“What’s mine is yours and what’s yours is mine” is an old idiom, which is often used to express generosity in relationships. In friendships and the family dynamic, people freely share their items with each other. However, can this approach work in the employer/employee relationship, to benefit a business?
We are now in the information age, in which almost everyone has access to a digital device. In the workspace, employers reason that employees could work faster while using their own tech devices. And, one way that businesses are capitalising on this, is by implementing a “Bring Your Own Device” (BYOD) policy. This allows employees to take and use their own devices at work. A practical solution, it is affordable, encourages efficiency and increases productivity.
BetaNews suggests that the BYOD market is on course to hit almost $367 billion by 2022, up from approximately $30 billion in 2014. If this trend continues, the BYOD culture will soon become more popular in the Jamaican society. Along with the “pros” to be considered are the “cons” that point to an increased information security risk. Let’s explore how local companies can best prepare for the BYOD tech pandemic.
THE PROS & CONS OF IMPLEMENTING A BYOD POLICY
Collin Burgess, IT Infrastructure Manager at MC Systems, maintains that, “BYOD policies are set by companies to allow employees to use their personal smartphones, laptops, and tablets for work. While it can help to set businesses up for success, there are several disadvantages to consider.”
Some of the pros of the BYOD policy are that it benefits companies by allowing them to:
● Save on purchasing and replacing technology, by eliminating the time it takes for new employees to learn new devices and operating systems
● It contributes to the improvement of employee morale
● Employers benefit from the latest technology due to personal upgrades
THE CONS?
● More complex IT support for disparate devices and operating systems,
● Higher security risks, potential loss to employee
● Company privacy, data leakage, and some employees may not have their own devices.
SECURITY
It seems that the greatest concern for employers, who implement a BYOD policy, is security risk. Although the policy is equally as beneficial for employee and employer, the employer faces increased information security risk, due to possible data breaches and increased liability for the organisation. To avoid dangerous security breaches, companies will need to establish in-depth security programmes and implement detailed clauses in the company’s BYOD policy.
Burgess further explained that the BYOD policy should address basic considerations, such as the goals of the BYOD programme, which devices will be supported; and the access levels that employees are granted when using personal devices. Beyond those factors, more in-depth considerations for BYOD policy should include:
● Who will pay for the devices and data coverage required?
● What regulations (government, industry, or otherwise) must be adhered to when using employee devices?
● What measures (configuration, software installation, etc.) will be taken to securing devices prior to use?
● Where will data from BYOD devices be stored (locally, in the cloud, etc.)?
● Will there be an agreement for employees who wish to bring their own devices?
● What happens if an employee violates the BYOD policy?
● What privacy will be granted to employees using their own devices?
● What support (software updates, troubleshooting, maintenance, etc.) will the organisation provide for BYOD users?
● What safeguards are in place if a device is compromised?
● What methods will be used to secure devices before they are retired, sold, or disposed of?
10 TIPS FOR SECURING DEVICES AND REDUCING BYOD RISKS
To further secure devices and reduce risks, Burgess offers 10 tips for companies:
1. Use Password Protected Access Controls: It may seem obvious, but setting a password/access PIN is a critical first step in BYOD security that many users choose to ignore. Passwords should be unique for each device/account and should not be generic or easy to guess.
2. Control Wireless Network and Service Connectivity: Wi-Fi and Bluetooth connectivity should be turned off when not in use, and employees should only connect their devices to trusted networks. Devices should be set to prompt users before connecting to networks so that employees aren’t unknowingly connecting to unsafe networks.
3. Control Application Access and Permissions: Many devices have built-in access control features. Organisational IT and security teams should assist users in optimising their access control and app permission settings so that each application can access only what it needs to function and nothing more.
4. Keep OS, Firmware, Software, and Applications Up-to-Date: Users need to ensure that all of their devices’ OS and other software are updated in real time. This is a critical step, because software updates often contain security patches to protect users from the latest threats or exploits.
5. Back-up Device Data: All enterprise users should periodically back-up the data on their devices. Backing up data in conjunction with having security and recovery procedures in place will greatly reduce the fallout should a device be lost or stolen.
6. Enroll in “Find My Device” and Remote Wipe Services: All BYOD devices should be subscribed to a device locator service. In addition to being able to track a missing device, these services usually have the ability to wipe a device remotely, a critical last-resort measure for ensuring BYOD security in the event of a lost or stolen device.
7. Never Store Personal Financial Data on a Device: Employees should avoid saving any financial or otherwise sensitive data on their devices. This precaution ensures that confidential data is safe even if a device gets compromised.
8. Beware of Free Apps: Many free applications have been found to track users and share user information with advertisers or other third parties. Enterprise users should review app permissions prior to downloading and download only from trusted publishers. IT and security teams can assist employees by providing lists of applications that are approved for download.
9. Run mobile antivirus software or scanning tools: There are many commercially available antivirus and security applications that scan and protect devices from common threats. IT and security teams should assist employees in selecting and installing antivirus software prior to using their devices at work.
10. Use Mobile Device Management (MDM) Software as Recommended by IT: Many IT and security teams use Mobile Device Management (MDM) software for securing devices. Mobile device management software enables IT teams to implement security settings and software configurations on all devices that are connect to company networks.