In this article Stephen explains how to securely navigate the BYOD landscape.
Recent research into mobile device deployment in the workforce showed that 7% of UK companies rely on ‘bring your own device’ to deploy devices in the workforce. 38% of companies offer a hybrid model, providing company owned devices alongside BYOD. What does this show? BYOD isn’t coming – it’s already here.
However, the research also showed that a third of businesses have no enforceable policy in place to manage these mobile devices, especially worrying given the variety of device deployment methods in the IT landscape.
With the number, and scale of ICO fines levied on public and private sector organisations in the last year, the financial cost as well as the potential damage to reputation of a data breach is not an issue to be ignored.
There are, however practical, concrete steps that allow efficient incorporation of employee-owned devices into a deployment whilst ensuring secure protection of corporate infrastructure and data.
Step 1 – DEFINE YOUR IT REQUIREMENTS
Devices & Form Factors
To begin, you must select the types of devices and operating systems that you are willing to support. It is not possible to standardise management for mobile devices since each operating system and even the hardware itself can impact IT capabilities. For your Mobile Device Policy, here are the baseline criteria to use for assessing operating systems and device types:
Based on these criteria, you should be able to define the list of form factors and operating systems you will support.
Next, you must create an environment that will support employee-owned devices during the enrolment process. The simplest solution is to set up a guest wireless network that is separated from the internal network. This can serve as the enrolment network for employee-owned devices. Once enrolled, your MDM solution should automatically evaluate and assign privileges based on the policies you have created.
Basic privileges include access to company email, company Wi-Fi, and VPN configurations. These privileges should be tied to a policy that defines the security requirements of the company. Devices that do not comply with the security policy should be blocked. For instance, devices that are jailbroken, rooted of have blacklisted apps installed.
Provisioning access through your MDM solution benefits the organisation and the employee:
- Employees receive access immediately
- IT doesn’t need to manually provision devices
- Wi-Fi passwords are not shared with employees
- Remediation of future violations will be automatic since access is tied to the security policy
The final component for IT readiness relates to management policies and restrictions to employee-owned devices. This is broken down into three basic considerations:
- Policy-based management: Employee information is already organized within directory systems such as Active Directory or Open Directory, including departments, geographies, and job titles. Save yourself a lot of time and base your device policies on these groupings.
- Security: Create a baseline security policy that enables automatic remediation when devices fall out of compliance. Other criteria should be identified and implemented including company passwords and app blacklists.
- Document Management: Unless you provide employees with a means to securely access corporate documents, they will invent their own. The best practice is to provide a centrally administered document repository that manages file availability by policy, while allowing IT to delete files as necessary. This is the best model to secure company data while respecting device ownership and user experience.
Step 2 – DEFINE YOUR LEGAL REQUIREMENTS
The most significant challenge associated with BYOD is the balance IT must maintain between respecting the privacy of the employee while securing the corporate network and any data contained on the device.
Since this is essentially collaboration between the employee and the organisation, it’s best to put it in writing.
Mobile Device Policy
This is a comprehensive document that should incorporate the specific requirements of your organisation, based upon guidance provided by various internal stakeholders including general legal counsel, IT, Human Resources, employees and others.
Each policy is unique but generally should address some or all of these aspects:
- Defines accountability and responsibilities
- Defines process for policy violation including consequences
- Focuses on a set of standards without including details such as device type and operating system
- Sets expectation that standards will be updated periodically
User & Funding
- Defines how devices will be used by employees
- Defines how security requirements will be communicated to employees
- Whether a technology stipend program is needed and if so, who will pay
- If required, defines the reimbursement process for recurring costs to employees
- Support for contractors using their own devices on the corporate network
- Whether regional or country data privacy laws will restrict security measures available to IT and consents required
- Rights to audit and monitor activity on personally owned devices and any limitations based on local laws and regulations
- The ability to distinguish liabilities between users and the organization for usage of features, licenses, apps, etc.
- Consent for the company to access the device for business purposes
- Sets out how to remove devices from the population and how sensitive data and company property are removed
- Obligations on employee to report loss of device and employer’s right to wipe it
- Details of control over information of control over corporate information stored on employee-owned devices
- HR policies that can govern the use of personally owned devices for personal use during work and non-work hours or in a work or non-work environment
- Contract language to incorporate independent contractors and vendors and their compliance with the Mobile Device Policy
- Employee awareness and training
- Details of employee payment plan if the employer is initially paying for the device and employee is paying it down in installments
Employee Mobile Device Agreement
This is a simpler document with the sole purpose of acknowledging each employee’s acceptance and agreement of the terms associated with the corporate Mobile Device Policy. By accepting the terms, the employee acknowledges that IT will have the legal right and ability to secure their device and the data it contains if required.
The employee opt-in is important in order to mitigate any future scenario where an employee may claim they were unaware of the policy. Since employee acceptance allows IT to perform security measures including the deletion of some or all data from a device (depending on the nature of the corporate policy) potentially seizing a device, it’s important that the company can prove its right to carry out this type of security activity.
Employee agreements should be preserved and available for future access as required.
Step 3 – IMPLEMENT MDM SOFTWARE
Now that you have all of the internal requirements identified and in order, you need to select the appropriate software application that will allow you to properly manage and secure corporate- and employee-owned mobile devices.
Similar to the criteria you applied while assessing the different types of operating systems and form factors, you need to ensure the solution you select is able to deliver some baseline and supplementary capabilities.
Mobile Apps Management