Reducing security risks when staff uses personal equipment for work
When it comes to work, employees are often more comfortable using their own devices, from mobile phones to laptops. It can also mean cost savings for employers when they don’t have to pay for additional computers or phone lines for their staff. This is especially timely given that so many people are now working remotely outside of the office due to COVID-19.
While there are benefits to allowing your employees to utilize their own devices for work purposes, there are also security risks. Here, ORAM Corporate Advisors takes a look at how businesses can diminish the security threats associated with the trend of bring your own device (BYOD).
Develop a BYOD Policy
If you decide to allow employees to utilize their own devices for work tasks, you need to develop and implement a BYOD policy for your workplace. Start with outlining which devices employees can use for work under which circumstances. This policy should also cover what types of information can be accessed with personal devices and how different types of information should be stored.
Be sure to include any stipulations about how and when employee devices should be utilized for work purposes and be sure to outline any restrictions. Finally, outline whether employees are eligible for partial or full reimbursement for BYOD devices such as mobile phones.
Synchronize File Saving & Instate Email Resilience
One of the most effective methods for ensuring data security is to use file synchronization. This can be done using Dropbox, a Box account, or other software. With synchronized file saving, a copy of the data exists outside the device, so if a device is breached, lost, or stolen, extortion attempts can be thwarted. The data also remains accessible for work purposes, which helps ensure business continuity.
Another security measure you can take to protect your business against BYOD threats is to instate an email resilience program. Targeted attacks can use malware to gain unauthorized access to your network, which can be easier for hackers when your employees are using their private devices for work purposes. By instating an email resilience program, you can help protect your business data on both company-owned and BYOD technology.
Decide Who Is In Charge
In addition to the aforementioned BYOD policy guidelines, your policy should also include who is responsible for various aspects of BYOD use. Determine who is responsible for providing support for BYOD devices. Consider issues such as regular security updates and repairs for a damaged device. Does that fall on your IT staff or the employee who owns the device? If it is covered by your IT staff, what hours are they able to provide support? Who will be in charge of device administration and management?
Be sure to outline what the employee’s responsibilities are including what they can and cannot do with their device in regard to their work. For example, can they loan it to another employee or friend? What apps can they use to access company networks and data? What should they do if a device is lost or stolen? How do they shut down and dispose of an old device that may harbor access to the company network or data?
Require Certain Security Settings
Though the device may not be owned by your organization, if an employee is using it for business purposes, you can require employees to use certain security settings on each device. Every device should employ a password to unlock it. This can be a complex password, code, or pattern, or the use of biometrics such as a face or fingerprint. The security on each device should also be set to wipe it if too many incorrect passwords or biometrics are entered.
Another smart security setting to add to each device is a customized display message in the event a device is lost. For example, you may require employees to add a lock screen message that reads, “If found, please call (XXX) XXX-XXXX.” Each BYOD device should also utilize encryption, especially for removable storage cards that may contain business data, as well as anti-malware protection. Educate your employees about apps that may pose a threat and should not be downloaded on the device while it is used for work purposes.
As with all businesses, ORAM highly recommends including ongoing employee education about cybersecurity. This is just as imperative for BYOD. Train your staff regularly about security threats and ways they can reduce the risk of a data loss that can damage your company’s reputation or bottom line. Teach them how to find a lost device whether it’s an Android or Apple product. Share best practices for their devices as well as tips for using them for work. Your IT department or ORAM can conduct these trainings, which should be held at least every quarter if not on a monthly basis.
Employ Mobile Device Management
Ask your IT department or contact ORAM Corporate Advisors about which mobile device management (MDM) software they recommend for controlling BYOD devices in your workplace. With the right MDM in place, your business can have a centralized means for establishing controls and settings for BYOD. Such MDM can allow you to determine which devices can connect and access company networks and data, block applications that could put your business at higher risk, and restrict the use of cameras and microSD cards.
Another great thing about utilizing MDM is that you can review mobile device usage, connections, and operating system details. If a device hasn’t connected for a given amount of time, you can remove its ability to access your network and data. This will also be helpful should an employee leave the company.
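As an added illustration (not ORAM's code and not any MDM product's API), the Python sketch below checks a device inventory against the settings required above and flags devices that have stopped checking in. The field names, the 30-day staleness threshold, and the sample rows are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # assumed; the article only says "a given amount of time"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible

# Constructed inventory rows; field names are hypothetical, not a real MDM schema.
DEVICES = [
    {"id": "phone-01", "passcode_set": True, "wipe_after_failed_unlocks": 10,
     "storage_encrypted": True, "sd_card_encrypted": None, "anti_malware": True,
     "lock_screen_message": "If found, please call (XXX) XXX-XXXX",
     "last_checkin": "2024-05-30T08:00:00+00:00"},
    {"id": "tablet-02", "passcode_set": True, "wipe_after_failed_unlocks": 0,
     "storage_encrypted": True, "sd_card_encrypted": False, "anti_malware": True,
     "lock_screen_message": "", "last_checkin": "2024-05-28T12:00:00+00:00"},
    {"id": "laptop-03", "passcode_set": True, "wipe_after_failed_unlocks": 10,
     "storage_encrypted": True, "anti_malware": True,
     "lock_screen_message": "If found, please call (XXX) XXX-XXXX",
     "last_checkin": "2024-03-15T09:30:00+00:00"},
]

def findings(device, now=NOW):
    """Return the policy gaps for one device; an empty list means compliant."""
    gaps = []
    if not device.get("passcode_set"):
        gaps.append("no unlock password or biometric")
    if not device.get("wipe_after_failed_unlocks"):  # None or 0 means wipe is disabled
        gaps.append("wipe after failed unlocks disabled")
    if not device.get("storage_encrypted"):
        gaps.append("device storage not encrypted")
    if device.get("sd_card_encrypted") is False:     # None or missing: no card present
        gaps.append("removable storage card not encrypted")
    if not device.get("anti_malware"):
        gaps.append("no anti-malware protection")
    if not (device.get("lock_screen_message") or "").strip():
        gaps.append("no lost-device lock screen message")
    last = device.get("last_checkin")
    if last is None or now - datetime.fromisoformat(last) > STALE_AFTER:
        gaps.append("stale: no recent check-in")
    return gaps

def access_decisions(devices, now=NOW):
    """Map device id to ('allow' | 'remediate' | 'revoke', gaps); stale devices are revoked."""
    out = {}
    for d in devices:
        gaps = findings(d, now)
        stale = any(g.startswith("stale") for g in gaps)
        out[d["id"]] = ("revoke" if stale else "remediate" if gaps else "allow", gaps)
    return out
```

A missing field is treated as a gap rather than as compliant, so a device that stops reporting a setting does not silently pass.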
Have a Plan If Something Goes Wrong
Your company needs a plan in place to deal with data breaches on a BYOD device just as you would if the device had belonged to your business. Whether a BYOD device encounters malware, suffers a data breach, or is stolen, you and your employees need to know how to handle it immediately. Make sure employees know to take any device they believe has been compromised to your IT department as soon as possible.
When to Avoid BYOD in the Workplace
There are some industries that are more heavily regulated by the government than others. For example, the financial, healthcare, and manufacturing industries tend to be more heavily regulated and, therefore, require even tighter security than a mom and pop bicycle shop.
If the security risks for your industry are too high or if it is heavily regulated, it’s best to put the kibosh on BYOD and provide company-owned devices to every employee. The money spent on devices for each staff member will pay for itself in better security and regulatory compliance.
Should your business need assistance with developing and implementing a BYOD policy or with IT support, contact ORAM Corporate Advisors today at (617) 933-5060.