Information technology, like nature, abhors a vacuum. Witness what’s filling the void created by swirling Bring Your Own Device (BYOD) security issues.
As employees use their personal devices to share information through public clouds or social media, often courtesy of a public Starbucks Wi-Fi connection, IT vendors are busy promoting tools and technologies to manage the risk.
True, mobile device management (MDM), virtual private networks (VPNs), and virtual desktops are proving themselves to be critical pieces of the enterprise mobile security environment. But as anyone who’s faced change management challenges knows, all the leading-edge technology in the world doesn’t guarantee success. You’ve got to consider the human part of the equation, too.
For BYOD, policy matters.
As noted in “Enterprise Mobile Security: Rock Solid or at Risk,” it’s important to develop a sound policy that addresses device standards, IT management and support, acceptable use guidance, financial responsibilities, operational security, and legal implications. Within this framework, the policy needs to address not only technology, but also organizational accountability, awareness, and communications with employees and other system users.
The article lays out some key components of a solid BYOD policy:
- Device use – Define what devices will be allowed. Typically these are Apple’s iOS, Google’s Android, and BlackBerry and Microsoft devices.
- Authentication – Add layers of security beyond user names and passwords. Devices should have digital certificates installed and support end-to-end encryption through a VPN. Your organization should be able to track the user’s identity, device, and location – and keep a record of access.
- Remote wipe – Use remote wipe software in case the device is lost or stolen – or the employee leaves the company.
- User data – Spell out who owns and controls what data, including files and images.
- Apps – Provide employees with a list of apps that are allowed – as well as those that may not be used. Restrict only those apps that pose a clear security risk.
- Approval procedure – Remember that the mobile environment is not static. Offer a procedure for approving new devices and apps.