With the global bring-your-own-device (BYOD) market estimated to hit $587.3 billion by 2030, interest in using personal smartphones and laptops for work shows no signs of slowing down. Studies show that, in many cases, BYOD options increase employee satisfaction and mobility.
Yet security remains a top concern. Recent reports indicate that malicious actors targeted 43% of surveyed employees with a work-related phishing attack. The bottom line: many workers will use your network for both professional and personal purposes unless you enforce an effective policy.
Here are eight tips for keeping your network safe while allowing BYOD at your business.
1. Review Current Challenges Before Updating Your BYOD Policy
You may already have a BYOD policy in place, whether written or implied. The thing is, during and following the pandemic, situations have changed. A Samsung survey found that BYOD is popular among small companies, but among all sizes of organizations, “Only 15% of businesses surveyed issue mobile devices to all employees.” Almost half provide some employees with smartphones and allow others to bring their own, and a full 39% rely on BYOD.
If your policy was written pre-Covid, it’s definitely time for an update. More recent policies could use a refresher based on best practices and current cybersecurity issues. Start by assessing your current challenges, whether that’s employee compliance or visibility into who’s using your network. Involve department leaders to see where mobility is a priority for productivity and job roles versus situations where it’s a nice-to-have.
2. Define Permissible Employee Devices
Cybercriminals tailor campaigns to more than a device's operating system. They exploit vulnerabilities in specific OS versions and target older hardware that no longer receives security updates. Each phone or laptop model also has its own security capabilities (for example, hardware-backed key storage or biometric unlock) and its own support lifetime.
Your policy should address each of these aspects, for both security and legal reasons. When you mandate personal device usage, your legal department may recommend offering stipends or reimbursement after an incident. In these cases, having the specifics (manufacturer, age of device, operating system, and minimum version) in writing protects your company.
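As an added example (not code from the original article), the following Python script turns those written specifics into a check that can be run over a device inventory. The policy thresholds, the approved manufacturer list and the inventory records are constructed assumptions chosen for illustration; in practice the records would come from your MDM export.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (assumed values, not from the article):
# minimum OS version per platform, approved manufacturers, maximum hardware age.
POLICY = {
    "min_os": {"ios": "17.0", "android": "14.0"},
    "allowed_manufacturers": {"ios": {"Apple"}, "android": {"Samsung", "Google"}},
    "max_age_years": 4,
}

@dataclass
class Device:
    owner: str
    platform: str        # "ios" or "android"
    manufacturer: str
    os_version: str      # as reported by the device, e.g. "17.4.1"
    release_date: date   # release date of the hardware model

def parse_version(text: str, width: int = 3) -> tuple:
    """Convert "17.4.1" or "14" into a fixed-width tuple so versions compare
    numerically: "14" becomes (14, 0, 0), which is not less than "14.0"."""
    parts = []
    for piece in text.split(".")[:width]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))
    return tuple(parts)

def check_device(dev: Device, policy: dict, today: date) -> list:
    """Return the list of policy violations for one device (empty if compliant)."""
    reasons = []
    platform = dev.platform.lower()
    if platform not in policy["min_os"]:
        return [f"platform '{dev.platform}' is not permitted"]
    if dev.manufacturer not in policy["allowed_manufacturers"][platform]:
        reasons.append(f"manufacturer '{dev.manufacturer}' is not approved")
    minimum = policy["min_os"][platform]
    if parse_version(dev.os_version) < parse_version(minimum):
        reasons.append(f"OS {dev.os_version} is below the minimum {minimum}")
    age_years = (today - dev.release_date).days / 365.25
    if age_years > policy["max_age_years"]:
        reasons.append(f"hardware is {age_years:.1f} years old (limit {policy['max_age_years']})")
    return reasons

def audit(devices, policy, today):
    """Map each non-compliant owner to the reasons their device fails the policy."""
    findings = {}
    for dev in devices:
        reasons = check_device(dev, policy, today)
        if reasons:
            findings[dev.owner] = reasons
    return findings

# Constructed inventory records standing in for an MDM export.
SAMPLE_DEVICES = [
    Device("alice", "ios", "Apple", "17.4.1", date(2022, 9, 16)),
    Device("bob", "ios", "Apple", "15.8", date(2017, 11, 3)),
    Device("carol", "android", "OnePlus", "14", date(2023, 2, 7)),
    Device("dave", "android", "Samsung", "13", date(2021, 1, 29)),
]
AUDIT_DATE = date(2024, 6, 1)   # fixed so the result is reproducible

def run_audit():
    return audit(SAMPLE_DEVICES, POLICY, AUDIT_DATE)

if __name__ == "__main__":
    for owner, reasons in run_audit().items():
        print(f"{owner}: " + "; ".join(reasons))
```

Running it flags bob (outdated OS and hardware older than the limit), carol (unapproved manufacturer) and dave (OS below the minimum) while alice passes. The version parser pads short strings so that an Android device reporting "14" is not wrongly treated as older than "14.0".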
3. Address Wearable Network Access
An older BYOD policy may not reflect the newest devices connecting to your business network. While wearables may pose less risk than a smartphone or laptop, it is a best practice to name them in your policy. Even better, if your company offers a guest (public) Wi-Fi network segregated from corporate resources, direct employees to connect their wearables there so the devices stay off the corporate network and the employees avoid disciplinary issues.
Wearables may include fitness trackers and smartwatches, virtual reality (VR) headsets, and other sensors. Some physicians also prescribe remote monitoring devices. In this case, talk to your legal department about whether your company must accommodate these connections or provide an alternative (guest Wi-Fi) network for them.
4. Establish BYOD Security Policies and Protocols
Your BYOD policy should be clearly defined and be accompanied by an acceptable use agreement. It’s a best practice to have your legal department review the language and have employees sign the agreements during onboarding and at recommended intervals thereafter. You can start with a BYOD template and then customize it for your business needs.
Most experts suggest including the following information:
- Minimum device lock requirements, such as a six-digit PIN, plus multi-factor authentication (MFA) for access to corporate accounts and applications
- Situations in which your company has the right to wipe corporate data (or, where the employee has agreed, the whole device) from a personal phone, such as during offboarding
- The definition of an incident that requires a data wipe or an IT review of a personal phone, and how that process works
- The method for reporting a lost or stolen device and the consequences if not followed
- Details about the type of information that can be sent or accessed through the personal device while on a corporate network
- A clear acceptable use policy that addresses confidential and proprietary data
5. Incorporate BYOD Training Into Your Cybersecurity Program
You can’t possibly overemphasize the importance of cybersecurity to your staff. Any changes to your BYOD policy mean it’s time to update your training program. Start by explaining the changes in simple terms and the assistance available to help them use their personal devices without risking their job or network security. Remember to talk about how your BYOD policies and protocols benefit them as well. Your cybersecurity investments protect their private data and give them the flexibility to use devices at work without sharing intimate details about what they do after hours.
6. Select and Deploy a Mobile Device Management Solution
A mobile device management (MDM) solution is a must-have for any business allowing employees to use personal devices for work purposes. These platforms cover tablets and phones, offering many standout features to improve your security posture. Unfortunately, Samsung's survey found that only four out of 10 companies with BYOD use MDM solutions, and 48% of these organizations had malware introduced to their network from a worker's personal phone.
Consider MDM software with features such as:
- Device provisioning and management from a central console
- Real-time information about connected devices
- Ability to wipe a lost or stolen device
- Company-wide BYOD policy enforcement
- Data encryption tools
7. Consider Additional Security Options
Today, many solutions address BYOD situations. For instance, a firewall combined with a virtual private network (VPN) can keep unwanted apps off your organization's network. You can configure per-app VPN (a split-tunneling mode that MDM platforms support on iOS and Android) so that only your company's managed applications route through the tunnel to your network; all other apps use the employee's own data plan. A VPN that requires a device certificate issued through MDM can also enforce rules against unauthorized devices reaching your network. This approach is better than trying to ban workers from installing certain apps on their personal devices, which is fraught with legal concerns.
Another option is an application vetting tool. These tools review app- and device-based risks, such as known vulnerabilities or outdated versions, using static, dynamic, and behavioral analysis to decide whether an app is risky. Mobile threat defense (MTD) software, a form of endpoint protection for mobile devices, detects unwanted activity and integrates with MDM software. It looks for insecure configurations, compromised (jailbroken or rooted) devices, and outdated operating system versions.
8. Set Reminders to Review Your Policy
As technologies continue to change, it is vital to review your policies regularly. Revisit supported operating systems and versions to check whether they still receive security updates and whether employees are requesting different devices. Listening to your staff's feedback and updating your protocols can help your company avoid a security breach or legal blowback.