It seems like everyone is working remotely these days. Even those of us who don't still end up doing some sort of late night or weekend work outside of the office. The devices we're using, those personal cell phones, tablets, and laptops, are handling sensitive data, and they need to be protected.
Personal devices no longer hold only personal info. We're all carrying around a treasure trove of business data. Without a BYOD policy, you must assume that your business data is vulnerable.
What is BYOD?
Today the most common scenario is for employees to purchase, own and control smartphones and tablets that are used for both work purposes and personal use.
This is referred to as BYOD (Bring Your Own Device).
Remember when there was a big pushback from IT departments about supporting personal devices?
That was circa 2009 when "Bring Your Own Phone" was just starting to gain popularity, and many businesses went so far as blocking personal mobile phones from their networks and mail servers. Fast forward to today. The BYOD trend has spread to every industry.
It’s expected, if not mandated, that the IT department support personal devices, using Mobile Device Management (MDM) software to allow employees to access the company's sensitive corporate data at all hours of the day and night from anywhere. The productivity gains can be huge, but they come at a risk!
What is a BYOD Policy?
A BYOD policy is a set of rules governing an IT department's level of support for employee-owned devices such as laptops, tablets and smartphones/SIM cards AND it outlines the responsibilities of the employees.
BYOD Statistics in the U.S.
- 87% of companies rely on employees using their personal smartphones to access mobile business apps, services, and corporate networks
- Almost 50% of businesses require their employees to use their personal smartphones
- About 70% of companies say that they reimburse their employees in some fashion for BYOD, while only 29% of employees reported that they receive BYOD reimbursement for their data plan.
So while we could debate who is benefiting the most from this, there is one huge pitfall that has surfaced with the BYOD mobile movement - lack of security training, practices and policies.
The biggest concern businesses have is the risk of compromising company data, whether by lost/stolen devices or by cyber-attacks and threats.
BYOD security policies need to be taken very seriously, and it's an unfortunate fact that most companies do NOT have a BYOD security policy in place.
Pros and Cons of a BYOD Policy
Increased costs. If a BYOD management program is implemented correctly, the security measures that are necessary to comply with best practices for security will add to the cost of BYOD. This typically means purchasing mobile device management (MDM) software, which allows companies to remotely manage end-user devices.
Employee privacy concerns. Most employees have not been told about the risk of using personal devices at work. If the organization they work for is sued, their personal data may be at risk as well. Additionally, in many cases the company may have access to everything on the employee’s device, even private information, depending on the type of mobile management the company has deployed.
Increased risk of cyber-attacks. With the explosion of mobile device usage, hackers now have many more “attack surfaces” than before, such as introducing untrusted mobile apps that may be vulnerable or malicious. Personal devices are also very attractive to hackers because not only do they contain company data, but also personally identifiable information (PII) about the user.
Employee non-compliance. How many of us have avoided rebooting our devices after being prompted to update? Keeping mobile devices updated with patches and operating system upgrades is imperative for security reasons, but it’s difficult to enforce this without some sort of MDM solution.
Physical loss or theft. Now that our devices are not tethered to our desks, it’s incredibly easy to lose track of your smartphone, laptop or tablet. The true cost of a lost mobile device goes far beyond the price of replacement, thanks to lost productivity, loss of intellectual property, data breaches and legal fees. It’s been estimated that the average loss to a company exceeds $49,000 per lost or stolen device!
Getting Started with a BYOD Policy
Implementing BYOD policies to protect both the business and their employees is basically a requirement today. Don’t rely on informal conversations and assumptions.
There is NO case where a Bring Your Own Device Policy should exist without the following three components:
- A software application for managing the devices that are connected to the company network
- A written policy that outlines the responsibilities of both employer and user
- An agreement that users must sign acknowledging that they read and understand the policy
To help get you started with your mobile security planning, check out this BYOD policy that outlines the requirements for BYOD usage, and establishes the steps that users and the IT department should follow.
Key Policy Features
Your BYOD Strategy and Policy needs to include employer and user responsibilities, a software application for managing the devices on the network, and a signed agreement stating that every employee understands and will comply.
BYOD use is growing every year, and most businesses believe it’s a good thing. After all, there’s no learning curve to the personal device your employees already own. They also have it with them all day every day, and probably have email notifications turned on all the time.
Without a good BYOD agreement and policy, you’re simply not safe.
What if something happens, and an employee’s iPhone manages to bring spyware onto your company’s network? Even if you can prove it, your case may be in a legal gray area without a signed copy of the employee’s BYOD policy.
3 Key Tips and BYOD Best Practices
Use secure messaging systems.
You can protect your data behind secured data centers with state of the art security and on a network with all kinds of endpoint security, but if you’re transferring the data over an unsecured messaging channel, you’re still at risk.
If you’re using Microsoft 365, you should be taking advantage of Microsoft Teams.
With the 365 E3 license, you’ll be able to use Teams for all of your messaging. Video, audio, and text-based chat are all secured. Transfer files back and forth with full-time data encryption. All this in one cost saving package!
Even if you don’t want to use Office 365, the free version of Teams will at least give you a secure location to chat over text and securely transfer files. Don’t let something as simple as the channel of communication cost you your data!
Train your employees on mobile device security.
No matter what your organization does, chances are, your employees don’t have enough cyber security training, which is an even bigger problem on mobile devices. Phishing emails affect every single employee in any business in the world. Without proper knowledge and training of end users, your business will eventually be the victim of a phishing attack.
Data breaches are becoming commonplace in our tech-based world. Costing an average of $3.5 million per breach, your company simply can’t afford the risk. The only solution to this problem is phishing prevention training.
With phishing prevention training, your employees will be taught what to look for in a malicious email, with interactive guidance, and even discreet random testing throughout the year with results reported directly back to you.
No piece of security software is going to keep you safe from untrained employees. The bad guys know this, and you should too.
Use multi-factor authentication everywhere you can.
These days, even your best password practices aren’t good enough for real data protection. You absolutely must use multi-factor authentication whenever it’s available.
Multi-factor authentication (also known as two-factor authentication or 2FA) makes sure that only verified users can access online applications and accounts by requiring an extra layer of security, usually involving the user’s cell phone. Enter your password, verify from your cell phone, and you’re in!
Most accounts today offer some sort of multi-step verification process. Even your social media accounts can be enabled to confirm your identity through your phone number. Combining something you know (your password) with something you have (your phone) helps ensure that your accounts are safe.
With MFA, a stolen password isn’t enough!
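To make the "something you know plus something you have" point concrete, here is an added example (not code from the original post) of a login check that requires both a password and a time-based one-time code of the kind a phone authenticator app generates (RFC 6238 TOTP). The user record, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo credential store: a salted password hash plus a per-user
# TOTP secret. A real deployment would use a slow password hash (e.g. argon2)
# and keep the shared secret in a secrets vault, not in source.
_SALT = b"demo-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the 30-second counter floor(at/step)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(user: str, password: str, code: Optional[str], now: int) -> bool:
    """Both factors must verify; a stolen password alone is rejected."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # constant-time comparison so the check leaks nothing about the stored hash
    if not hmac.compare_digest(rec["pw_hash"], candidate):
        return False
    if code is None:                             # "something you have" is missing
        return False
    # Accept the current 30-second step and one step either side to tolerate
    # clock drift between the phone and the server.
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(rec["totp_secret"], now + drift), code):
            return True
    return False
```

Run with a real authenticator app by provisioning it the same base32-encoded secret; the code it shows should match totp(secret, int(time.time())).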
There are many other layers that are needed for robust cyber security protection across an organization, but a BYOD policy is a great place to start. Be sure to check out our complimentary BYOD policy below, and as always, reach out to us if you need IT consulting assistance as you move through the ongoing journey of protecting your business!