Why Data Backup is Essential
Data is the lifeblood of any small or medium-sized business (SMB). Especially as we continue to rely more and more on digital systems,...
As a provider of IT and security solutions, we are always surprised when an older topic like BYOD receives new attention. As of late, we have had several questions about whether to allow personal laptops and devices access to the network. We firmly believe businesses have a choice in whether or not these devices be given access to the network. But, unlike most articles around BYOD, we are taking the approach that not all devices are the same. We suggest you categorize laptops and personal devices such as smartphones and tablets into two separate categories. In this blog, we hope to leave you with a guide that provides practical and relevant advice on how you can implement a BYOD policy that addresses both categories, and aligns with the way your team accesses the network.
BYOD, or Bring Your Own Device was a term first coined back in 2009 when CIOs were starting to feel pressure as personal devices flooded the workplace. At that time Blackberry revolutionized the way we checked email, the iPad was hot on the market and Android was picking upstream. The surge of new devices led to employees bringing more smartphones and tablets to work, which IT was continuing to allow without much support.
“Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and use those devices to access privileged company information and applications.-- Wikipedia
Fast forward ten years. Every employee comes to the office with a smartphone or some type of personal device. Many employees expect to be able to connect their device (laptop, smartphone, tablet) to either the company WIFI and/or network. The line of business managers further propagates this on-demand expectation by using their own devices to download apps and SaaS products, often bypassing IT altogether.
Here in lies the problem. How does a small business implement and enforce a BYOD policy that addresses the use of personal devices on the network while protecting customer data?
In the interest of avoiding the initial investment required to purchase laptops for every employee, companies are encouraging their team to work from their personal devices, especially in the case of sub-contracted, part-time or seasonal workers. Employees need access to the internal network (data, applications, printers, etc.) to work. The question every employer eventually has to ask themselves is whether the cost savings of allowing employees to bring their own devices outweighs the risk of allowing non-company devices to be introduced to the network and ultimately to your customer data.
BYO-Device should not be a catch-all policy. Not all devices represent the same security risk.
Smart devices and tablets are consumption tools, and employees tend to use them for a variety of reasons. Smartphones, if requiring access to company WIFI, can be logged into the Guest WIFI avoiding direct access to your network. Additionally, the smartphone does not come with a Windows operating system, and therefore does not typically circulate viruses and other security threats to the network…yet!
By contrast, a laptop is a working tool. It must access the network and internal resources to enable the employee to do their job. Once access is granted to a personal laptop, it then becomes a platform that introduces risk to your network, and where there is risk, you are forced to defend against it.
Employees will ask, “What could go wrong? I am only using my laptop to check my email and access Dropbox files.” And if you were Neo from the Matrix and you could see what was really happening inside the machine, it would look something like this:
Checking email and downloading Dropbox files from that personal laptop just opened a host of new risks that could have been avoided.
Smartphones and tablets are not completely off the hook when it comes to data breaches. They allow employees to use network passwords to download information on apps like Dropbox and Box. If the employee uses a smart device to connect to their email and the email is deleted, the company contacts still remain on the smart device. Which raises a couple of red flags: In the event that the device is lost or stolen...
IT has a solution, but it is often not a popular one. Remote wipes allow IT to remove all information and data remotely. This means it removes all data, including the employee’s pictures, contacts, and all personal information. Remote wipes may be necessary, but painful for the employee who lost months, maybe years of personal photos.
“Geez, you might be thinking. What a grim picture you have painted.”
True. But the good news is that there are preventative steps a business can take to avoid having to remote wipe.
1. Create an Acceptable Use Policy.
An Acceptable Use Policy is a set of guidelines outlining an acceptable and non-acceptable use of personal devices on the network.
We recommend that all employees and subcontractors be required to sign this agreement prior to employment. Having an employee sign before coming on-board pays big dividends for smooth employee exit policies down the road. Chances are you won’t have a problem, but in the case that parting is hostel, you are protected.
2. Have Each Employee Sign a Personal Liability Document
When it becomes necessary or beneficial for the employee to use their own device, the Personal Liability document establishes network use “standards” that assign responsibility and transfer liability to the employee when accessing the network. For example, this document could require employees to do any of the following:
Establishing a standard set of policies for accessing and using the network will keep your network running at peak performance and gives everyone on the team a clear understanding of their own responsibility as it relates to maintaining a secure and high performing environment.
3. Communicate the Benefits to Your Team
Last, but not least, communicate the benefits of your BYOD policy to your employees. Adoption of these policies will be better received if the policies are communicated clearly. Getting employees to sign Agreement Use Policies and Personal Liability documents ensure everyone is onboard and provides a layer of protection to the business.
The demands on quicker internet, instant access to applications and tools, and remote access to the network will only continue to grow. Simple BYOD is being replaced by a broader set of mobile capabilities that enable the workforce of the future. According to Lifehacker and business tech author, David Laird, “BYOD is morphing into BYOx – a new trend that takes the focus away from the specific device employees are using. It’s not just a question of phones and tablets anymore. Content, wearables, and apps are all part of the BYOx spectrum. Moving forward, this will be the area that demands the most attention from a security perspective.”
Employees are bringing their own devices to work. Personal devices can compromise customer data. Valuable business information is being downloaded, dragged and dropped onto personal smartphones, tablets, and laptops. IT guidelines are difficult to enforce after the fact, and putting a policy in place upfront is your best defense against lost and stolen data due to personal device access on your network.
At MicroTech Systems, we- like you- leverage technology every day and rely on it to do our job. Our friendly support team is eager to assist and speaks in a language everyone understands. If you need help ensuring your data is secure with a BYOD policy in place, do not hesitate to pick-up the phone and connect. We are here to help. [Let’s Connect]