Cut BYOD Risk

    If you’ve grown tired of reading and hearing about BYOD this year, take a deep breath. 2013 is not going to slow the frenzied pace of bring-your-own-fill-in-the-blank. In fact, this last month of the year will be brutal all by itself, as employees and their families snap up all the hot, new tablets on offer. You can bet they won’t be able to wait for the official holidays to start playing, and working, with them.

    Seems like a good time to recap BYOD policy, procedure and risk management, with advice from IT Business Edge and other valuable sources.

    Embrace IT’s new role: When ITBE’s Carl Weinschenk spoke with Mimecast’s Orlando Scott-Cowley about the BYOD trend, Scott-Cowley shared that a survey conducted by his firm among IT professionals found shifting attitudes. “One interesting figure is when we asked what they felt their role is, 71 percent said they are data custodians. When we defined that, they agreed that it is someone responsible for creating context for the data. IT departments now are less protective about systems and more about the data on their system. They are learning how to follow the volume of data and giving secure access to data.”

    Find out what your users like and be a copycat: Among other good tips in this slideshow from WatchDox is this: “IT can’t simply outlaw consumer-grade services like Dropbox; instead, you must give your employees tools that mimic the interfaces with which they are familiar and give you the visibility to maintain security.”

    Get comfortable with audits: eWEEK’s Chris Preimesberger advises that corporate device audits aren’t just about who has what. You’ll be asking for “detailed laptop and mobile device information (operating system, serial number, model, version, and time stamp of last connection) for the devices your employees use right now, plus details on how often they use the device, where they access it, and so on. You might be surprised by the quantity and diversity of devices used by your workforce. Gathering details about device population makes it easier to formulate your overall BYOD approach and policies.”

    Assume users aren’t paying attention: This advice goes not only for what users are doing on their devices, but what they are absorbing from IT’s education efforts. Countless surveys this year have demonstrated that users could not care less about safer practices with their devices, and IT hasn’t figured out how to make them care. Be a trailblazer: Make them care.

    Get your partners on board: TeleSign’s Anthony Kennada says CIOs can extricate themselves from at least part of the BYOD Catch-22 by focusing on consistency in security measures. “Just as you implement policies to secure information under your direct control, you will need to ensure that any vendor handling your data adheres to eDiscovery requirements and can demonstrate compliance within regulations. Can they extend your current policies to productivity apps on mobile devices? You still need efficient access to your information for legal holds and searches, and the ability to manage audit logs in the proper format for the information they store for you.”

    Ask for help: Fixmo CMO Tyler Lessard says some companies, especially in highly regulated industries, are approaching third-party providers of mobile risk management, which is “the future of securing the mobile, BYOD work force. It focuses on protecting and controlling the corporate data, in addition to the device itself, and monitoring the configuration and integrity of devices to help IT departments assess their risk profile and make informed decisions on how they will respond to potential threats or breaches.”

    Don’t forget to cover outsiders and their devices: Depending on your business, you may provide varying levels of network access to consultants, clients or other visitors. You may provide free Wi-Fi to customers. Don’t stop doing these things, but do get a handle on who gets what, and why, and double-check that your network is locked down from unwanted access or snooping.

    And don’t forget that the bad guys are out to get you: Somebody in your company is going to have their smartphone stolen, and it’ll be soon, if trends continue. Don’t let the thief get away with any corporate or personal data.

    Create the BYOD policy that fits your needs: Unfortunately, creating the BYOD policy is not a set-it-and-forget-it proposition, but fortunately, the payoff will be extremely visible and reflect positively on IT’s leadership in this productivity-enhancing area. You don’t have to let the inmates run the BYOD asylum, as others have, and you don’t have to go it alone. Visit the IT Downloads library to download these and many more policies addressing BYOD risk issues, all modifiable for your company.

    BYOC Strategy Position Template: Is your business ready for a BYOC program? Use this strategy template to gauge organizational readiness.

    BYOC Acceptable Use Policy Template: This template is designed to maximize the privacy and confidentiality of business data, while allowing employees to use their own devices. Add this policy to your HR department’s library of acceptable use policies.

    Mobile Device Acceptable Use Policy Template: Define standards, procedures and restrictions for end users who have legitimate business requirements to access corporate data from a mobile device connected to an unmanaged network outside of the company’s direct control.

    IT Policy Enforcement Process Tool: A policy is fundamentally useless unless it is enforced. Effective enforcement requires development of specific documents that describe and govern the process.

    Personal Mobile Device Remote Wipe Waiver: With consumer technology invading the enterprise and bring-your-own-computer and -technology programs on the rise, you should mitigate inherent risks by requiring that employees consent to remote wiping of mobile devices should the need arise.
