Adopting The Right BYOO Policy For The New Normal
Recent years have seen a sharp rise in the number of personal devices that employees use for official work. There are several reasons why Bring Your Own Device (BYOD) has become a widely accepted practice at organizations of varied size and type. These include reduced infrastructure cost, increased productivity, better time management and, of course, more flexibility for employees to work from their preferred locations on their preferred personal devices.
In fact, the acceptance of personal employee devices by organizations, combined with the work-from-home culture, has led us right into the era of Bring Your Own Office (BYOO). Simply put, BYOO means employees take their offices with them wherever they go, because essentially all their work can be done as long as they have their personal device and a fast internet connection. However, for an organization to reap the long-term benefits of BYOO without compromising on security, some best practices and guidelines need to be put in place.
To help your organization effectively manage employee personal devices, we have put together a list of BYOO best practices. You can create your own BYOO policy by reviewing each area of focus and the related questions and then adding the best practices that are most relevant to your organization.
Area of Focus: Security and Application Use
What are the minimum required security controls for devices?
- Enforce industry-standard security controls as a minimum: whole-device encryption, a screen-lock PIN or passcode, lock or wipe after repeated failed login attempts, remote wipe, etc.
- Encrypt sensitive data on computer drives with BitLocker Drive Encryption on Windows or FileVault on macOS.
- Protect sensitive data in transit by sending it over a secured channel, such as the company VPN or a TLS-protected service, and additionally encrypt especially sensitive files themselves with a strong password before they leave company systems.
- Require strong passwords.
- Establish minimum supported hardware and operating system versions.
- Require anti-virus software that is kept up to date.
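The controls above are only useful if something checks each device against them before it is allowed onto company resources. The following is an added example, not code from the original article or from any MDM product, of a small "policy as code" evaluator that takes posture records (the kind of fields an MDM or endpoint agent reports) and returns the controls a device fails. The field names, the baseline versions in MIN_OS and the sample devices are assumptions constructed for illustration; substitute whatever your agent actually reports. It also shows why OS versions must be compared numerically rather than as strings.

```python
"""Evaluate device posture records against a minimum-controls baseline.

Added example (not from the original article): the posture fields, the
baseline values and the sample devices below are assumptions standing in
for whatever an MDM or endpoint agent actually reports.
"""
from __future__ import annotations

# Minimum supported OS version per platform (assumed values for illustration).
MIN_OS = {
    "windows": (10, 0, 19045),
    "macos": (13, 0),
    "ios": (16, 0),
    "android": (13,),
}
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10  # device must lock/wipe at or below this many failures


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045).

    A plain string comparison would wrongly rank '10.9' above '10.15'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(actual: str, minimum: tuple[int, ...]) -> bool:
    """True if the reported version meets the minimum, padding short tuples with zeros."""
    a = parse_version(actual)
    n = max(len(a), len(minimum))
    return a + (0,) * (n - len(a)) >= minimum + (0,) * (n - len(minimum))


def evaluate(posture: dict) -> list[str]:
    """Return the list of failed controls; an empty list means compliant."""
    failures: list[str] = []
    platform = posture.get("platform", "").lower()
    if platform not in MIN_OS:
        return ["unsupported platform: %r" % platform]
    if not version_at_least(posture.get("os_version", "0"), MIN_OS[platform]):
        failures.append("os_version below minimum")
    if not posture.get("disk_encrypted", False):
        failures.append("whole-device encryption off")
    if posture.get("pin_length", 0) < MIN_PIN_LENGTH:
        failures.append("screen-lock PIN shorter than %d" % MIN_PIN_LENGTH)
    wipe_after = posture.get("wipe_after_failed_attempts")
    if wipe_after is None or wipe_after > MAX_FAILED_ATTEMPTS:
        failures.append("no lock/wipe after failed login attempts")
    if not posture.get("remote_wipe_enrolled", False):
        failures.append("not enrolled for remote wipe")
    # Anti-virus is required on the desktop platforms only in this baseline.
    if platform in ("windows", "macos") and not posture.get("antivirus_active", False):
        failures.append("anti-virus not active")
    return failures


# Constructed sample posture records (not real devices).
SAMPLE_DEVICES = {
    "laptop-ok": {
        "platform": "windows", "os_version": "10.0.19045", "disk_encrypted": True,
        "pin_length": 8, "wipe_after_failed_attempts": 10,
        "remote_wipe_enrolled": True, "antivirus_active": True,
    },
    "mac-old": {
        "platform": "macos", "os_version": "12.6.1", "disk_encrypted": True,
        "pin_length": 6, "wipe_after_failed_attempts": 10,
        "remote_wipe_enrolled": True, "antivirus_active": True,
    },
    "phone-weak": {
        "platform": "ios", "os_version": "17.1", "disk_encrypted": True,
        "pin_length": 4, "wipe_after_failed_attempts": None,
        "remote_wipe_enrolled": False,
    },
}


def compliance_report(devices: dict = SAMPLE_DEVICES) -> dict[str, list[str]]:
    """Map each device name to its list of failed controls."""
    return {name: evaluate(posture) for name, posture in devices.items()}


if __name__ == "__main__":
    for name, failures in compliance_report().items():
        status = "COMPLIANT" if not failures else "NON-COMPLIANT: " + "; ".join(failures)
        print(f"{name}: {status}")
```

In practice the failure list feeds a conditional-access decision (block, or quarantine to a remediation network) and a user-facing message that names the exact control to fix, which is what turns a written minimum-controls policy into something enforced.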
What additional services are available for connecting securely to the internet while remote?
- Provide a VPN solution for connecting to office resources.
- Provide a VPN service for using the internet safely while on unsecured public Wi-Fi.
What are company rights for altering the device, such as remote wiping for lost or stolen devices?
- Use a mobile device management (MDM) solution – MDM provides a middle ground between total control for employers and total freedom for employees: it can deploy, secure and integrate devices into the network and then monitor and manage them centrally.
- Consider using containerization – Containerization separates personal apps and data from business apps and data on mobile phones, and is often offered in conjunction with MDM solutions.
When it comes to keeping devices in compliance with network security policies, what is the employee’s responsibility and what is the IT department’s responsibility?
- Define who applies updates: create a patching education process that encourages users to keep their devices updated, and have IT verify patch levels through the MDM compliance checks.
What is the procedure for reporting lost or stolen devices? What will the company do to a lost or stolen device?
- Explain that the company may remotely lock or wipe a lost or stolen device, and how employees' personal data can be protected (for example by keeping it outside the managed container).
What applications and assets are employees permitted to access from their personal devices?
- Whitelist approved applications – Blacklisting blocks specific applications that have been judged to pose a risk to enterprise security; whitelisting is the opposite: only the listed, approved applications may be used, and everything else is denied by default.
What should be restricted regarding apps installed on an employee’s device?
- Deny access to certain apps or content – For example, Apple iOS devices can be configured to disallow app installation through the App Store, and Android devices can be configured to block the installation of apps from outside the Google Play Store or of apps with inappropriate content ratings.
Area of Focus: Support
What support is available from IT for employees?
- Implement a wiki/knowledge base employee self-service support solution.
- Revamp existing support processes to include secure provisioning and deprovisioning (wipe) of devices.
- Establish a policy on how employees get support for resolving conflicts between personal applications and company applications.
- Establish a reimbursement policy for out-of-warranty repair costs.
- Introduce services that enable data sharing between BYOD devices, such as SharePoint, Box or Dropbox for Business.
Area of Focus: Human Resources
Who gets to bring their own device?
- Determine if it is open to all employees or a select few based on their job responsibilities.
Who pays for the equipment?
- Consider a monthly stipend.
- Consider sharing the cost of replacement equipment when it is needed.
What is acceptable use?
- Establish policies about what types of websites are off limits during business hours, for example video streaming services, porn sites and other non-business-related websites.
- Establish guidelines so that virtual backgrounds used in video conferencing are appropriate for the audience.
- State that the company has a zero-tolerance policy for texting or emailing while driving, and that only hands-free talking while driving is permitted.
- Evaluate device usage scenarios and investigate leading practices to mitigate each risk scenario.
What internet bandwidth is required for an employee's home office?
- Consider redundancy for important roles, for example, a secondary internet provider.
- Consider providing employees with compensation or a stipend to cover the cost.
- Determine the minimum bandwidth required to ensure acceptable performance.
What information gathered from devices will be disclosed to employees?
- IT may implement systems that monitor the GPS location of employee devices or the internet traffic on individual devices; the policy should state plainly what is monitored, and how that data is used and retained.
What are the consequences for not complying with the policy?
- Establish an enforcement penalty, for example: failure to comply with these policies may result in disciplinary action up to and including termination.
BYOO policy implementation is an ongoing process. Once BYOO policies have been implemented, they need to be reviewed regularly to ensure that employees are handling data properly and following security procedures. It might seem like a huge undertaking at first, but once BYOO best practices are in place, they will boost employee productivity and improve the overall functioning of your organization.