BYOD security considerations: How to create a policy that works

Feb 24, 2015

These days, it’s clear that BYOD practices have moved past their buzzword phase and are here to stay. In fact, BYOD is poised to become even more widespread in the coming years with the emergence of wearable devices. According to Gartner, 50 percent of all interactions with mobile apps will come as a result of wearable device usage within the next three years.

However, as BYOD becomes more commonplace within offices around the world, a widespread challenge is emerging: Many organizations are supportive of the use of mobile hardware for work, but have no way of governing these activities. Recent ITIC research shows that 65 percent of companies allow BYOD in the workplace, but a surprising 43 percent don’t have an overarching BYOD policy. If this trend continues, it could lead to significant problems in the corporate sector, especially where information protection and BYOD security threats are concerned.

“A BYOD policy document serves as the bedrock for solid security enforcement and a backstop for legal protection,” noted InformationWeek contributor Ericka Chickowski. “Without the policies in place, IT is forced into an ad hoc approach to managing device activity and user access, which could keep the BYOD program from supporting business goals such as improving sales teams’ efficiency.”

To avoid these issues, decision-makers should institute guidelines for BYOD governance without delay. The policy must be crafted carefully, however, so that it can tackle emerging BYOD security threats while still allowing employees the flexibility to collaborate and be productive with one another on a mobile platform. To help administrators craft a BYOD policy that will better their business, here are a few areas to focus on:

Specify the separation between personal and corporate data
One of the biggest challenges with BYOD practices is often maintaining a clear separation between employees’ personal content and the information they need for work. This divide becomes essential when the company uses remote device wiping capabilities for security purposes. TPD noted that decision-makers must think about this aspect and specify whether employees may access business data only via enterprise applications and cloud systems, or whether they can openly store and make use of these resources.

Outline what devices are allowed
Organizational leaders must also consider whether they will allow any device and operating system to be used for company purposes, or whether they’d like to specify the types of hardware and software used. This could mean prohibiting Android devices, as they have been known for attracting mobile malware. ZDNet recently noted that Apple’s new iOS 8 has certain features that make it especially attractive for corporate use, including message encryption, enhanced cloud support and better data management controls. Administrators should consider this before crafting their BYOD policies.

Detail approved applications
Another important aspect to focus on is which apps will be allowed for business use. Many consumer-level applications do not include the strong security measures enterprises need to ensure the safety of sensitive data. In fact, the use of such programs, especially when sharing files online, can open the door to cybercriminals and data leakage. Instead, decision-makers should include a list of applications, including a secure file sharing platform, that employees are permitted to use. This will not only reduce shadow IT within the organization, but will prevent company information from falling into the wrong hands.

BYOD policies are key to ensuring that a business’s mobile strategy is successful and serves to further its prosperity instead of creating additional security risks.

Category: Data Security