BYOD is “Bring Your Own Device”. It is a practice of allowing employees to use their personal devices (phone, laptop, desktop, tablet) in a professional context.[1] Traditionally, a company's employees purchase their own equipment for the purpose of using it for professional purposes, with or without the support of the organization's IT function. The uses are varied, but generally consist of accessing emails, contacts, calendars, documents, web apps, various applications, collaboration tools and other business systems.
With the proliferation of personal devices, the reduction in user fees and the democratization of the use of these devices, “BYOD” is today a major trend in the world of technology. According to a survey carried out in 2013, nearly 60% of workers accessed data related to their job via their smartphone or tablet. On the other hand, only 1/3 of companies had implemented management tools and processes for the use of these devices.[2]
There are several benefits for a company to encourage employees to use their personal devices to access organizational data and systems, including:
- “BYOD” facilitates teleworking, which promotes a better work/life balance;
- Employees are happier and more satisfied. They use what they love – and what they have invested their hard-earned money into;
- Employees do not have to deal with their employer's budgetary challenges, which is often a relief for them;
The “Bring your own device” trend, however, comes with its share of problems. Indeed, companies that have adopted the “BYOD” practice must manage and support a variety of mobile devices (different brands and models) running different operating systems (iOS, Android, Windows, etc.). They face big challenges in terms of support, security, control and management of the mobile fleet. The problem of managing employees' professional lives versus personal lives is also part of the equation.
As an SME manager, what should you do to limit the risks associated with BYOD? Here are the nine best practices to implement for healthy management of personal devices in your business.
- Implement a remote access and use of personal devices policy and disseminate it to employees
Implementing a remote access and use of personal devices policy will guide the conduct of your employees. This policy includes in particular the list of accepted devices, rules on securing devices (activated security code), the definition of an adequate and secure password (Lower case, upper case, number, special characters, etc.), this which can and cannot be downloaded via the company network, etc.
Although your employees use their personal devices, it is important to remind them that this use is done in a work context and that for the sustainability of the organization, rules of conduct and use must be dictated. Make sure employees have read and adhere to the policy.
- Building an infrastructure optimized for BYOD and mobile devices
Creating a separate network for personal devices allows for better management of network traffic and greater control over data flowing to or from those devices. This separate network also facilitates the authentication, in accordance with the principles dictated by the usage policy, of devices that connect to the network and thus eliminates unauthorized access.
- Establish a process to manage the departure of an employee
Whether it is voluntary departure, dismissal or even death, the departure of an employee must be managed adequately. It is important to ensure that an employee does not take organizational secrets with them. To do this, actions must be taken, often even before the employee leaves. This process will indicate what to do in such cases.
- Implement access and identity management
Access and identity management is used to initiate, capture, record and manage the identity of users and the access granted to them. Specialized tools are available to implement such a policy and manage authorizations in an automated manner. Automated management ensures that access privileges are granted based on a single interpretation of the policy and that access will be properly authenticated, authorized and audited.
Access and identity management improves security while reducing complexity and limiting many of the risks usually associated with heterogeneous environments. A rational approach to access to corporate data and systems should include an access control policy, structured separation of roles and single sign-on.
Implementing access and identity management significantly reduces the risk of a security incident even as your employees use their personal devices more and more frequently.
- Protect sensitive and/or personal information
Information is the lifeblood of organizations these days. Data on your customers, your markets, your products, your suppliers, everything is now computerized and can be the target of a competitor or a simple malicious hacker. The use of personal devices increases the risks associated with accessing sensitive data. This is why it is important to ensure that the data the company has is properly secured. Who hasn't read about the theft of banking information, patents or manufacturing techniques?
- Monitor and record all activities
For a variety of reasons, it may be necessary to know what activities occurred during a given period of time on your corporate network. For example, to trace unauthorized access or confront an employee about use prohibited by the use policy. Implementing activity monitoring and recording tools is essential to maintaining control of the organization's networks and systems.
- Separate corporate data from personal data on devices
In an ideal world, business data is separate from personal data. One way to achieve this is to create a partitioned workspace on personal devices. This way of doing things avoids mixing personal information or applications with corporate ones and helps reduce the risks that could lead to sensitive data being compromised.
Furthermore, in view of the law on privacy, the organization must not have access to the personal information of employees. Adequate mechanisms must therefore be put in place to prevent any access.
- Implement remote device wiping
You must be prepared to face any eventuality. Theft or loss of a device is common these days. If sensitive data ends up on the device, the company must be able to take appropriate actions to prevent this information from ending up in the wrong hands. Implementing a tool that allows remote wiping of data on the device is a perfect example of this type of measure.
- Encrypt data on devices
Adding encryption to devices is an effective way to protect data from loss or theft. Today there are tools allowing centralized management of encryption policies based on the notions of users, groups and data sensitivity. By encrypting data on personal devices, organizations can drastically reduce the risks associated with the security of data on them.
If you would like to share your thoughts on this article, simply reply to this message or email us at info@6dt.ca . We look forward to reading your comments.
[1] Wikipedia
[2] Ovum's 2013 Bring-Your-Own survey of 4,371 employees in businesses in 19 countries