Whilst defining your BYOD policy, you might miss some important requirements to producing a document that will help guide your employees when they use their own device for work purposes. More organisations around the world are now providing an allowance to employees to allow them to buy their own consumer devices, however there is an association with the user that they are using their own money to buy a device, and so it is more “theirs” than it is the company’s. This brings me to the first tip.

It’s for work

One key part to start with is to ensure that the employees realise that the device they use for work should be considered a professional tool, not a toy. People will purchase a device based on personal preferences, and as they may end up using it outside of work too, this may skew their device selection criteria towards their out of work needs. The policy should have clear language that refers to devices as professional work tools to perform the employee’s duties.

Choose the right device

It might work for your organisation to allow any device to be purchased and used, however there are alternatives. Your policy could define specific requirements around device selection, or could list specific manufacturers and models of approved devices. There are benefits for a business to provide a framework for effective selection – ensuring that the employee chooses a device that is fit for the job is one!

Additionally, by limiting selection it is possible to keep spares of parts like power supplies and cables. As a business, it is far cheaper to maintain a few cables than it is to lose staff productivity because of a flat battery and no charger! If you have a limited number of devices as options, then colleagues can help each other with questions on functionality and support.

Depending on your business type, you can specify particular capabilities like accessories or types of connectors (video out for people who do presentations, external keyboard for tablet users) to ensure that the device is fit for purpose. Consider providing capabilities such as docking stations / port replicators (e.g. from Dynalink, Targus and Toshiba) to enable hot-desking without the delay of a user trying to plug everything in.

READ ARTICLE:   Half the battle is knowing what is going on

Choose the right system

Aside from the hardware, you may need to place restrictions on the operating system of the device. Do you have a particular system that staff need to use – for example is the Timesheet system only accessible from Internet Explorer? This should be specified so that employees must have multiple devices, with at least one that can access required systems.

For Windows machines, you can consider providing portable applications through VMware ThinApp – this will allow older versions of software to run on newer operating systems (Internet Explorer 6 on Windows 8 for example).

If you find that you have users preferring devices that are not compatible, then consider providing alternative methods. For example, if you have a Flash-dependent site that iPad users want to access, consider VMware Horizon View to provide access to a pooled virtual desktop system. Another benefit of View is that the data stays within the virtual desktop, which brings me on to my next point.

Ensure security of devices

Nobody enjoys having to log in to a device. With tablets and phones, authentication might be multiple times an hour, and people would be tempted to do whatever they can to make it easy for themselves. Your BYOD policy should clearly define the authentication and locking requirements – beyond just a simple 4 digit PIN (set a minimum of 5 digits, or alphanumeric).

Use a password

You can also control security policies with systems such as Air-Watch, and Exchange ActiveSync Mailbox Policies to control password length and complexity.

For laptops and tablets, they may not be a member of your domain and so not subject to Group Policy controls, so when defining your BYOD policy, it should explicitly set out the requirements for access controls.

Protect your data

This one might be a big problem for your business – what happens to your business data that is on the device, if the device is lost, stolen or hacked? If you are using VMware Horizon and View remote desktops, then the data is never actually on the device, it’s still in the datacentre. However, have you considered email on the device, or other apps? What about SMS messages or photos taken with the device – how many times have you seen someone taking a photo of a whiteboard after a meeting? SMS and MMS messages don’t go through your corporate infrastructure, could they contain important information that needs to be controlled or backed up.

READ ARTICLE:   Top 10 tips for cloud adoption

Encryption

Combination entry

Device encryption (such as Windows BitLocker and Android device encryption) should be mandated if there is even the slightest possibility that a mobile device could be picked up by someone else.

There are also technologies to encrypt folders and drives (TrueCrypt, some anti-virus packages contain encryption capabilities), however these are more intrusive to users and training may be required. That’s not wasted time though, because it is applicable to removable devices too, bringing me to my next point.

Removable Devices

Your removable devices should also be encrypted – and your BYOD policy should also mandate that the 1TB USB drive that an employee is using to supplement the tiny storage on their ultrabook should have it’s data secured. Provide a capability for encryption for the users through BitLocker, TrueCrypt or their anti-malware products. Obviously, the loss of a USB drive should already be covered in other policies of your organisation – aren’t they?

Backup

Backups should be mandated for all company data, but you need to consider the methods to achieve this. Issues to consider include;

  • If automated systems such as Google Autobackup are used, how is this data transferred into the business to comply with regulations and requirements for data search and retention?
  • What about user generated content such as photos, music and personal email? Photos can also include business photos (like a snap of a whiteboard)
  • Does your corporate backup software have clients for mobile devices?
  • What about the user’s downloaded apps and their data – backups can include this data, but do you want it?
  • Is the content from the user’s personal time subject to any regulations or legal issues? Activities and memberships that they may have outside of work could have ramifications on your business.
  • If / when the user leaves, if the backup is available to them after they leave, how does this backed up data get removed?

Consider device turnover and user exit

Cleaning your device

There may already be a policy in your organisation for user departure to remove their access, but what about cached or stored information on their device? Consider saved passwords, SMS/MMS messages, downloaded attachments etc. in defining your BYOD policy.

READ ARTICLE:   Educate Boards in Cybersecurity

An important, and often forgotten, point is that one of the drivers for a defining your BYOD policy is that end-user consumer devices have a shorter acceptable lifespan. That is, users want to change them more frequently and move to the latest technology. So, data on their device may need to be removed without it being a part of the user exit process. You should instead have a process to clean off the company data from a BYOD device, before the employee passes it down to their family. This could be the form of a requirement for the user to validate the cleaning of their device, or a remote wipe to factory defaults. Consider formal processes.

Business acceptable appearance

We’ve all heard inappropriate ringtones; consider also background wallpaper, screensaver, lockscreen and notification sounds. When defining your BYOD policy, outline that the device should be in a professional state. Include items such as the phone case/cover, stickers on a laptop and items like desktop shortcuts/apps that may not be appropriate – particularly if the device is in a customer-facing environment, and especially when it is used for a presentation.

Ensure security of your environment

castle-gate-in-autumn

Following on from my previous point of ensuring security of the device, you also need to ensure that the device  is not a risk vector. Mandated anti-malware installation, and updates, should be specified on laptops, tablets and phones. Don’t allow rooted devices and consider Mobile Application Management (MAM) and Mobile Device Management (MDM) such as AirWatch to control the device and it’s applications. For laptops and Windows tablets, firewall and other network protection products should be required – however, you may need special capabilities to use centralised anti-virus solutions.

There are many other points that are important to cover, however these points should be considered as a fundamental base.

Share this knowledge