYOD
Use secure messaging systems. You can keep your data in secured data centers with state of the art security and on a network with all kinds of endpoint protection, but if you transfer that data over an unsecured messaging channel, you're still at risk.
With a Microsoft 365 E3 license, you can use Teams for all of your messaging. Video, audio and text-based chat, as well as file transfers, are encrypted in transit and at rest (end-to-end encryption is an opt-in option for one-to-one calls, not the default). All this in one cost-saving package.
Even if you don't want to use Microsoft 365, the free version of Teams will at least give you a secure location to chat over text and transfer files. Don't let something as simple as the channel of communication cost you your data.
Train your employees on mobile device security. No matter what your organization does, chances are your employees don't have enough cyber security training, and the problem is worse on mobile devices, where a small screen hides the sender address and the real destination of a link. Phishing emails reach every employee in every business. Without proper knowledge and training of end users, your business will eventually fall victim to a phishing attack.
Data breaches are commonplace in our tech-based world. With an estimated average cost of $3.5 million per breach, your company simply can't afford the risk. Phishing prevention training is a necessary part of the answer, alongside technical controls such as mail filtering and multi-factor authentication.
With phishing prevention training, your employees are taught what to look for in a malicious email, with interactive guidance and discreet random testing throughout the year, with results reported directly back to you.
No piece of security software is going to keep you safe from untrained employees. The bad guys know this, and you should too.
Use two-factor authentication everywhere you can. These days, even your best password practices aren't good enough for real data protection. You absolutely must use multi-factor authentication whenever it's available.
Two-factor authentication (2FA, the most common form of multi-factor authentication, or MFA) makes sure that only verified users can access online applications and accounts by requiring a second proof of identity, usually involving the user's cell phone. Enter your password, verify from your cell phone, and you're in.
Most accounts today offer some sort of multi-step verification process. Even your social media accounts can be set to confirm your identity through your phone. Combining something you know (your password) with something you have (your phone) helps ensure that your accounts are safe. One caveat: a code sent by SMS can be intercepted through a SIM-swap attack on the carrier, so prefer an authenticator app or a hardware security key where the service offers one, and keep SMS as the fallback rather than the primary factor.
With 2FA, a stolen password isn't enough.
There are many other layers needed for robust cyber security protection across an organization, but a BYOD policy is a great place to start. Be sure to check out our complimentary BYOD policy below, and as always, reach out to us if you need IT consulting assistance on the ongoing journey of protecting your business.