Bring-Your-Own-Device policies are revolutionizing how employees work, but they bring their own challenges. Allowing your employees to use their own devices means they have additional security burdens that must be met to maintain company security.
Ultimately, a successful BYOD deployment requires training.
1 - Create a written policy.
It begins with a clear, coherent, and achievable written policy governing its proper usage, security features, and rules of operation.
These will vary greatly from business to business, because BYOD use will be different everywhere. We suggest polling your employees about how they think they'd use personal devices, and craft your policies around their planned usage.
However, you need a bedrock policy to begin with, one all your employees can read and sign off on themselves indicating understanding and compliance.
2 - Training sessions review NPI policies.
Few, businesses today can avoid dealing with Non-Public Information. Virtually any customer information is protected by regulations, with strict laws governing matters such as data retention.
Whether it's the first time, or a refresher course, put your employees through NPI training when implementing BYOD. That will strengthen the learning experience, as well as putting it within a framework: These are the laws that everyone must follow.
3 - Choosing Strong Passwords
Ultimately, your security systems are only as strong as the worst password into them. All it takes is one person using their wife's name, or (worse) "123456," and your systems are vulnerable. At the other extreme, if your passwords are required to be monstrosities like "XK$4CD9!%TJ" then it's guaranteeing they'll be written on post-it notes.
There are several different strategies for strong and memorable passwords, but we suggest using passphrases instead. If everyone picks a short phrase from a favorite book or movie or poem, it's going to be hard to crack, hard to guess, and yet easily memorable for the employee.
For example: "TomorrowIsAnotherDay" or "GoodFencesMakeGoodNeighbors." Add an exclamation point or question mark at the end for a stronger password.
Just make it a little obscure. If someone were a known Star Wars fan, virtually any line besides "UseTheForceLuke" would work. But not that one.
4 - Physical Device Security
The biggest challenges BYOD security brings to your employees relate to the devices themselves, which become a weak point for attack. Among the most important policies to enforce:
Every device utilizes a password, passcode, or biometric security. No exceptions.
"Jailbroken" devices should not be allowed on the network, since their security has been compromised.
Public cloud servers like Dropbox should never be used for business data. (Google is a possible exception here, with their business focus.)
Never, ever keep a list of passwords on a personal device.
Never, ever store customer data on a non-corporate issued device.
If a device is lost or stolen, it should be immediately reported to the network administrator.
Also, maintain a blacklist of blocked sites, especially for porn and pirated media. This can vastly reduce security problems, as well as preventing employees from using company bandwidth to pad out their video collection.
5 - Beware Social Engineering
Finally, while it's too complex a topic to go in-depth here, a smart company will incorporate social engineering training into implementation.
Simply put, social engineering is "hacking" people, using confidence tricks and mind games to gain access to secure areas. They can undermine even the best computerized security policies.
There are plenty of security experts who give lectures on social engineering and how to avoid it; consider bringing one in for a company-wide training day.
Smart Employees Make Smart BYOD Policies
When going to BYOD, you can't assume your employees will automatically know how to use it responsibly and ethically. A strong security training program will ensure they maintain systems security, even while working from their iPad or Galaxy.
For more security tips, follow this blog, or call us with your questions!