Cybersecurity owns the headlines on a weekly basis and for good reason. Data theft shows no signs of stopping, making security paramount. Cybersecurity extends beyond your mainframe, including mobile and employees alike. Read on to check out our Bring Your Own Device (BYOD) security checklist and best practices.
What Bring Your Own Device Means To A Workplace
Bring Your Own Device or BYOD checklist is a concept that offers a bounty of upsides but a catastrophic downside if it’s not carefully deployed. Every business should have a BYOD security checklist in place, even if they don’t allow their employees to use personal devices for work. It would be painfully naive to think that all BYOD threats are eliminated because a company doesn’t allow work to be done on employee personal devices.
What Not To Do With Your BYOD Checklist
To assume that a blanket “no” solves all your BYOD problems is nonsensical. For that to work, all your employees would never use their phones at work and consciously go out of their way to limit data connections to their personal devices. You’re more likely to have an employee communicate through morse code than that to occur. Employees, for the most part, do follow the rules and regulations set forth by their company.
They often don’t consider the larger information security environment and extrapolate how their benign personal device actions could affect the company. It is up to the employer to lay down what is expected of employees from a technical security perspective.
Risk Vs. Reward
The world has changed drastically and you don’t have to look further than your omnipresent personal device to see that. As the Microsoft commercial tells us, “Today, right now, you have more power at your fingertips than entire generations that came before you. That’s what technology really is.”
Enabling your workforce to take advantage of all that power at their fingertips supercharges your business. Studies show that BYOD offers the following benefits:
- Happier Employees: Who would be pleased to have their personal device use restricted for eight hours at a time?
- More productive employees: Employees working longer, more effectively and more often when companies allow them to use their personal devices for work.
- A higher stock price: Put a happier and more efficient workforce together and what do you get? A company that is producing at its peak.
- Decreased Costs: Allowing personal devices lowers overhead.
While technology has offered us the ability to get work, play and everything in between done on the go, it also poses a serious security threat. Naturally, there are some downsides to BYOD as well. They are as follows:
- Lack of Uniformity: Apple vs. Android, PC vs. Mac, this lack of uniformity can create a headache within the workplace.
- Security Issues: BYOD gives security managers less control over company data access due to an overwhelming amount of devices. It also creates difficulty when trying to determine who is accessing what from where.
- Employee Privacy: Security and privacy rarely go hand in hand. Often, to properly secure your information security system, user privacy is limited. Generally, employees would prefer their employers not have access to what is on their personal devices.
- Legalities: Who is at fault for what can become a dicey proposition when it comes to BYOD. Nailing down your policy is very helpful in avoiding ugly litigation.
Utilizing the massive upside technology provides while protecting your business against potential fallout is key to getting ahead in today’s fast-paced world. BYOD adoption rates, according to analysts, are somewhere between 40%-75% and climbing. The last thing any business wants is to be left behind as the competition zooms by. That’s why RSI Security is here with a helpful BYOD security checklist and best practices.
Bring Your Own Device Security Checklist
A good start to any information security protocol is a checklist.
1. Prioritizing Data
The first and most important step in creating a BYOD security checklist is to map and understand your information network. Sure, you could find a one size fits all BYOD policy but the chances of that working to specifications are nil to none. The most important aspect of digital security is to understand that there is no such thing as one size fits all. Every company deals with different types and levels of sensitive data. It’s also true that not all of your employees need access to everything all the time.
Therefore, it’s paramount to catalog and store information based on what’s important. The most sensitive and potentially damaging information should be held apart from what employees need to properly do their job. Often, there is a grey area between what an employee needs and what information is considered sensitive. In these situations, we recommend always prioritizing security.
When it comes it comes to digital security, instructions must be clear, concise and laid out in no uncertain terms. Assuming your employees understand the importance of password strength, intermittently changing passwords is a mistake. Nothing should be taken for granted. Here’s an example of a good starting point for a BYOD security checklist:
- Ensure that end users understand their responsibility to back up and securing data.
- Delineate responsibility for device maintenance and support.
- Distribute a list of the company’s blacklisted and approved apps. Require users to delete any blacklisted apps.
- Disable access to the network if a device is found to download or contain a blacklisted app.
- Outline the consequences of failure to follow the protocols set by the company.
Understand that this is just a starting point. Creating a strong BYOD network that is efficient and safe requires more than handing out a syllabus. Employees must be made absolutely clear about the potential risks and damages relating to their mobile use.
3. Consider A Mobile Device Management System
Mobile Device Management (MDM) systems help companies track and oversee the mobile use of their employees. Some employees push back on mobile device management as it can infringe on their privacy.
Thankfully, not all MDM systems track every individual move on a device. More and more MDM systems are offering a tailored structure that only tracks the data that employers need. As Jonathon Dale of Blue Bell says, “We’ll always have to manage devices; we’ll always have to manage users, but what we manage about them can be narrower.”
Adjusting what your MDM system sees helps both employers and employees feel safe and secure. John Marshall, CEO of AirWatch, an Atlanta based MDM, explains the approach, “If you’re just managing apps or content, there’s no way you can make a mistake and see or wipe personal data. This approach generally allows a company to extend BYOD to a much larger audience.”
4. Specific Bring Your Own Device Policy Options
As we stressed earlier, no digital security system should work as a one size fits all. This is especially true for BYOD programs. One popular option within companies trafficking terabytes of sensitive information is Fiberlink’s Maas360 Software as a Service (SaaS)-based MDM product. Instead of creating a laundry list of elements employees must be aware of, this system sends them to an enrollment portal.
From there users must cede a measure of control to the system. It also gives employers the power to remotely wipe a phone, which is crucial for highly sensitive information. In the financial industry, 25% of security breaches are caused by a lost or stolen device.
5. Secure And Functional Beats Complex But Impossible
As with most complicated endeavors, the devil is in the details. According to Ahmed Datoo, chief marketing officer of Citrix Inc.’s Zenprise MDM unit, “Many people want to treat smartphones like desktop extensions. This is a disaster in practice. Smartphone users don’t have the patience to tap in eight-character passcodes, including caps and numbers—especially given frequent re-entry. All it takes is one device wipe accident and users will start removing [IT-managed controls].”
More than a quarter of the 500,000 accounts watched by Fiberlink MaaS360 control don’t require passcodes. Another 69% only require codes less than 7 numerical digits. Only 2% of controls require a traditional passcode. Yes, this does make hacking the codes slightly easier, however, enforcing stringent passcodes to be repeatedly entered on mobile is unrealistic.
Many employers are utilizing selective BYOD policies. For instance, encryption is standard for iPhones, iPads, BlackBerrys and brand-new Windows 8 phones. However, only a subset of android devices requires encryption. Instead of encryption, sensitive information is held in a secure data container or use self-encrypted/authenticated sandboxed applications.
6. Less Is Sometimes More
The fears of cyber breaches are extremely valid. Capital One was recently looted to the tune of 100 million people’s personal information, one of the largest security breaches in United States history. People who merely applied for a Capital One Credit card and got rejected were even at risk from the breach.
Nevertheless, going nuclear on all aspects of your information security can often end up with diminishing returns. For example, selective wipes of mobile devices have become more and more common as companies realize the downsides of full data wipes.
Keeping wipes only to corporate data, apps and settings allow management to sleep at night while not disturbing the day to day activities of employees. Also, full wipes remove mobile device management control, monitoring and kill the possibility for minor digital mediation. Sometimes, those minor fixes are key for uncovering larger cracks within an information security system. Starting with user and IT notifications and escalating from there is a more reasonable approach.
Most employees can understand the security needs of a company without raging at oversight if it’s not overbearing. According to Datoo, “If you look at blacklisted apps, they’re either games or sharing apps like Dropbox. Step back and consider why users download these. They aren’t looking to bypass security; they’re just trying to be productive. IT should think about how to meet those needs more securely, such as letting devices link to SharePoint docs, surrounded by data leak prevention.”
BYOD Security Checklist Summary
Unfortunately, the lightning-fast pace of technology today works as a double-edged sword. Never before have we been able to accomplish so much on our phones. Our handheld oracles are hundreds of times more powerful than the computer used to land the Apollo 11. That draw of such incredible computing can lead us into scary territory, especially if you are a business handling any amounts of secure data.
The seemingly endless trail of news stories detailing the latest security breach should clue us to the potential risk of conducting sensitive business on our mobile devices. However, as we move forward, forbidding employees from accomplishing any work on their mobile devices will become a non-starter. Therefore, it greatly behooves companies to find a middle ground and that starts with a comprehensive Bring Your Own Device to work policy.
The first step for any company is to secure the data that matter most.
It’s helpful to think of any sensitive data as anything that would be considered valuable to someone else, specifically hackers. The majority of the largest security breaches are derived from people’s credit cards and banking information. Naturally, hackers can easily make use of thousands and thousands of credit card numbers.
Other vital information pertains to proprietary information. A recent news story of that ilk relates to Anthony Levandowski. The infamous Uber engineer stole proprietary information from his previous employer which he sold to Uber for millions. Unfortunately, the only means of keeping such information safe from current employees is simply knowing who to trust.
That employer, Waymo, never should have trusted Levandowski with any sensitive information but, of course, hindsight is 20/20. However, logging and recording all processes relating to sensitive information is a great start. The fact that Waymo can prove that Levandowski stole such information will likely be worth many millions of dollars in court.
The second step is the most boring and yet the most effective: education.
Instilling proper security practices and consequences in your employees is the most effective means of protecting yourself from security breaches. There will always be the possibility of hackers finding another way into your system. However, at least you can protect the company from shooting itself in the foot to the tune of millions of dollars.
Another tool in the BYOD security checklist is the Mobile Device Management (MDM) System. They come in different forms and varying degrees of security. Understanding the right MDM for your security needs helps keep employees happy and productive while minimizing the potential security risk.
Cybersecurity risk is inherent to the fast pace 24 hours a day, 365 days a year business cycle. Regrettable ignoring the potential risk only increases the chance you’ll deal with information security issues. RSI Security understands the ins and outs of cybersecurity and has been helping companies keep their data secure for over 10 years. Contact RSI Security today for more information on how you can stay safe today.