The DynaSis Educational Series for C-Level Executives
BYOD: Bring Your Own Device to Work
While allowing (or requiring) employees to use their own smartphones, laptops and tablets has definite advantages for both employees and employers, there are also serious pitfalls that must be addressed.
More and more employees are bringing their own devices to the workplace. This benefits employees, who no longer have to carry two phones, two laptops and/or two tablets, and employers, who save the cost of equipping employees with a full set of mobile gear. In fact, it is currently estimated that 50% of companies insist (tacitly, perhaps, in that they don't provide the devices) that employees use their own devices, and up to 78% at least allow it. Employee use of personal devices has become reality, making proper planning and execution vital.

Advantages for the employee
You might think that requiring employees to use their own devices would cause resentment. Actually, it turns out that most are happy to use their own equipment. First, as we said above, they really don't want to carry around multiple devices. Second, they prefer the devices they have chosen for themselves. Their personal devices have the technologies they like and they are comfortable using them. Conversely, in some cases, being forced to use company-provided equipment comes with a steep learning curve. If you use a Samsung Android phone, you probably don't want an iPhone, no matter how good it is. If you grew up on a Mac, switching to a PC can be painful. Additionally, your employees are probably upgrading their devices faster than your company would, and the devices they buy are probably more cutting edge than those you would have provided, so you, as the employer, are getting the benefit of this newer, better equipment. And since your employees are using equipment they are comfortable with and enjoy using, they are likely to be more productive. After all, it can be very frustrating when a new employee who owns a top-quality laptop is forced to use a three-year-old hand-me-down machine because it still works (just barely) and looks like its last user was a feral cat that thought it was a scratching post.

Concerns of the employee, real or perceived
But while your employees get the benefit of not having to carry multiple devices, as well as being able to use devices of their own choosing, there are also potentially negative reactions that you may have to deal with. First, your employees may feel a loss of privacy. As the employer, you will want the right to review company data stored on the device, but unless you are equipped to partition company data from personal data, the privacy concern is real. (More on partitioning later.) Can internet access be monitored? Can the employer track each employee's movements through GPS? Software can monitor where they are and what they are doing with the device, and while this may be acceptable in some circumstances, in others it can be considered truly intrusive.

GPS tracking: intrusive or appropriate?

Protection of their personal data is another employee concern, because some BYOD policies give the employer the right to wipe devices completely to protect company data, with the personal data as collateral damage. There have also been many cases of a wipe being triggered inadvertently by too many failed passcode attempts (even by the owner) or by other over-reaching company policies.
This includes mandatory wiping when an employee resigns or is terminated. To avoid this, employees should be shown how cloud backups can protect their personal data, and that backup should be verified before the device is wiped. Additionally, it's one thing to ALLOW employees to use their own devices; it's another to REQUIRE it. Although many employees prefer it this way, for others it can lead to resentment. We are not saying you shouldn't require it, just be aware of this possibility and be ready to deal with it. Explain the benefits both employer and employee will receive, and the employee protections the company has put in place.

Advantages for the employer
You are saving the cost of the devices. This adds up quickly because it is not only the cost of buying and maintaining the equipment, it is also the monthly subscription fees. (Note that if someone's work requires a subscription he or she would NOT have purchased on their own, such as a data plan for a tablet, the company is responsible for reimbursement. And, yes, it is reasonable for an employer to ask an employee to use his or her phone for work and NOT pay the monthly fees, as long as there is no additional cost to the employee.)

The Challenges
The media tends to get tired of almost any type of news event, so although reports of breaches, losses, intrusions, etc., were common for a while, these situations have become so commonplace that the only ones that make the headlines these days are those that are truly major. For example, the WannaCry ransomware outbreak of May 2017 was just such an event, infecting more than 200,000 computers in roughly 150 countries. (WannaCry spread by exploiting unpatched Windows file-sharing services; an unmanaged personal laptop joining the office network is exactly the kind of gap a BYOD policy exists to close.) But it's not likely that an attack against your company would hit the airwaves (or internet), even if it locked down your entire network, destroyed all your data, and put you out of business. The point is, just because you don't hear about it, don't believe the danger isn't real. It is. And many such incidents begin with a failure of, or the absence of, a BYOD policy.

Locate, lock & wipe / Granular selective wiping
One of the most significant security threats is the lost or stolen device. As we have alluded to earlier, any decent BYOD policy must include Mobile Device Management (MDM) software that can locate, lock and wipe data from lost or stolen devices. Today's best MDM programs include "granular selective wipe", which allows the administrator to wipe only corporate information, including credentials and documents, leaving the owner's data and passwords intact. This matters because many employees, upon learning that their devices might be subject to a total wipe, strongly object to their phones and other devices being enrolled in the program. One caveat: a remote lock or wipe only takes effect once the device comes back online, so full-disk encryption and a strong passcode are what actually protect data on a device that is switched off or in airplane mode. Even with selective wiping, employees often show concern over loss of control. It is one thing to insist that an employee follow your "acceptable use" policy when using a company-owned device, but it's another when the device is owned by the employee. Nevertheless, this policy is important. Keep this in mind: industry surveys consistently attribute the large majority of successful attacks to a user action, such as opening a phishing email, so the rules must be followed no matter who owns the device.
Acceptable Use Policy
We will go into more specifics of acceptable use policies under Key Policy Features below, but here are some of the basics. Your MDM vendor and your IT service provider should have templates you can use to define a policy that best suits your company, but among the concerns that should be addressed are:
• The company's right to limit or deny access
• The requirement that all devices be registered with IT prior to permitting access
• The security measures that must be in place prior to gaining access
• The company's right to inspect devices manually or through technology
• The secure data management procedures that are required
• Passcode requirements
• Physical security to prevent devices from being lost or stolen
• Lost or stolen device protocols
• Restrictions on reconfiguring devices that are used under an Acceptable Use Policy
• Restrictions against modifying company-owned hardware or software
• Company auditing of devices
• Non-compliance policies

Companies need to be concerned about security, support, and even who pays for the devices.

We've put together this list of general considerations for creating a successful mobile device policy (specifics follow):

Start with a pilot program
Mobility is a core technology competency in today's modern business and must be looked at not just as a simple convenience, but as an important strategy for a company's growth. If your company is going to include BYOD as part of that strategy, then you should start with a pilot program that can be tweaked and improved upon, then rolled out to the entire company.

Involve all constituents
BYOD presents real challenges that can affect operations, legal, finance, HR, etc. Make sure that representatives of all these departments, along with technical staff, are "at the table".

Employee training
In today's treacherous cyber environment, we believe in serious, real-world employee training whether a company institutes a BYOD policy or not, but when it does, that training becomes even more important. If your employees don't know what is expected of them and the consequences of not abiding by the policy, you cannot expect success from the program.

Seeing into the future
Mobile devices and platforms have evolved quickly and steadily over the years and there is no reason to assume this trend won't continue. You need to be working with an MDM vendor or managed IT service provider that is equipped to handle these changes, because they are most certainly coming.

Look beyond device-level security
Multiple layers of defense are important. While you want to protect against threats to the device itself, chances are you aren't always going to be successful, so your network protection must assume that some enrolled devices will be compromised.

BYOD means more support
You may be thinking a reason for instituting a BYOD program is the savings it will bring by not having to buy mobile devices for your employees.
While that may certainly be true, do be aware that your people are going to need support, and providing that support will likely offset a certain amount of those savings.

And there may be additional costs
We do believe that the net bottom line of a good BYOD program will result in significant savings for the company, but be aware that the program may trigger a need for new infrastructure technologies and/or licensing costs.

Be aware of industry-specific security requirements
Think PCI DSS, HIPAA or GLBA. There may be others, depending on your industry.

Provide easy access for those on the program
If the goal of your BYOD program is to save money, but your team has trouble accessing the files and applications they need, is the program really cost-effective and successful? Or is it doomed from the start?
Key Policy Features
Finally, let's take a look at the pieces that go into a good BYOD policy, considering both employee and employer, as well as the cyber-security and technology challenges that must be addressed. Understand that we are not suggesting that every company adopt exactly the same policy. Your company is unique, as is every other company, so set the policies that work for you.

• It must be understood that any employee who uses their own device is subject to the company's Acceptable Use Policy terms. (For clarity: an Acceptable Use Policy covers ALL devices, whether company owned or employee owned. The BYOD policy specifically addresses employee-owned devices.)
• Your Mobile Device Management platform, whether handled by an in-house IT team or a managed service provider, should be able to create a virtual partition on each employee's device (for example, an Android Enterprise work profile, or managed apps and accounts on iOS) that the employer controls, while the employer has no access to the personal data outside it. This separates personal information from company information, which accomplishes several things: 1) company data can be removed without affecting personal data; 2) the company can apply whatever security controls it deems appropriate to the partition; 3) it gives the employee confidence that his or her personal information remains private.
• There are a great many devices out there today and you may want to set parameters about which will be allowed and supported.
• Set parameters as to what company data will be accessible, and by whom.
• Who will be allowed to use their own devices? Everyone? Or will you set this up based on classes of employees, work requirements, or something else?
• Consider NOT allowing hourly non-exempt employees to use their phones during off-hours to respond to business-related texts or emails. While this may seem limiting from a business perspective, allowing it may obligate you to pay overtime, so discuss it with your HR department. Some MDM and email platforms can restrict access to work email to defined hours, if you so desire.
• A registry should be set up to keep track of the personally owned devices authorized for business use.
• It is important that the employee be informed of the employer's right to access, monitor and/or delete company information from personal devices, and the circumstances (e.g. termination, data breach) under which this might be necessary.
• Employees should be informed if they will be subject to GPS tracking, and why and when it will be used.
• Let your employees know how personal information will be protected and whether any personal information will be saved to company servers during company backups.
• Let your employees know about your policies that involve wiping of devices and whether personal information will be affected. Tell them how you distinguish between personal and corporate information (remember the virtual partition mentioned earlier). Advise them how they can save and protect their personal information.
• Advise them when and under what circumstances they may be required to surrender their devices for inspection and removal of records. Inspection may include e-discovery prior to and during civil and criminal trials and during government investigations. Again, this is all made easier with the right MDM software and IT team.
• Require strong passcodes. Note that current guidance (NIST SP 800-63B) no longer recommends forcing periodic changes; instead require adequate length, reject known-compromised values, require a change whenever compromise is suspected, and protect company applications with multi-factor authentication.
• Require automatic locking after a defined period of inactivity.
• Require antivirus and other protective software where the platform supports it. On iOS there is no traditional antivirus, so the equivalent controls are a current OS version, apps installed only from the official store, and blocking jailbroken or rooted devices.
• Require regular backups. Backing up personal data is the employee's responsibility; company data in the work partition should be backed up to company systems, and the MDM should be configured to keep it out of the employee's personal cloud backup.
• Establish a policy for immediately reporting lost or stolen devices.
• Establish a protocol for approval of work-related software as well as other downloadable files.
• Encourage cooperation between your various in-office constituencies, including IT, risk management, legal, HR and operations.

Inter-departmental cooperation works wonders
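To show how the policy items above turn into something an MDM can actually enforce, here is an added example (not DynaSis code, and not any MDM vendor's API) that evaluates a constructed device registry against a hypothetical rule set. The design point it illustrates is the one the page keeps returning to: a lost or stolen device gets locked and a selective wipe of the work partition, while every other failure (unregistered, jailbroken, no passcode, auto-lock too long, no work profile) only denies access and never touches personal data. The devices, field names and thresholds are all assumptions made for the illustration.

```python
"""Compliance evaluation for a BYOD device registry (illustrative only).

Each policy item becomes one machine-checkable rule. The registry entries are
constructed sample data, not real devices, and the rule set is a hypothetical
model of how MDM compliance policies are structured, not a vendor API.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str            # "ios" or "android"
    registered: bool         # listed in the BYOD registry (authorised for work)
    work_profile: bool       # corporate container / work profile present
    passcode_set: bool
    auto_lock_seconds: int   # 0 means the screen never locks automatically
    os_supported: bool       # running a vendor-supported OS version
    jailbroken: bool         # jailbroken / rooted
    reported_lost: bool = False


@dataclass
class Policy:
    max_auto_lock_seconds: int = 300           # assumed threshold
    allowed_platforms: tuple = ("ios", "android")


@dataclass
class Verdict:
    device_id: str
    findings: List[str] = field(default_factory=list)
    action: str = "allow"    # allow | deny_access | lock_and_selective_wipe


def evaluate(device: Device, policy: Policy) -> Verdict:
    """Apply the BYOD rules to one device and decide what the MDM should do."""
    v = Verdict(device.device_id)

    # Lost/stolen handling comes first and is the only path that wipes anything:
    # lock the device and remove the corporate container (accounts, apps, data),
    # leaving the owner's personal data untouched.
    if device.reported_lost:
        v.findings.append("reported lost or stolen")
        v.action = "lock_and_selective_wipe"
        return v

    # Every other rule is a compliance check; collect all failures, not just the first.
    checks = [
        (not device.registered, "not registered with IT"),
        (device.platform not in policy.allowed_platforms,
         f"platform '{device.platform}' not supported"),
        (device.jailbroken, "device is jailbroken/rooted"),
        (not device.os_supported, "OS version no longer receives security updates"),
        (not device.passcode_set, "no passcode set"),
        (device.auto_lock_seconds == 0
         or device.auto_lock_seconds > policy.max_auto_lock_seconds,
         f"auto-lock must be <= {policy.max_auto_lock_seconds}s"),
        (not device.work_profile,
         "corporate data must live in a work profile so it can be wiped selectively"),
    ]
    v.findings = [msg for failed, msg in checks if failed]
    if v.findings:
        v.action = "deny_access"   # non-compliant: block access, never wipe personal data
    return v


def audit(registry: List[Device], policy: Policy) -> Dict[str, Verdict]:
    """Evaluate every device in the registry and return verdicts keyed by device id."""
    return {d.device_id: evaluate(d, policy) for d in registry}


# Constructed sample registry (not real devices).
SAMPLE_REGISTRY = [
    Device("dev-001", "alice", "ios", True, True, True, 120, True, False),
    Device("dev-002", "bob", "android", True, True, True, 0, True, False),
    Device("dev-003", "carol", "android", False, False, True, 60, True, True),
    Device("dev-004", "dave", "ios", True, True, True, 300, True, False,
           reported_lost=True),
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_REGISTRY, Policy()).values():
        print(verdict.device_id, verdict.action, verdict.findings)
```

Running it lists one verdict per device: the compliant phone is allowed, the phone that never auto-locks and the unregistered rooted phone are denied access with every failed rule listed, and only the device reported lost is queued for lock and selective wipe.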
Yes, it's a long list. Most likely, not everything applies to your company, and for many companies it may even be tempting to just ignore the whole thing under the mindset, "We haven't had any problems until now, so…" Be smart. Do what you must to keep it that way.

DynaSis has been serving the small to mid-sized business community of Metro Atlanta since 1992. During that time, we have worked with great clients in a wide number of fields including construction, property management, healthcare, legal, manufacturing, distribution and many others. Our team of more than 55 I.T. professionals provides 24 x 7 x 365 helpdesk support, network security, mobile device management (MDM), DynaSis Business Cloud and on-premises backup, business continuity, and disaster recovery. To learn more, please call us today at 678-373-0716 or visit www.DynaSis.com.