BYOD is becoming the rule instead of the exception for many organizations. Gartner predicts that by 2018, 70 percent of mobile professionals will use personal devices for work-related activities. Rightly so, many businesses resist BYOD because of security concerns. The BYOD & Mobile Security 2016 Spotlight Report by the Information Security Community on LinkedIn found that 39 percent of companies said security is their top concern with BYOD.
Banning BYOD may seem like an easy solution to address BYOD security concerns. However, many employees will use their personal devices on the network even if it is not permitted, which means that they are likely not following security guidelines. This results in much higher security risks than taking steps to protect your network. By having each employee instead sign a BYOD policy that outlines security protocols, you are ensuring that all mobile devices used on your network are using proper security precautions.
Here are eight tips for keeping your network safe while allowing BYOD at your business.
1. Focus on mobile moments
It’s no longer just a phone or tablet that employees will use to access your network, but smart watches and even fitness trackers. When businesses take a device-specific approach to BYOD security, the protection is limited and must be revisited as more types of wireless-enabled devices are brought to work. In its Mobile Security Playbook for 2016, Forrester recommends taking a holistic approach and working to secure “mobile moments,” which it defines as “a point in time and space when someone pulls out a mobile device to immediately get what he or she wants, in context.” By shifting to this mindset, the report says, businesses can create a dynamic security approach that takes into account user identity, time, location, behavior and biometrics, as well as device state, user, app state, transaction requests and user experience.
2. Have a process for exiting employees
BYOD creates an additional wrinkle in the exit process for employees, because they have sensitive employee data on devices that the company most likely does not own. The solution is to specify the process for exiting employees with regard to company access and data on personal mobile devices. According to the BYOD & Mobile Security 2016 Spotlight Report, only 34 percent of companies remove company data through a remote wipe or other process when an employee leaves. Companies not taking this action increase their risk for theft, data breach and cyberattacks.
3. Require immediate notification for lost and stolen devices
Almost everybody loses their phone at some point. However, if the phone has company data and allows access to the company network, then every minute that the phone is unaccounted for increases the risk of a data breach or cyberattack. Require that all employees notify IT as soon as a device is lost or stolen. Once a device is reported, IT should terminate the device’s access to the network and any apps accessing company data. IT can also remotely wipe company data from the phone, if necessary. Since phones are often lost outside of business hours, it is essential to have a contact person and procedure 24 hours a day, seven days a week.
4. Require mobile device management on all devices
One of the biggest issues with BYOD is blending the need for company security with employee privacy, especially if employees are not getting a stipend for the device. Consider requiring all employees to have mobile device management (MDM) technology on all devices accessing the internet. This technology creates a separation between company data and the employee’s personal information and also provides your organization with the ability to remotely access and remove any corporate data on the phone.
5. Set password guidelines
It may seem like a no-brainer, but if you do not require all employees to follow safe password protocols, your network may be an easy target for cybercriminals. According to the BYOD & Mobile Security 2016 Spotlight Report, 63 percent of companies require passwords on all mobile devices used on the network. Best practices include requiring users to change passwords every three months and prohibiting reuse of previous passwords. According to a Champion Solutions Group survey, 73 percent of organizations also require re-entering passwords after five to 15 minutes of inactivity, and 77 percent lock users out after three or five incorrect logins from a mobile device.
6. Use network access control (NAC) software
With BYOD, your company’s data is dependent on your employees keeping their device security up to date. If an employee does not download updates to antivirus software and operating systems, it is possible for a cyberattack to enter the network through the unsecured device. Many businesses use NAC technology to ensure that every device connected to the network has the latest in protection.
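A sketch of the admission decision a NAC check makes, combined with the lost-device and MDM requirements from tips 3 and 4. This is an added example, not from the article or any NAC product; the field names, thresholds and baseline dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values, constructed for this example.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)
MIN_OS_PATCH = {"android": date(2016, 6, 1), "ios": date(2016, 5, 16)}

@dataclass
class Device:
    device_id: str
    platform: str          # e.g. "android", "ios"
    os_patch_date: date    # date of the installed OS security patch
    av_signatures: date    # date of the installed antivirus definitions
    mdm_enrolled: bool
    reported_lost: bool = False

def admit(device: Device, today: date):
    """Return (decision, reasons); decision is 'allow', 'quarantine' or 'deny'."""
    # A device reported lost or stolen is cut off outright (tip 3).
    if device.reported_lost:
        return "deny", ["reported lost or stolen"]
    reasons = []
    if not device.mdm_enrolled:                      # tip 4
        reasons.append("not enrolled in MDM")
    baseline = MIN_OS_PATCH.get(device.platform)
    if baseline is None:
        # New device types (watches, trackers) fail closed until a
        # baseline is defined for them.
        reasons.append("unknown platform")
    elif device.os_patch_date < baseline:
        reasons.append("OS patch level below baseline")
    if today - device.av_signatures > MAX_AV_SIGNATURE_AGE:
        reasons.append("antivirus signatures out of date")
    # Non-compliant devices get a restricted segment where they can
    # update, rather than full network access.
    return ("quarantine", reasons) if reasons else ("allow", [])

if __name__ == "__main__":
    today = date(2016, 7, 1)
    fleet = [  # constructed sample devices
        Device("phone-1", "android", date(2016, 6, 1), date(2016, 6, 28), True),
        Device("phone-2", "ios", date(2016, 5, 16), date(2016, 6, 1), True),
        Device("watch-1", "wearable", date(2016, 6, 1), date(2016, 6, 30), False),
        Device("phone-3", "android", date(2016, 6, 1), date(2016, 6, 30), True, True),
    ]
    for d in fleet:
        print(d.device_id, *admit(d, today))
```

Returning the reasons alongside the decision lets IT tell the employee exactly what to update before the device is readmitted.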
7. Use two-factor authentication for mobile network access
Passwords can be stolen, as can physical devices. This is the reason many companies use a two-factor authentication process for employees to access the network remotely, requiring employees to provide two different pieces of information to confirm their identity. Most systems use a strong password as the first factor, and the second factor can be a variety of authentications, including an SMS code, hardware or other options.
8. Use endpoint protection
While much of mobile security focuses on the responsibilities of the employees, it is essential that an organization use endpoint protection technology, such as antivirus and antimalware, against breaches and malware. The way endpoint protection works, according to TechTarget IT, is that security programs scan the device to ensure it is free of malware and viruses before the user gains access to the network. This keeps viruses and malware from entering the network through a corrupted mobile device.
BYOD is not a passing fad but a fundamental change in our communication style. By creating security protocols and processes for a BYOD policy, your company can increase employee satisfaction and productivity while at the same time keeping its network and data secure.