Risks and Rewards of a Bring Your Own Device Policy

Written by Steven Randall, Partner, Vonya Global

Today most people can’t imagine getting through the day without their mobile devices, and many employees expect to be able to use their personal electronics at work. In fact, even if your employees really aren’t supposed to use their own devices for work purposes, chances are good that they do so nonetheless. The officially recognized practice is called “BYOD,” or Bring Your Own Device.

The BYOD trend presents challenges for your company’s IT security department. BYOD computing policies may bring convenience, but they also create privacy concerns, fraud risks, potential data breaches and compliance violations, as well as the need for more detailed internal audits. It is crucial that management balance compliance and security with employee personal device usage and efficiency.

Assessing the Need for BYOD Policies

According to some studies, about 75 percent of all organizations already actively or passively engage in BYOD practices, but many businesses lack clear BYOD policies; a SANS survey of 500 IT executives showed that 31 percent of respondent companies have no BYOD policy at all. Regardless of whether or not your company has a BYOD policy, many of your employees probably use their personal devices daily with your company wireless, email, and other applications. Furthermore, your IT department may be unaware of the various personal devices accessing your networks: in the same SANS survey, fewer than 10 percent of respondents believed they were able to document all of the personal mobile devices connecting to the company networks for which they were responsible.

Your business runs a very high risk of compliance violations, privacy violations, data breaches, and even fraud under these conditions. BYOD can bring real benefits through increased efficiency and convenience, but not without the proper IT security measures in place. Comprehensive BYOD policies are absolutely necessary to manage employee mobile device use and to protect the company when employees leave, when devices are lost or stolen, and when malware appears on a device.

Benefits of BYOD Policies

BYOD policies increase security by defining usage parameters. They also provide other benefits for your business.

  • Increased Productivity

    When employees are able to quickly move from personal applications to company applications and have easy access to your organization’s systems, your business is likely to benefit from increased productivity. This is particularly true during off-peak times such as weekends and after hours. Senior managers in particular tend to use their company’s technology more frequently when they have access to mobile devices. In a sense, BYOD is a motivational strategy.

  • Improved Morale

    Employees appreciate the freedom to use their own devices. This affords them more control over their work day and corporate environment. BYOD therefore improves employee retention. It is also attractive for potential employees.

What To Address With Your BYOD Policy

Your employees may already be accessing vulnerable areas of your network with their personal devices. When establishing a BYOD policy, be sure to cover the following areas.

  • Define Privileges and Expectations Clearly

    A detailed BYOD policy should clearly indicate actions that are permitted and those that aren’t, as well as the consequences for violating policies. Specify devices and exact purposes. State the permissions the business retains in case the device is lost or stolen or in case of termination. Communicate that the organization reserves the right to wipe all corporate data and applications, but clarify that the company will not access personal applications. You also need to lay out the steps your company will take to avoid wiping personal files.

  • Ensure Industry-Specific Compliance

    For many businesses, BYOD presents special compliance challenges. For example, healthcare organizations have a host of government and industry-specific regulations. The electronic health record (EHR) mandate and HIPAA regulations necessitate that healthcare organizations maintain tight security, but banning the use of personal devices is often unrealistic. According to Health Management Technology, approximately 70 percent of IT specialists and physicians already access electronic health records using mobile devices. Employees using personal devices improperly, especially when accessing client information, can subject businesses to serious penalties.

  • Identify Current Risks and Gaps in Security

    At the outset of your BYOD implementation process, your IT security team should assess the extent to which employees are using personal devices and any security or compliance measures already in place. Assess the support available for personal devices and the degree to which your company can support all major platforms (Apple, Android, BlackBerry, and Microsoft).

Risks of BYOD

Although embracing the BYOD trend has many benefits for companies, there are risks that accompany this trend. The main risk areas are as follows.

  • Security of Personal Mobile Devices

    Greater security risk comes with more devices, especially with a more diverse range of devices in use. The same set of security controls must be applied to many different operating system and hardware combinations. To ensure that your IT security department is fully prepared to deal with BYOD concerns, it must be ready to deal with lost and stolen devices, employees leaving the company, employees who cannot access their own devices for whatever reason, and employees who are not sufficiently aware of the security risks posed by accessing company data from their devices. Two additional serious risks are malicious applications (malware) on a personal device that can be used as a foothold to attack your company’s servers, and security vulnerabilities within the applications your company uses to provide access to corporate data.

  • Sexting and Sexual Harassment

    Forty percent of adults age 34 and younger admit to “sexting,” otherwise known as sending sexually explicit text messages. If an employee does this on company time, with a co-worker, or in a professional context, the transgression is equally egregious as more traditional forms of sexual harassment. You need to make your employees aware of electronic misconduct and the consequences of their behavior.

  • Distracted Driving

    By now we all know that texting, emailing, using social media, or even talking on the phone while driving can be dangerous, and if your employees do any of those things while on the clock, your business might be liable. The Centers for Disease Control and Prevention (CDC) reports that almost 70 percent of adult drivers in the U.S. up to the age of 64 drive while talking on their cell phones in a given month. Make sure to educate employees on the dangers of driving while distracted, and make clear that they must not use their devices for work while driving.

  • Social Media Mayhem

    Even if you block your employees from using sites like Facebook and Twitter on your network, they may log on using personal devices. If your business has a BYOD policy, damaging social media activity from employees can hurt your company. This means that inappropriate comments posted on Facebook, or a photo on Instagram of an employee committing a crime, can be used as evidence against the company; a plaintiff need only show that the personal device was at some time used to perform work.

  • Increased Management Efforts

    BYOD demands greater organizational effort from your IT security team in several key ways. Your team must work harder to keep a detailed inventory of active mobile devices and to ensure the software on each device in use stays up to date. Your IT department must also train its staff to support every platform in use, including devices whose owners have not kept them properly maintained.

Plan a Step By Step Implementation Process For Your BYOD Policy

First, your IT security experts should determine what company data needs protection. Determine which personal devices will be supported and which must be excluded. Seriously consider excluding all “jailbroken” or “rooted” devices: these bypass the platform’s built-in protections (application sandboxing and enforcement of code signing), so unvetted applications and malware can gain far deeper access to the device and to any corporate data on it; most mobile device management (MDM) products can detect this state and refuse enrollment. You may also consider limiting BYOD access only to employees with justifiable business reasons for accessing the company remotely, although it is worth noting that many employees may access the company nonetheless.

Next, your IT security team should define security requirements carefully. Then, ensure your team trains all employees in your new BYOD policy and secures employee authorization to wipe devices remotely as needed in case of a security breach; this should be a condition to accessing company systems. Your IT security team must also monitor all employee devices for compliance on an ongoing basis.

After implementation, your IT team must maintain these security standards. The company should closely control wireless access: place personal devices on a separate network segment from servers and staff workstations, and use WPA2 on the access points, preferably WPA2-Enterprise (802.1X), so that each employee authenticates with individual credentials that can be revoked without changing a shared password. Hiding the SSID and filtering by MAC address are often recommended, but they add little real protection: a hidden SSID is revealed by any wireless scanner, and MAC addresses are trivially spoofed, so neither should be relied on as an access control. Consider using cloud infrastructure so that data is viewed on the device rather than copied to it. Ensure that all employees have anti-malware software and storage encryption enabled on their personal devices, require startup PINs of a minimum length (set a floor, not a ceiling; longer PINs are always acceptable), and require auto-lock timeout settings of ten minutes or less. Use mobile tracking, remote data wiping, and mobile device management software.
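The ongoing compliance monitoring described above (PIN length, auto-lock timeout, encryption, anti-malware, no jailbroken or rooted devices, supported platforms only) is the kind of check an MDM agent reports on and a policy engine evaluates. The following is an added example written for this article; it is not code from the original post or from any MDM product. The record fields, the platform list, and the numeric thresholds are assumptions chosen to match the recommendations in the text, and the sample inventory is constructed, not real device data.

```python
"""Check BYOD device posture records against a minimum policy.

Added example for this article, not code from the original post or from any
MDM product. The record fields and the policy thresholds below are
assumptions chosen to match the article's recommendations: storage
encryption and anti-malware present, a minimum (not maximum) PIN length,
auto-lock within ten minutes, no jailbroken or rooted devices, and only
supported platforms on current OS versions.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    min_pin_length: int = 6            # a floor: longer PINs are always acceptable
    max_lock_timeout_s: int = 600      # auto-lock after ten minutes or less
    require_encryption: bool = True
    require_antimalware: bool = True
    block_rooted: bool = True
    # Oldest OS version still accepted per platform (assumed values).
    min_os_version: dict = field(
        default_factory=lambda: {"ios": (15, 0), "android": (12, 0)}
    )


def parse_version(text: str) -> tuple:
    """'15.4.1' -> (15, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: dict, policy: Policy) -> list:
    """Return every policy violation for one device; an empty list means compliant."""
    problems = []
    platform = device.get("platform")
    floor = policy.min_os_version.get(platform)
    if floor is None:
        problems.append(f"unsupported platform {platform!r}")
    elif parse_version(device.get("os_version", "0")) < floor:
        problems.append(f"OS {device['os_version']} older than minimum "
                        + ".".join(map(str, floor)))
    if policy.block_rooted and device.get("rooted", False):
        problems.append("device is jailbroken/rooted")
    if policy.require_encryption and not device.get("storage_encrypted", False):
        problems.append("storage not encrypted")
    if policy.require_antimalware and not device.get("antimalware", False):
        problems.append("no anti-malware agent reported")
    pin_len = device.get("pin_length", 0)
    if pin_len < policy.min_pin_length:
        problems.append(f"PIN length {pin_len} below minimum {policy.min_pin_length}")
    # A missing timeout is treated as a failure: the device never locks itself.
    timeout = device.get("lock_timeout_s")
    if timeout is None or timeout > policy.max_lock_timeout_s:
        problems.append(f"auto-lock timeout {timeout} exceeds {policy.max_lock_timeout_s}s")
    return problems


def triage(inventory: list, policy: Policy) -> dict:
    """Map each device id to its violations so non-compliant devices can be quarantined."""
    return {d["id"]: evaluate(d, policy) for d in inventory}


# Constructed sample inventory (not real devices), as an MDM agent might report it.
SAMPLE_INVENTORY = [
    {"id": "iphone-alice", "platform": "ios", "os_version": "15.4.1", "rooted": False,
     "storage_encrypted": True, "antimalware": True, "pin_length": 6, "lock_timeout_s": 300},
    {"id": "android-bob", "platform": "android", "os_version": "11.0", "rooted": True,
     "storage_encrypted": True, "antimalware": False, "pin_length": 4, "lock_timeout_s": 1800},
    {"id": "tablet-carol", "platform": "windows", "os_version": "10.0", "rooted": False,
     "storage_encrypted": False, "antimalware": True, "pin_length": 8},
]

if __name__ == "__main__":
    for device_id, problems in triage(SAMPLE_INVENTORY, Policy()).items():
        status = "COMPLIANT" if not problems else "BLOCK: " + "; ".join(problems)
        print(f"{device_id}: {status}")
```

Two design points worth noting. The PIN check is a floor, which is the correction to the “maximum length” wording that sometimes appears in BYOD guidance. And a device that reports no auto-lock timeout at all is treated as failing rather than passing, because a missing value most likely means the control is not configured; fail-closed defaults like this are what keep a posture check from being bypassed by an incomplete report.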

Conclusions

BYOD computing gives rise to increased privacy concerns, fraud risks, potential data breaches and compliance violations, and the need for more detailed internal audits. However, it can also reduce employee attrition, increase productivity, and boost morale. Management can balance compliance and security with employee personal device usage and efficiency by implementing a smart BYOD policy.


This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamentals-based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn profile.