Allan Thorvaldesen is CEO and co-founder of Panorama9. He is a serial entrepreneur with more than 20 years' experience in IT and device management. Here, he outlines ways in which to formulate an easy-to-follow Bring Your Own Device policy (BYOD policy).—Jennifer D. Bosavage, editor
When companies let employees use their own devices for work, they benefit from a more engaged workforce. The flexibility makes the organization a more attractive place to work, particularly among Gen Y and Gen X workers. Perhaps most importantly, when employees can check in from their own devices, they will be more productive and connected to their work outside of traditional office hours.
However, the advantages of BYOD policies are often tempered with security concerns and the added pressure on IT to manage and secure a mishmash of devices. Whether you or your customers have a formal BYOD policy or not, chances are employees are trying to use their own Macs, iPads, Android phones, or other personal computing devices on corporate networks.
Here are five easy ways to help maintain the security of networks and data in the new reality of the BYOD world:
1. Ensure that employees don't leave a computer open without a password-protected screensaver.
Data collected by the Panorama9 system shows that on average 23 percent of company computers are left on during the night, and 58 percent of those computers don’t have a password-protected screensaver. That means that anyone – from a co-worker to cleaning staff – is able to walk right up to one of those computers and instantly have the exact same access rights as the real owner.
Regardless of how sophisticated your firewall system, network encryption and server security are, if access to an end user device is not physically secure, then your data isn’t secure. Period. Fortunately, the solution is simple and readily available. Any device used to access company data should use a password-protected screensaver, a feature that’s available in any operating system. In addition, an IT management system can easily notify IT when an idle computer is left unlocked on the network.
2. Encrypt all employee file storage.
Along with bringing their personal iPad or computer to work, employees tend to store or share work documents on their own storage accounts such as Dropbox or Box. While that might make it easy for employees to access files from home or share a presentation with a co-worker who isn’t connected to the corporate server, it also opens the door to numerous security risks.
The BYOD policy should make sure any cloud-based file storage is encrypted. For example, Box encrypts data with 256-bit SSL when transferred to and from the Box cloud, and uses 256-bit AES for data at rest. If you find that employees are using their own personal storage accounts, you may want to provide company accounts. That way, when an employee leaves, the data stays with the company.
3. Ensure all employees have up-to-date software and operating systems.
With weekly vulnerability and update announcements, patch management is a never-ending task – one that’s made even harder when IT needs to manage critical devices across a mix of devices, applications, and operating systems.
With the rise of botnets, worms, and malicious websites, patch management has become just as important as having an antivirus solution. For example, the recent Flashback malware outbreak infected more than 600,000 Macs and resulted in two security fixes for Apple’s OS X 10.5 Leopard.
With BYOD policies, you’ve got to make sure that all devices are updated with the latest patches and have the very latest version of any third-party applications such as Mozilla Firefox, Adobe Flash, or Sun Java Runtime. Best practices involve automating the update process, rather than relying on employees to perform each install.
4. Whitelist acceptable software programs that are safe for employee use.
While employees are often the best judges of what tools make their workdays more productive, they don’t always have data security and compliance in mind. Therefore, the BYOD policy must whitelist acceptable software programs that are safe for employees to use and block any software that could create security issues. That can be accomplished either by publishing an official corporate policy with a list of allowable and prohibited applications, or by automatically blocking access to unauthorized applications on the corporate network and devices.
5. Protect against packet sniffing in unsecured WiFi areas.
Enterprise mobility has been a game-changer when it comes to productivity. While mobile employees can now stay connected to the office while on the road, unsecured WiFi hotspots in coffee shops, hotels and airports leave data vulnerable. To combat the risk, load software that protects against packet sniffing onto any portable device that will access company data and applications.
Balance technology with clear company policy
IT management tools can take the headache and hassle out of important administrative tasks such as patching, inventory, availability and security, particularly when dealing with a mix of devices and operating systems. However, technology alone isn’t a complete solution. You’ll also need to create a clear company policy on how data can be shared and used and make sure that employees understand the numerous security risks and ways that breaches can happen.