Limit Approved Applications And Uses
Reminiscent of "acceptable use" policies of yore, BYOD policies should include explicit guidance on acceptable behavior and uses. Application whitelists and blacklists should be leveraged to back up these explicit instructions with technical enforcement. Fortunately, many cloud applications have evolved to include enterprise versions that afford better control over devices and data. For example, most major cloud-based file-sharing services now provide enterprise versions that allow better direct management and segregation of corporate data, as well as supporting reasonably secure collaboration.
From a legal perspective, be sure to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would normally be used when considering outsourcing partnerships. Providers can help businesses make quicker, better-informed decisions by clearly stating standard practices up front, rather than playing games with obscure legal language and obtuse SLA descriptions.
Implement Next-Generation ET&A
The technical landscape is changing very rapidly. It is unreasonable to think that simple annual security awareness training is remotely useful for addressing concerns like those inherent in BYOD policy implementation. The good news is that you can help your customers develop modern education, training and awareness (ET&A) programs to provide users a more meaningful perspective on the rules, and effectively remind them of their obligations and the cost of noncompliance.
Modern ET&A programs should:
1) Clearly state the expected level of performance.
2) Clearly state the rationale for the requirement.
3) Clearly state the cost of noncompliance.
These programs should then integrate assertive, proactive components that include simulated attacks against users (e.g., phishing awareness training) and random review of devices to evaluate compliance with policies. These programs must walk a fine line between being respectful and being inappropriately intimidating. The desired outcome is to explain to users what is required of them, why those requirements have been levied (e.g., include a clearly expressed business risk analysis) and what sort of consequences can result from noncompliance, both for the business as well as for themselves. It is typically undesirable to instill a culture of fear among the user population, but it is wholly appropriate to make people aware of the risks and consequences. Human risk factors represent one of the most challenging areas for risk management programs to control. An effective risk management program must find ways to address human risk factors as well as technical concerns.
Hold Users Accountable
It is imperative to establish a culture of accountability as part of an effective risk management program. BYOD policies provide a front-line opportunity to implement and enforce accountability requirements. Policy violations must be documented, and remediation must occur -- even if that means having to terminate personnel. All the technical controls in the world do no good if a user can walk into an environment, copy sensitive data to their device, walk out and cause a data breach. Include representatives from HR and Legal to ensure that BYOD policies have teeth. Otherwise, your customer's environment will be at the whim of their weakest -- or most malicious -- links.
The question of whether personally owned devices will be inside corporate environments has quickly become irrelevant; they already are. As such, the next best step is to work assertively to manage the technical and human risks endemic to these new threat vectors. A combination of stringent policies, assertive technical controls and proactive management of human risk will help control liability while allowing organizations to optimize integration of BYOD policies as part of standard business practice.