Organizations that plan to embrace the recent wave of workers bringing devices from home can benefit from the natural productivity gains of having users’ preferred devices accessing corporate systems. However, there is serious risk and the considerations below should be evaluated carefully prior to introducing your employees’ smart phones and tablets to your technology infrastructure.
There is a broad range of considerations to be evaluated before establishing a BYOD policy. It pays to assess all of the following topics with care prior to embarking on a BYOD policy for your business. We recommend that detailed policies and guidelines are put in place and communicated to all employees who will take part in the BYOD program.
Since devices like smart phones and tablets enable access to locally-stored data like email, your approach to Information Security on these devices is critical. The following items should be determined prior to implementing a BYOD policy:
- Ensure your Information Security Policy addresses the management of remote devices and the type of information allowed on these devices. The policy should also establish procedures on dealing with non company owned devices that access company information.
- Ensure you have expiring passwords on a regular basis and strong password authentication, as personal devices are more likely to be accessed by non employees.
- Establish a strong audit process to ensure that the Information Security Policy and Procedures are effective.
- Have a standard policy to de-commissioning devices when an employee leaves the company.
- Be careful that the enablement of remote devices does not create general network security vulnerabilities.
Device and User Eligibility
Determine the employees eligible to be supported in your BYOD policy. Careful balance needs to be applied to the number of employees that should participate and the predicted productivity gains that would be achieved. Items to consider include:
- Develop an access policy based on geography, role or management approval
- Develop an access policy to a fixed set of corporate applications or data
- Minimize the number of devices the company will support per employee
Be clear about who can BYOD, what devices are allowed/not allowed and how does one obtain approval (if required). Decisions on eligibility will have a significant impact on the level of risk of BYOD to your organization.
End User & Device Support
Problems may arise by introducing new device connectivity to your network and systems. The company policy should be clear about the level of support an end user should expect. Setting these expectations before your support lines fill up with calls you may not be equipped to handle is paramount.
- Clarify specific applications and situations the company will support
- Specify what users should do themselves before reaching out for support
- Create a BYOD Users guide to document all access and support guidelines
Acceptable Use of Approved Devices
Once access is granted for a user and device, clearly communicate what constitutes acceptable use of the device while connected to your network, applications and data.
- Device sharing policy for employees that have access to corporate applications and data
- Restrictions on internet use when users are not accessing sites through the corporate VPN
- Specify the applications and data that approved users can access via their own device
It is important to strike a balance between flexibility for your employees and the potential risk of inappropriate usage by the approved user or someone else.
The risk of data loss in a BYOD-friendly organization is real (as are the benefits of BYOD), so it is critical to define the right risk mitigation policies. It is important to consider the issues outlined here, and any unique ones that are specific to your business and industry.
For more information about the implementation of a BYOD policy or security-related questions, contact Superior Technology Solutions. We look forward to sharing our extensive technology background with your organization. For more information, visit us on the web at www.SuperiorTechnology.com or call us at 845-735-3555.
Comments are closed.