Letting employees’ personal phones, tablets and laptops loose within your corporate network does not sound like a good idea. But that doesn’t mean you can avoid it.
BYoD, or Bring Your own Device, refers to a policy which oversees employees using company networks and data on personal devices. IT staff are often wary of such policies, but management seem to like them as they allow for a more streamlined workflow and a reduction in the sizeable cost of buying and maintaining IT equipment.
Only 49 percent of UK organizations have installed formal BYoD policies, according to SailPoint’s most recent market survey. Of course, this doesn’t mean that employees are not using company networks with their own devices; it merely means there’s no policy to manage and control that process.
Fears around BYoD are not unfounded. Phishing links, bad intentions and everything in between reinforces the old cliché that humans are the weakest part of any organization. It is entirely understandable why an organization would be afraid of allowing an employee’s device as well as its applications and data onto a corporate network. Still, if you want a secure organization, they’re also a critical part of the solution.
Those fears are not doing anything to stop an increasingly mobile workforce nor the fact that network perimeters are quickly moving out of view.
A draconian ban on personal devices won’t halt their use any more than unhinged allowance of personal devices will deal with threats to your network. Both extremes are childish options for a modern company and should be flatly ignored. A sensible way between means, both accepting the reality of personal devices in the enterprise environment and crafting strategies to enable this new functionality, while shielding yourself from the threats it brings. It means getting a policy in place to handle this new reality.
So what do you need to think about when coming up with a BYoD policy?
How you’re going to protect your critical data assets from mistakes, insiders and criminals is entirely dependent on what those critical data assets are. Design cars? Then you’ll need to be protecting intellectual property going in and out of your organization. Sales teams will want to protect client lists and healthcare bodies will need to keep all manner of healthcare records under lock and key. Your first task should be to find what your critical data assets are and deciding on a hygienic way to handle them on personal and corporate devices.
This matters for compliance too. Your BYoD policy will have to be structured around the specific regulatory obligations of your industry. But there is one particular regulation which everyone will have to prepare for: The General Data Protection Regulation.
In the run up to the enforcement of GDPR on May 25th 2018, some have started to view BYoD policies with suspicion. A survey from Strategy Analytics last year showed increasing fears around BYoD on the part of European businesses. Ten percent of those polled said they expected the use of BYoD enabled tablets to decrease with the advent of the GDPR.
Creating a structure for the use of home devices within an organization, some may think, opens it up to compromise when it comes to compliance. After all, what’s to stop anyone from loading up their personal laptop with all the personal data they can get their hands on and making for the door?
A good BYoD policy for one.
The GDPR demands that you actively take account for the personal data that you have and how it might it be threatened, before implementing security controls and policies “appropriate to the risk.”
Aside from the personal data that might be handled by employees, you also have to account for the personal data that might be accessed on their personal devices.
Attached to those demands are fines of up to four percent of global turnover, or 20 million euros, whichever is higher. Given those figures, BYoD is an issue which you can no longer ignore.
The good news is there are a number of areas in which a good BYoD policy can ease your path to GDPR compliance. The landmark piece of regulation includes requirements about access control and breach reporting as well as the protection of personal information. A BYoD policy will help in all these areas.
You’ll need to demonstrate your compliance to regulators too, meaning that you will need to have documented policies, audits and reports that show you have an active BYoD policy.
Once you’ve thought through your compliance obligations, you’ll want to think about how you secure your network and data on personal devices. This is known as Enterprise Mobility Management.
For example, being able to remotely monitor and manage mobile sessions in the office or over secure SSL VPNs when users are out of the office is core to secure BYoD.
This matters for the everyday flow of data between personal devices and corporate networks just as much as it does for the actual physical mobility of those devices. Even in a world without hackers, users would still lose and damage their devices. It’s important then that critical data is still in your hands even when the device is not.
Organizations should encrypt corporate data and consider solutions that allow you to reach in to a lost device and remotely wipe it of sensitive data, keeping it out of attackers’ hands even if it isn’t in yours. Remote wipe technology can be a point of contention, considering you’re also dealing with the device owner’s data.
It’s also worth considering how this fits into your offboarding processes. Similar solutions can make sure that leaving employees don’t also leave with critical data and, even more importantly, access to corporate accounts
Even for current employees it might make sense to adopt a Principle of Least Privilege as a guiding reference. It states, simply, that people must be given the fewest possible rights and privileges they need to do their job. If an employee does not need access to a particular area or piece of data, then they should not have it. The proliferation of admin rights on corporate networks is still a leading cause of data breaches and privileged credentials, according to analyst firm Forrester, are misused in 80 percent of attacks. You will want to lock down access as a matter of priority.
Container security solutions can help you separate out your employees’ devices from their potentially hazardous personal data and apps. When using their device for company business, they can work inside a ‘corporate container’ which insulates both corporate and personal environments from risks to privacy and security.
Technological solutions like container security, SSL VPNs and network access controls are critical and can take a lot of the danger potential out of your users’ hands. Still, humans will always be your first line ofdefencewhen it comes to security; they are where a good deal of your efforts has to be focused. Staff must be rigorously educated on what they can and cannot do while using company networks, trained on proper onboarding and offboarding processes and updated on the best practices of cyber hygiene.
This process should ultimately be collaborative. Staff should be asked what they need, and how BYoD implementation would best fit them. Any security policy has to be tailored around those who are wearing or it will tear.
Users will have to be able to access the information and apps they need and easily reconfigure their devices so they can work safely on a corporate network. If they can’t they will find ways to which breach your security.
Gartner has predicted that 20 percent of BYoD programs will fail due to over complexity. To that end, low friction solutions are always the best choice when it comes user-facing security; one that accommodates them is less likely to be violated and more likely to result in a more secure network that works in harmony with its staff.
BYoD will introduce a variety of unknown quantities to a network, posing a challenge to anyone who is trying to secure that network. But today’s workplace demands the kind of flexibility that BYoD brings and ignoring that fact won’t make it go away. A secure organization rises to meet the challenges posed by BYoD instead of letting them fly overhead.
About the author: Scott Gordon is the chief marketing officer at Pulse Secure, responsible for global marketing strategy, communications, operations, channel and sales enablement. He possesses over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations across SaaS, hardware and enterprise software platforms.