BYOD: 10 Tips Enterprises Can Use to Protect Their Data
From the Start: Don't Fight It
BYOD is happening whether corporate IT wants it or not, so it's smarter to start embracing it. A recent Cisco Systems-sponsored survey of 600 IT and business leaders found that 95 percent of companies allow employee-owned devices on the corporate network in some manner, with 36 percent saying they provide full support of employee devices. It's always easier to implement controls on something if you are proactive and facilitating, rather than playing catch-up or fighting the change.
Conduct a Corporate Device Audit
A recent study on the global workforce by wireless network provider iPass reported that the average number of mobile devices carried by workers has increased to 3.5 devices, up from 2.7 last year. Conduct a device audit to obtain detailed laptop and mobile device information (operating system, serial number, model, version, and time stamp of last connection) for the devices your employees use right now, plus details on how often they use the device, where they access it, and so on. You might be surprised by the quantity and diversity of devices used by your workforce. Gathering details about device population makes it easier to formulate your overall BYOD approach and policies.
Conduct a Consumer Device Gap Analysis
After conducting a device audit, determine which devices and applications employees prefer to use. Then you can identify the gap that exists between current and preferred technology and plan an appropriate, phased strategy to bridge it.
Develop and Formalize a BYOD Program
Whether it is allowing workers to bring any type of device, requiring them to use specific programs or implementing employee agreements regarding memory wipes for lost items, formalize the program to prevent confusion. Every organization is unique, so there is no cookie-cutter approach; what is consistent is the need to meet your compliance and security requirements, regardless of which approach you implement.
Develop/Enhance Your Disaster Recovery Strategy
According to Symantec's 2011 Disaster Preparedness Survey, a typical enterprise experiences six computer outages within a 12-month span, with the leading causes being cyber-attacks, power outages or natural disasters. Data loss is considered the worst nightmare for businesses because it can be catastrophic (FEMA figures that 40 percent to 60 percent of small and midsize businesses never reopen after a data disaster), and BYOD naturally can make organizations more vulnerable to such a disaster. As part of a BYOD plan, you also must evolve the company's disaster recovery plan to encompass the special needs presented by BYOD.
Provide the Productivity Tools Your Employees Need
Employees use file-sharing services because they meet legitimate productivity needs. Simply banning them in your BYOD plan because of the possible security threat isn't productive or effective; employees may then opt to use rogue applications without notifying the IT department. So, be proactive: Find a solution that meets the underlying collaboration and productivity needs while also satisfying your security and compliance requirements.
Encourage Frequent Backups of Mobile Devices
Due to restrictions built into mobile operating systems, IT simply can't deploy a software agent for full backups of mobile devices as easily as it can with PCs or laptops. To guarantee mobile content is backed up, be sure employees regularly sync their mobile devices to a computer or to the cloud. One option: Schedule periodic backup reminders for employees to back up their mobile device with their desktop, laptop and/or remote servers. Another option: Create an incentive program to reward people who back up regularly.
Develop a Formal Process to Deal with Terminated Employees
Employees are a security risk even before they leave the enterprise. That risk is only magnified once the process of termination, whether voluntarily or involuntarily, begins, and their devices and applications consequently need to be rendered inaccessible. You can mitigate that risk with the appropriate policies and technology. A few suggestions include recording log-in access to all internal and external IT systems with the employee's log-in name; informing external (and internal) IT vendors of the employee's departure to avoid unauthorized usage; and checking the employee's computers, and all computers to which the employee had access, for keyloggers and malware. The keys to success are well-established processes, checklists and attention to detail.
Review Policy Compliance Regularly
Conduct a help-desk data analysis at a minimum of every six months. Have devices been jailbroken? Is content secure? Is content backed up regularly, and are backups completed either easily by users or invisibly to them? Have users violated policies? Review all device activity and adjust policies as necessary.
Review the BYOD Program Frequently
As the number of mobile devices, applications and even operating systems continues to increase, revisit your BYOD program at least once per month and perform a more intensive review annually. Are new devices being used? Do the devices use any different operating systems? Are employees accessing corporate data or programs in different ways?