True or false: While the concept of Bring Your Own Device, or BYOD, has been around for a few years, adoption by some companies has been slow. False! As humorously depicted in the picture above (more on this later), BYOD is increasingly taking over the modern office. Is your MSP properly prepared? Are all of your employees on the same page?
We may want to believe that adoption is slow, but look at any senior leadership team and ask how many personal devices are connected to company email. If the answer is anything greater than zero, BYOD is active in that company and the security risks that accompany it need to be addressed. Not familiar with the security risks associated with BYOD, or with how implementing a BYOD policy can help mitigate them?
Risky Business – BYOD Security Issues to Address:
Mixing company and personal data
Company information such as contacts, email and downloaded attachments sits on the same device as personal contacts, pictures and files, which the user may not want the company to be able to access.
This is especially dangerous when company information needs to be removed or wiped from the device. How can IT determine what should be removed and what should not? A proactive BYOD policy must give users guidance on how to separate and protect company data while maintaining personal privacy.
Minimal or no security
Without a BYOD policy, the security options that enforce a passcode or password on a device, along with its minimum length, expiration and history, are not set. The device’s screen lock, or idle timeout before auto-lock, is not enabled. Additionally, the number of failed log-on attempts before the device is wiped has not been set.
These are all crucial components of a sound BYOD security policy.
Lost or stolen
Devices are normally small and are often left unattended, where they can be forgotten by the owner or even stolen before the owner is aware that they are gone. You must put in place a system to remotely lock down and wipe devices so that sensitive information is not stolen or accessed by unauthorized individuals.
Jailbreaking or rooted devices
Jailbreaking or rooting a device lets the user gain administrator-level privileges and run applications or perform functions that are not sanctioned by the device and OS manufacturers. This weakens the security protection mechanisms that would normally be enforced and kept up to date by applying patches.
Concerns continue to increase as malware threats become more complex and infections are reported. Malware can be delivered via SMS text messages or by downloading apps from unknown sources, and it can be used to intercept communications as well as record audio and video and even take pictures without the owner knowing.
Importance of a BYOD Policy
Implementing a BYOD policy is critical to a business because it sets employee expectations and acceptable use guidelines for handling company information or connecting to network resources. A BYOD policy lists which device models and minimum operating system versions are supported by IT, and states that devices that have been rooted (Android) or jailbroken (iOS) are not permitted to access corporate information and resources. The policy provides details on which company-owned resources may be accessed using a device, as well as what information is not authorized, such as restricted or confidential information. A BYOD policy also covers functions and features of the device that are not authorized for use while at a company site, as well as approved repositories for downloading applications. It should also provide processes for separating company and personal data, and define the situations in which IT is required to search or wipe a device.
Compliance with security policies is another component of a strong BYOD policy. This includes passcode or password protection, device locking when idle, and establishing how many failed login attempts are allowed before the device is wiped. Additionally, you have to determine how this will be enforced, whether by using Mobile Device Management or another mechanism, to assure that company information will be secure.
Employees enjoy the freedom and flexibility of using their own devices at work as it improves effectiveness and increases productivity. However, not addressing the above security concerns with an enforced policy and awareness campaign could put company data at risk.
We had a lot of fun as you can tell in the SlideShare above, but BYOD is a serious matter that your company needs to address. We hope our stunt illustrates how mayhem ensues when you don't clearly define what your MSP business's policy is regarding BYOD. How have you responded to the BYOD craze? Have any suggestions for readers? Sound off in comments below!