It is increasingly common to see personal mobile devices such as smart phones, tablets and mass storage/entertainment devices in the workplace. Employees often prefer to have a single device to manage their whole life — both personal and work data included. BYOD, or bring your own device, policies are the current tool to allow companies to manage the risk inherent in the intersection of personal and business data on an employee-owned device. How can your company ensure that it respects personal data, protects company assets and has effective control without overstepping? Here is a top 12 list of tips and tricks to develop an effective and defensible, but not overreaching, BYOD policy:
1. Review your current security protocols. A great place to start is a review of your current data security decisions. Does your enterprise allow for remote access to email or any server applications? Business decision makers and high-level IT decision makers should discuss the pros and cons of which type of data to make available to mobile BYOD users. Special attention should be paid to which types of employees will be using their own devices and what data they actually need in the conduct of their work while on their mobile devices. As in most things, “oversharing” is discouraged.
2. Establish what devices will be supported. BYOD does not mean “support my device.” Discussions should be had with IT and policy makers, as both cost and security considerations come into play. Typically, “jailbroken,” “rooted,” or hacked devices should not be supported because the modifications to the devices will weaken the security of the device and may expose corporate data to higher risk.
3. Establish what apps will be permitted. This is where security holes originate. Especially problematic are applications for social media browsing, replacement email applications and remote-access software. Be mindful of reports of security holes and applications that allow for mass storage and/or output, as those apps may facilitate corporate espionage.
4. Enforce a tight security policy over devices and data. Passwords, lock screens and PINs are critical. This is where many users will find they are not as enamored with BYOD as at first blush. Data security policies may include the mandatory installation of software to remotely manage the company data on the machine, which could cause some users to reject BYOD. Remember – not everyone loves the idea of complex passwords or a potential remote wipe of their personal data.
5. Have an exit strategy for users and their devices – What happens when an employee leaves? Don’t forget about what will happen when employees with devices on your BYOD platform leave the company. How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information?
5. a. What happens when employees lose (or sell) their devices? What happens when an employee’s device is stolen? A common policy and technology strategy is to enable remote wiping of a device’s data and require it as a condition of program participation. If an employee reports a stolen or misplaced device, company IT can use software to automatically wipe all data off the device to protect company assets. This may require an investment in remote wiping technology and building this into the security policy. However, it also requires employee training to report lost, stolen or sold devices, and may require more maintenance by IT staff than current policies mandate.
6. Integrate your BYOD plan with your acceptable use policy. Clearly explain in writing what is and is not acceptable use on the employee-owned machine that will be holding company data. Discussions about an acceptable use policy are required to protect company data and shield the company from liability. Remember that written, enforced policies will protect the company in litigation.
7. Clarify in your BYOD policy who owns what data. The question of who owns data on an employee’s personal device is murkier than expected, especially when a phone is lost or stolen and data is wiped pursuant to an implemented company data use plan. A “wipe” typically removes everything from the phone’s data stores, including both the company and the personal data. This can also remove apps and content paid for by the user, not the company, some of which may be irreplaceable. Does the company have the right to wipe devices put on the company network? Is there a backup system in place that captures employee data? A data use policy that includes mandatory company data backup (which may be conducted via an automated process) and encourages employee backup of personal data can provide the company with cover for unfortunate wipe events that result in loss of personal data.
8. Establish and enforce data use policies. The policies and their enforcement will provide litigation cover to your company and help guide employee conduct. All data on an employee device is potentially subject to discovery in a civil, criminal, or regulatory action. Thus, in a suit against the company, the employee’s personal device (and ALL of the data on that device) could be reviewed by another party. This includes social media and private information on the machine. Employees must be aware of this and consent in writing. As a full device examination could be a potentially embarrassing situation for both the company and the employee alike, employees need to understand and be trained on this issue as part of the BYOD policy before participating.
9. Policies must be in writing, and employee-signed affirmations are mandatory. This is the most critical step. Anyone participating in BYOD must sign a terms of use acknowledgment after receiving training on the company usage policies. Those who will not agree to follow the policies may not participate. The company should monitor use to determine whether any employees’ usage habits are in violation of the BYOD policies.
10. Mobile device management software can save time and money. Software that provides secure client applications (such as email and web browsers), remote application distribution, configuration, monitoring and remote wipe capability can simplify administration of BYOD. The decision to use mobile device management software may inform which devices are supported. Again, this is a joint decision to be made between IT, operations and legal/risk departments.
11. Train and promote. Train your employees to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity. To avoid “data creep” – that is, the movement of company data out of the company’s trusted network via mobile device users’ inadvertent or more nefarious activity – mandate training on acceptable usage, saving and portability procedures. Again, properly implemented and enforced policies can create defenses and affirmative defenses in data espionage or trade secret litigation.
12. Encrypt data. In the event that a device is stolen, or a dishonest employee attempts to offload company data off the device, encryption can provide an extra level of security. Apps that download and store data on the device should protect that data. If your company is regulated, does international business, or includes PII, encryption is a must.