There’s a lot to be said about BYOD, and many authors have recommended that IT Managers and CIOs get on the BYOD bus or get left behind. That perspective holds, because, for one thing, the business isn’t going to give you much of a choice.
But when you’re in the position of gatekeeping information and information systems security for your company, you are probably well aware of the dangers unmanaged devices introduce to your network. From malware to viruses, data leakage to compromised accounts, to the need to support a million models of devices that are constantly changing, you probably see the hours you spend at work extending into infinity.
Take solace in the fact that you’re not alone. Companies that have already implemented BYOD have faced down these challenges, and companies that are in the process of implementing it are advised to take note of the experience and knowledge that’s already out there. There’s no need to reinvent the wheel; just start with what’s already been established.
Make sure your mobile device security policy is up to date. You already have non-networked devices touching your stuff: mobile phones, iPads, possibly even home computers if you run OWA or an SSL VPN. Your existing security policy should cover those items, outlining the responsibilities of the owner/end user and the responsibilities of the company. This evaluation will vary wildly depending on your company’s practices. Do you allow ActiveSync and OWA for all users, at all times? Do you reimburse for internet access, cellular service, or insurance deductibles for damage occurring on work time? Do you even require your employees to carry insurance on their personal mobile products?
Add to your policy to cover data. It’s no secret that end users often don’t understand the security limitations of public cloud storage, let alone Gmail or other cloud-based applications. Enhance your policy with an easy-to-follow, non-technical dos and don’ts section. Highlight the problems your business could face if a user posts sensitive company or customer data to a public cloud or app. Make sure users are aware of the risks they are taking if they think their mobile device is a safe place to troll the seedier side of the internet.
Think about the costs. Your team has to support the devices. There’s just no way around that. At least to the point of diagnosis, a BYOD device is no longer separated from the business as a ‘personal phone’ or tablet. Set appropriate expectations. If your existing volume is already putting a strain on your team, think about a mobile device management platform. If your biggest concern is security for lost/stolen devices, look at The Prey Project.
Consider your industry and corporate regulations. If you are supporting a company that is audited regularly, that has strict IT governance, or that is subject to strict requirements like HIPAA, you are going to need to talk with your counsel before making decisions about BYOD. The risks are potentially too high for it to make sense, no matter how happy it would make your staff.