Allowing employees to work on their own laptop or mobile phone can boost morale and productivity but is it worth the security risk? A BYOD (bring your own device) policy is a cost effective way to give employees more autonomy and control over their work experience. It allows employees to have a more flexible schedule, work more efficiently (Mac users don’t have to make the awkward, time consuming transition to a PC and vice versa), and work remotely, opening up the job pool to a wider range of potential candidates and increasing employee retention.
Related post: Are Macs Really More Secure Than PCs?
These are all great benefits of adopting a BYOD policy but the downside could cause real damage to your company. As we outlined in a past post about the internet of things, the convenience of a connected world comes with a price. As it relates to your business, the more devices you allow to connect to your company’s network, the more at risk you are of a data breach. Fortunately, you can mitigate that risk with a smart plan in place. If you’re considering opening the door to personal devices, we have some actionable tips for creating a comprehensive BYOD policy.
What to include in your BYOD policy
To protect your company from a data breach, creating a comprehensive BYOD policy is crucial. This policy should be read and signed by all employees using personal devices and should be updated regularly as IT security recommendations evolve. Here are 9 steps to creating a comprehensive BYOD policy that will reduce the risk of a data breach:
1. Register and authorize each device
When you decide to allow employees to use personal devices for work-related activity, first and foremost require that each device is registered and authorized for use. This allows you to implement preventive measures, such as IT access to the device in the incident of a data breach, saving your company from a network-wide hack.
2. Install Mobile Device Management (MDM) Software
Now that every employee’s personal device is registered, install MDM software to give your IT department access. If there is a data breach, IT may revoke access to the network on these devices and if the device is lost or stolen, IT has permission to clear all data from the device in order to protect company data. MDM software also allows you to manage the device’s application settings, ensuring data is encrypted when an employee uses an outside messaging app. Last but not least, it ensures that when an employee is terminated, you have the ability to revoke access to the company server.
3. Create a secure company app
In an article on the Digital Guardian, Klaus Brandstatter, Managing Director of HOBsoft, suggests providing a “company-issued mobile app that uses an encrypted connection to communicate directly with corporate servers, granting employees a convenient, user-friendly mechanism for secure remote access.” This means the employee can access their work contacts, email, calendar and notes all within the password-protected app. Furthermore, the data is only on the device while the app is active so that if the device is stolen, there’s no sensitive data available to hack. It all remains safely on the company server.
4. Require two-factor authentication
When logging into the company network or database, you should require two-factor authentication to improve security. This way, even if a hacker figures out the password, there’s a second layer of security to get through that requires access to yet another device.
5. Review password guidelines
Make sure your employees are familiar with and implementing the most current password guidelines. Setting strong passwords should be standard practice in your company for work email accounts, access to the company network, database, and any other work-related platforms.
6. Invest in a VPN
You should also lay out policies for how to connect to Wi-Fi when accessing the network remotely. We recommend investing in a paid Virtual Private Network (VPN) for employees working remotely. If your company already has an existing VPN infrastructure, make it mandatory that remote workers use that VPN when connecting to Wi-Fi outside of the office. A VPN provides an encrypted connection between the employee’s device and your company server, allowing the employee to securely connect to a public internet connection.
7. Centralize your data
In order to avoid employees downloading company documents and sharing information through insecure outlets, store all company data centrally and grant access to active employees. This will eliminate the need for employees to store company data on a personal hard drive or smartphone. Keep data in the cloud and make it convenient for employees to access so they’re not tempted to download the data to a more flexible program.
8. Limit access
Centralizing your data makes it much easier to provide access to employees but you don’t have to allow everyone to have access to everything. For example, Jerry from HR doesn’t need access to the financials and Sharon from finance doesn’t need access to sensitive HR docs. This selective access prevents a hacker from gaining access to all your company data in the case of a breach.
9. Educate employees about phishing scams
Phishing and spear phishing attacks target both large and small-scale companies. These attacks use an email sent from a trusted sender to lure the victim into clicking a link to a malicious website or downloading an infected attachment. Preventing a data breach starts with educating your employees. Make sure they know how to recognize a phishing scam with KnowBe4, a training tool we use at Pagoda to improve cybersecurity across entire teams.
10. Keep software up to date
When employees fail to update their operating systems, software, and apps, they make themselves vulnerable to malware. Updates include the latest security patches (a software update that corrects a vulnerability in the system) which protect against cyberattacks.
Creating a comprehensive BYOD policy is an important first step towards protecting your company against a security breach. The next step is ensuring all employees understand the policy and how to implement it. Lastly, you need to effectively enforce the policy. This requires monitoring your employee’s activity with the MDM software. If you notice an employee violating any of the terms of the BYOD policy, you have the opportunity to provide further education and training before revoking access to the company network. You may feel strange monitoring an employee’s personal device, but the alternative is opening your company up to a major data breach.
Have more questions about implementing a BYOD policy in your company? We’re happy to talk with you about the pros and cons and recommend additional best practices. You can also check out the following related posts:
How to Build a Disaster Recovery Plan
Security Tip: Cybersecurity for Electronic Devices
Best Practices for Securing Your Devices While Traveling
Want IT to serve you better?
Need ongoing IT support for your business? Contact us for a free consultation. We’d love to work with you!
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
About Pagoda Technologies IT services
Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.
