Does Your Company Need a BYOD Policy?

Short answer? Yes!

This morning, most of us woke up and followed a very similar routine, grabbing our mobile phone, tablet, and/or laptop as we headed out the door to work. Who owns those mobile devices - you, your company or a bit of both?

Chances are the phone and the tablet are your personal devices, while the laptop is provided by your company, although this too can vary, especially for freelancers and contractors.

Today, one of the most common scenarios is for employees to purchase, own and control the smartphones and tablets that they use for work purposes, an arrangement referred to as BYOD (Bring Your Own Device).

Remember when there was big pushback from IT departments about supporting personal devices?

That was circa 2009 when many businesses went so far as blocking personal devices from their networks and mail servers. Fast forward to today, and it’s expected - if not mandated - that the IT department support personal devices, letting employees access company data all hours of the day and night from anywhere.

BYOD is entrenched because companies quickly realized that it boosts employee productivity, and saves on capital expenditures to boot. 

Did you know:

* 87% of companies rely on employees using their personal smartphones to access mobile business apps and services.

* Almost 50% of businesses require their employees to use their personal smartphones.

* Employees use their smartphones for work purposes outside of normal working hours about 7 hours per week.

* About 70% of companies say that they reimburse their employees in some fashion for BYOD, while only 29% of employees reported that they receive BYOD reimbursement (interesting!)

*Source: Syntonic

So while we could debate who is benefiting the most from BYOD, there is one huge pitfall that has surfaced with the BYOD movement: lack of security training, practices and policies.

The biggest concern businesses have with BYOD is the risk of compromising company data, whether by lost/stolen devices or by cyber-attacks and threats.

BYOD security risks need to be taken very seriously, and it's an unfortunate fact that most companies do NOT have a mobile device policy in place.

Key BYOD risks and drawbacks you should know about:

* Anticipated cost benefits. If BYOD is implemented correctly, the security controls that are necessary to comply with security best practices will add to the cost of BYOD. This is typically done through mobile device management (MDM) software, which allows companies to remotely manage end-user devices.

* Employee privacy. Most employees have not been told about the risk of using personal devices at work. If the organization they work for is sued, their personal data may be at risk as well. Additionally, in many cases the company may have access to everything on the employee’s device, even private information, depending on the type of mobile management the company has deployed.

* Increased cyber-attacks. With the explosion of mobile device usage, hackers now have many more “attack surfaces” than before, such as introducing untrusted mobile apps that may be vulnerable or malicious. Personal devices are also very attractive to hackers because not only do they contain company data, but also personally identifiable information (PII) about the user.

* Employee non-compliance. How many of us have avoided rebooting our devices after being prompted to update? Keeping mobile devices updated with patches and operating system upgrades is imperative for security reasons, but it’s difficult to enforce this without some sort of MDM solution.

* Physical loss or theft. Now that our devices are not tethered to our desks, it’s incredibly easy to lose track of your smartphone, laptop or tablet. The true cost of a lost mobile device goes far beyond the price of replacement, thanks to lost productivity, loss of intellectual property, data breaches and legal fees.

*Source: Security Magazine

It’s been estimated that the average loss to a company exceeds $49,000.00 per lost or stolen device!

Here's how to get started with a BYOD policy.

Every company needs a formal BYOD policy to protect both the business and its employees. Don’t rely on informal conversations and assumptions.

There is NO case where BYOD should exist without the following three components:

* A software application for managing the devices that are connected to the company network

* A written policy that outlines the responsibilities of both employer and user

* An agreement that users must sign acknowledging that they read and understand the policy

To help get you started with your mobile security planning, check out this BYOD policy that outlines the requirements for BYOD usage, and establishes the steps that users and the IT department should follow.

There are many other layers that are needed for robust cyber security protection across an organization, but a BYOD policy is a great place to start.

Need more assistance? As always, feel free to reach out to me to discuss your IT challenges.

Note: This article first appeared in the Ntiva Blog.

Excellent article great food for thought
