Should staff be left to their own devices?
Garrett O’Hara from Mimecast explains how organisations can better secure their network when employing a BYOD strategy.
The majority of companies (83 per cent) now have a bring your own device (BYOD) policy of some kind, according to recent surveys.
And while some companies do not have a policy in place, they need to realise some staff may still be using their own devices, such as mobile phones, to work from.
It’s an easy habit to get into because a mobile is like a connection that’s an extension of our hand.
Regardless of company decisions on this topic, policies around the use of employee devices should be comprehensive and made clear to employees, whether this is encouraging or banning the use of personal devices.
While people bringing their own devices to work is not a new phenomenon, networked devices have raised the stakes and, in IT terms, this phrase now refers specifically to instances where workers’ devices are connected to corporate networks.
Steps for security teams
BYOD devices hold both positives and negatives for the workplace, and it’s important for this to be managed with safety at the forefront. In short, BYOD is a good system if it is done right, so let’s explore both sides.
The positives to having a BYOD system:
- Cheaper running costs: having a policy that allows staff to use their own devices means lower outgoing costs for the company. This can potentially save time when onboarding new employees and make it easier for them to be able to work remotely when required.
- Productive employees: allowing staff to use their own devices can arguably make them more productive, as they are comfortable with using familiar technology.
- Quicker adoption of new technologies: another benefit to letting staff use their own devices is having a quicker adoption of new technologies in the company. This again will support the hybrid working environment, with newer technologies generally boosting new functions and updates making for ease of use.
The downsides to having a BYOD system:
- Increased risk of breaches: according to recent research by Mimecast, 8 out of 10 CISOs believe their company is at risk due to inadvertent data leaks by careless or negligent employees. BYOD holds the risk of increased breaches by mixing personal and professional uses, so it is important for businesses to have a robust, strategic policy in place.
- Blurred boundary: with access to both personal and professional platforms on one device, a blurred boundary is often created. It’s important for staff to feel like they are able to switch off after working hours, with the right to disconnect now being raised in discussions to avoid staff burnout.
- Privacy issues: lastly, some may feel an invasion of privacy when using personal devices for work activities, knowing that their employer can track their physical location and online activity when connected to corporate networks.
When these points are all considered and understood, security teams can build BYOD guidelines that work for the company to ensure staff can be left to their own devices safely without putting anyone at risk.
BYOD guidelines
Creating a BYOD policy can take time and it will likely change as new issues come up, however, here are just a handful of points to consider when putting together guidelines for staff.
- Require basic security standards, including the use of strong passwords with frequent updates, as well as having auto lock screens.
- Have a requirement in place about ensuring updates and patching is up to date.
- Have rules in places about personal use of the device during working hours.
- Have a clear outline around employee data obligations and any consequences that will come from breaches.
- Create a list of approved and banned applications, and preference for certain applications for work use — for example, WhatsApp is commonly used to share company information.
- Ensure you have a clear overview for employees stating how data is tracked, how policies are imposed and who owns different types of content on BYOD devices.
- Clearly lay out what costs will be covered by the company and technical support on offer.
- Have an offboarding process ready for any outgoing employees, ensuring any data and permissions are removed from devices, with companies having the ability to remotely wipe a device as part of a BYOD Acceptable Use Policy. This will also come to use in the case of misplaced devices.
Garrett O’Hara is the APAC field CTO at Mimecast.
iscover
Garrett O’Hara
