Implementing a BYOD Strategy: 10 Mistakes to Avoid

by Chris Preimesberger

While Apple’s App Store and Google Play provide easy distribution for public apps, you need a private enterprise app store for delivering all of the enterprise content securely—whether it is internally developed custom apps, purchased apps from ISVs, or mobile apps for access to cloud-based services such as Salesforce.com or Box. The enterprise app store presents a private mobile apps catalog that employees can use to download and refresh enterprise mobile apps. Publishing apps to your enterprise app store would allow you to containerize corporate data without disclosure to a third party such as Apple or Google, and without cumbersome approval processes.

To gain control over public apps used by employees, organizations sometimes publish a “whitelist” catalog of approved market apps and preclude all other public apps. However, this approach won’t work for BYOD, since these are personal devices. You need a more flexible, less-restrictive policy that views a whitelist only as the catalog of recommended apps and won’t automatically block all other public apps.

Organizations should blacklist and block malicious or rogue apps and malware and take immediate action to close security holes. In a BYOD environment, you’ll find many apps that may add risks or decrease employee productivity. Such apps may include cloud storage apps that may cause data leakage; social media or games that waste time or bandwidth; and apps that display offensive content in violation of corporate policy. It’s a mistake to use a heavy-handed one-size-fits-all policy and apply the same action to all these different categories of apps. Define actions for specific blacklisted app categories or apps and take a flexible approach that fits with the corporate culture for compliance management in a BYOD environment.

Since BYOD devices are used for both personal and business purposes, some companies are reluctant to use any kind of location tracking on such devices, in deference to employee privacy. However, organizations have every right to restrict the use of such devices within time and location boundaries. Location tracking can be enabled automatically at work locations or upon access to corporate networks. And “geo-fencing” restrictions on apps may be appropriate. For example, blocking apps such as Facebook at the work location but not elsewhere helps increase productivity while providing flexibility and promoting employee satisfaction.

Employees may use BYOD devices to run mobile apps to access enterprise data over the network, posing risks of data loss, data corruption or unintended disclosure of sensitive information. Lack of additional mobile access precautions for security and access control policies and mechanisms in such an environment can increase risks of data breach or loss. The starting point of securing enterprise resources rests in user authentication, authorization and access control. In some cases, app security warrants encryption of all data traffic and even wrapping apps with an additional authentication layer. Do you have such precautions in place?

If you’re going to allow BYOD devices to access corporate data, you’re going to have to put some standards in place. You don’t have to go back to the old BlackBerry-only days, but surely you cannot allow jail-broken iPhones and rooted Android devices to access enterprise data resources and expose the organization to malware and virus attacks. Standard configuration settings need to be enforced. To simplify this, you may need to restrict the types of devices supported by the BYOD program, so that you don’t end up spinning your wheels trying to support an arcane semi-smart phone. You’ll want to make sure that mandatory apps are installed and will persist even when removed by a rogue user or by a user mistake.

Enterprises put policies in place for a reason: to ensure security, protect resources, reduce risks and control expenses. Are your policies sufficient to do this? Can you detect and stop misuse, respond to violations and compliance issues, and quickly remediate? Without continuous monitoring, following up on exceptions and alerts, and automated or manual remediation actions, policy compliance can’t be achieved. Are dashboards being monitored? Are reports being generated and reviewed by appropriate personnel? Are alerts being heeded? Do you have exception handling, remediation, escalation and audit processes in place?

Basic authentication and password controls are in place, but is that enough? Are you managing passwords and enforcing policy? Have you defined user profiles with access rights and restrictions? Do you have processes in place for catching exceptions, alert mechanisms and remediation? Do you track where devices are, where they’ve been and where they are going at any point in time? Do you have the capability to lock and wipe content, apps and passwords on lost or stolen devices?

When a corporate-liable device is lost or stolen, you can remotely locate and wipe the device. But to do so to a BYOD device without employee permission would be a mistake. So how do you protect corporate apps and data on such devices? By selectively wiping the device, erasing only the enterprise apps and data–the corporate contacts in Outlook and the Exchange email, for example–and leaving the personal information intact. This also comes in handy when an employee leaves the company and you need to remove apps and data from her BYOD device.

Are you tracking how much talk, text, data and roaming usage is occurring for both corporate-liable and BYOD devices? Usage monitoring, threshold-based alerts and analytics can help uncover misuse and security exposures and prevent cost overruns due to excessive data bandwidth usage, unexpected international roaming charges and so on. After policy threshold levels are set up, you can alert users upon exceptions. You can set up policies to enable users to remediate and change plans automatically when warranted to save money on data plan and roaming overages. Through usage monitoring, you can also ensure that you are not paying BYOD stipends on “zombie” phones that show zero usage.