BYOD, or “Bring Your Own Device”, is a trend in which enterprises allow employees to use their personal devices (phone, laptop, desktop unit, and notepad) in a professional location and context. The default position in many companies has been for employees to buy their own equipment for personal and business purposes, with or without the support of the organization's IT function. The uses vary but generally involve accessing email, contacts, calendars, documents, web apps, various applications, collaboration tools, and other enterprise systems.
With the proliferation of personal devices, lower user fees and the democratization of the use of these devices, “BYOD” is now a major trend in the world of technology. According to a survey in 2013, almost 60% of workers were accessing data related to their jobs via their privately owned smartphones or tablets. In contrast, only 1/3 of the companies had implemented management tools and processes for the maintenance and use of these devices.
There are several advantages for companies in encouraging employees to use their personal devices to access organizational data and systems, including:
- Reduced operating costs (purchase of equipment, software and maintenance costs): Supporting a personal device costs much less than supporting a corporate terminal;
- Increased productivity: By having access at all times to data and systems, employees work 37 minutes more per week according to a Cisco study in 2011;
- Increased employee satisfaction:
  - Employees are happier and more satisfied. They use what they like, and what they have invested in with their hard-earned money;
  - Employees do not have to deal with the budgetary challenges of their employer, which is often a relief to them;
  - “BYOD” facilitates teleworking, promoting a better work/life balance;
- For start-ups, the advantage of reducing costs to a minimum is undeniable;
- This is an excellent initiative for the environment (e-waste reduction).
The “Bring your own device” trend, however, comes with its share of problems. Companies that have adopted “BYOD” must manage and support heterogeneous mobile devices (different brands and models) running different operating systems (iOS, Android, Windows, etc.). They face great challenges in terms of support, security, control, and mobile fleet management. Managing the boundary between employees' professional and personal lives is also part of the equation.
What should leaders of SMEs do to limit the risks of BYOD?
Here are nine best practices for sound management of personal devices in your company:
1. Implement a policy on remote access and the use of personal devices, and distribute it to employees.
This policy should include a list of supported devices, rules on securing devices (security code activated), the definition of an adequate and secure password (lowercase, uppercase, number, special characters, etc.), a statement of what can and cannot be downloaded via the company network, etc.
While your employees use their personal devices, it is important to remind them that this use is in the context of work and for the sustainability of the organization. Rules of conduct and use should be laid down. Ensure that employees have read the policy, adhere to it and respect it.
2. Build an optimized infrastructure for “BYOD” including mobile devices.
Creating a separate network for personal devices allows for better management of network traffic and increased control of data flowing to and from these devices. It also makes it possible to authenticate these devices separately, in accordance with the principles set out in the policy on the use of devices that connect to the network. This will eliminate unauthorized access.
3. Establish a process to manage the departure of an employee.
Whether owing to voluntary redundancy, dismissal or death, the departure of an employee must be managed properly. It is important to ensure that a departing employee does not take the organization’s secrets with them. Actions should be taken well in advance of the departure of the employee. This process will indicate how to proceed in such cases.
4. Establish access and identity management.
Access and identity management is used to initiate, capture, store and manage user identities and the access granted to them. Specialized tools are available to implement such a policy and to manage permissions in an automated way. Automated management ensures that access privileges are granted according to a single interpretation of the policy. In this way, access is properly authenticated, authorized and audited.
Access and identity management enhances security while reducing complexity and obviating many of the risks usually associated with heterogeneous environments. A logical approach for access to corporate data and systems should include an access control policy and the separation of roles in a structured way with SSO (single sign-on) in place.
The implementation of access and identity management significantly reduces the risk of a security incident even if your employees use their personal devices on a regular basis.
5. Protect sensitive information and/or personal property.
Information has an important value for organizations today. The data about your customers, your markets, your products and your suppliers is now computerized and can be the target of a competitor or a malicious hacker. The use of personal devices increases the risks associated with access to sensitive data. This is why it is important to ensure that the data the company holds is properly secured. We have all read about the theft of banking information, patents or manufacturing techniques.
Conversely, under the law on privacy, the organization must not have access to the personal information of employees. Adequate mechanisms must be put in place to prevent such access.
6. Monitor and record all activities.
For various reasons, it may be necessary to know what activities took place during a given period on your corporate network. For example, you may need to trace unauthorized access or may need to confront an employee on prohibited use. The establishment of monitoring and recording tools is necessary to maintain control of networks and organizational systems.
7. Separate the corporate data from personal data on devices.
In an ideal world, enterprise data is separate from personal data. One way to ensure this is to create a partitioned workspace on personal devices. This approach avoids mixing personal information or applications with corporate ones and helps reduce the risks that could lead to the compromise of sensitive data.
8. Implement remote wipe for devices.
You must be prepared to face any eventuality. Theft or loss of a device is common nowadays. If sensitive data can be found on the device, the company must be able to take appropriate action to prevent this information from ending up in the wrong hands. Implementing a tool to remotely wipe data on the device is a perfect example of this type of measure.
9. Encrypt data on the devices.
Adding encryption on devices is an effective way to protect data from loss or theft. Today there are tools for centralized management of encryption based on the concepts of users, groups, and sensitivity of data. By encrypting the business-related data on personal devices, organizations will be able to drastically reduce the risks associated with data security.