Managing BYOD: Best practices
BYOD is dying. It’s not that people no longer bring devices to work. It’s that everyone brings their devices to work. Whether you use BYOx (bring your own everything) to describe this phenomenon or some other term, there are important concerns to be addressed.
For example, will you be providing devices to all employees, some employees (e.g., managers and executives) or no employees? How will user-owned devices connect to the network and how do you ensure personal and corporate data separation? What about company-owned devices and who owns, and thus has free access to, the data stored on them? And what happens when a device with company data or the ability to connect to the company network is stolen?
The answer lies in a comprehensive mobile device management policy, a way to easily add and remove data and network access from mobile devices, and an ability to safeguard enterprise data through two-factor authentication and sandboxed applications.
Supplied vs. BYO
Supplying some or all employees with the mobile devices they need is the fastest way to resolve security issues: the phone or tablet is completely under the control of your IT department, can be locked down to corporate use only and can be wiped on demand if required.
Drawbacks include the expense and the employee’s degree of understanding that the device is not theirs. Initial awareness that it’s a corporate device is high, but the longer it’s in someone’s possession the more they tend to forget. This can lead to confusion, with non-business contacts, photos, etc. ending up on the device and potentially problematic downloads (e.g. games that may not be benign from a security standpoint). Data confusion in itself can lead to privacy concerns, and with the introduction of new controls such as the European GDPR proposals, companies need to have well-thought-out policies in place to manage these devices.
One problem is that most companies’ corporate IT policies were written so long ago that they don’t cover today’s working environment in which employees regularly access enterprise systems from home and from the road, sometimes from multiple devices. The best way to mitigate risk around supplied devices is to have users read, understand and sign a comprehensive policy that outlines who owns the device, what use is allowed, what is not allowed and the consequences for not following the company’s rules.
Advantages to having employees use their own devices for work include potentially lower costs and convenience for employees, such as not having to carry two devices.
However, there are a multitude of potential security and data management pitfalls. The company email system and enterprise systems must be securely accessed, company data on the phone must be secure and strict data migration policies must be in place (i.e. don’t transfer company data to an insecure location). Finally, the company must be able to lock and then wipe the device should it be stolen.
Let’s go phishing
There are two main security issues with mobile devices: malware and phishing. Protecting against phishing is, first, a matter of employee education. Although it’s sometimes difficult to identify a phishing message (the email may appear to come from the employee’s legitimate contact), making employees hyper-aware of abnormalities in emails can go a long way toward reducing risk.
Protecting against malware is strictly the responsibility of IT -- often, the user is unaware that their device has been infected. It’s essential to use a robust threat detector and to keep devices updated with the latest OS, the latest patches and strong anti-virus applications. This requires enforced application deployment and monitoring as well as automated patch management across the device estate.
Here are further steps to consider:
- Use an identity access management solution that provides two-factor authentication. This prevents a thief who has a cached password on the device from accessing your enterprise data.
- Move to encrypted email, since cloud-based email is a prime target for thieves looking to capture sensitive data.
- Create and maintain access control lists that define which users, devices and apps can access which areas of the network, thus limiting the areas a compromised device can access.
Building a sandbox
An excellent way to protect mobile devices, regardless of who owns them, is to sandbox as many applications as possible -- securely separate them from the operating system as well as from other applications. For example, instead of using the mobile device’s built-in email application to connect to corporate email, IT installs a sandboxed email application. The app lets users read and respond to emails online rather than downloading email onto the device. Access to mail can be controlled remotely and the application can be disabled or removed on demand.
There are currently sandboxed applications for contact databases, email and documents. The uses are different, but the principle is the same: access data/documents online so they are never downloaded onto the phone. Deployment and securing of sandboxed applications happens via a mobile device management solution that allows IT to easily delete the apps from a corporate or personal device if it is lost, or from a personal device when someone leaves the company.
The ability to delete business-related apps from an employee’s personal device and to completely wipe all data from a stolen device is essential to every company’s security. It’s critical to set up procedures that consider every circumstance, including:
- An employee’s personal device with company data/access on it was stolen
- An employee’s corporate phone was stolen
- An employee gives notice: IT needs to ensure he/she no longer has access to company systems after his/her last day of employment
- An employee with a personal device used for business suddenly leaves the company
- And the big one -- ensuring the children of an employee cannot accidentally access or delete corporate data when given the phone to play games on.
Today’s technologically complex, highly mobile world dictates a multi-pronged approach to mobile device management that includes:
- A flexible, frequently reviewed mobile device management policy that is understood by all employees
- A strong mobile device management system that lets IT quickly and easily act in the case of a security breach or device theft
- Protecting enterprise systems by using sandboxed applications on mobile devices
Ian van Reenen, vice president of engineering, endpoint products at Autotask.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.