By Jeff Schmidt, Global Head of Business Continuity, Security and Governance, BT Global Services
Let’s face it: there’s no use fighting the Bring Your Own Device (BYOD) trend. While it may be the stuff of nightmares to IT departments, BYOD is here to stay.
For the most part, the IT manager’s fears are real: unknown devices connecting to the network, increased chance of security breaches, loss of data and compliance infringements, and a loss of infrastructure control are all risks that sneak in the door along with unauthorised devices.
Compounding the worries is the fact that BYOD is further entrenched in the workplace than IT managers believe. BT’s ‘Rethink the Risk’ research shows that the expectations of employees contrast with those of IT staff. While company-sanctioned BYOD use is generally high, the level of use reported by employees is higher than IT managers acknowledge.
So what’s an IT manager to do? Say “yes” to BYOD. Embrace it. Draw it into your overall mobility and security policies and make it work for you.
How to get to “yes”
First, consider the end users’ reasons for wanting to bring their own devices into the workplace. They’re comfortable and happy with the device (after all, they bought it). They like the convenience of integrating their personal and work lives; there is no longer a wall between the two. For some, there’s a sense of status and style that comes with having the latest technology. Whatever their reason, using their own device is likely to improve their productivity and job satisfaction.
But how you get to “yes” is crucial. The key is to focus on securing corporate information rather than the device, and to establish continuity in security policies across laptops, tablets and smartphones, and across personal and corporate devices alike. Corporate security policy, not device policy, is what matters.
Educating your employees about security is essential. In many cases, it is a user who is unaware of the process and policy who ends up exposing the company while trying to do the right thing. It doesn’t take a lot to explain why policies are in place and why they matter to protecting corporate data. When someone understands the rationale behind a policy, they are more likely to steer clear of actions that could harm the company and its assets.
Eight essentials for a BYOD policy
1. You can’t control the end point, so you’ve got to control the gateways between the end point and the network. The best way to do this is by encrypting sensitive data and employing strong authentication to validate users.
2. Explain your policy and the reasoning behind it to gain acceptance and compliance.
3. Enforce a strong authentication policy, including passwords.
4. Use a mobile device management system, allowing administrators to set policy and then apply that policy across multiple device platforms.
5. Get users to agree in writing to a remote wipe of their device in the event of loss, decommissioning or theft. Also get their agreement to password requirements to access corporate email and general file shares.
6. Look after your data: classify it so that access is appropriate to the user. Encrypt commercially sensitive data. Monitor network traffic on a 24/7 basis to detect threats and understand events.
7. Establish a clear, mandatory process for revoking access to your gateways when a user leaves your organisation.
8. Incorporate a spirit of constant review into your BYOD policies to make sure you’re staying ahead of the consumerisation wave and continually making it work to your advantage.
With BYOD, the more you seek to constrain users, the more they will actively work against you, finding alternative ways to achieve their aims. So treat it less as an IT policing issue and more as a business risk-management question, and you’ll sleep better at night, with fewer security nightmares.