How To Offset Your Customers' BYOD Risks

By Chris Caldwell, LockPath, For CRN
December 11, 2012    10:42 AM ET

Whether bring-your-own-device (BYOD) policies save companies money or cost them more is still being debated, but one thing is certain: These policies increase complexity while decreasing direct control over data.

Few employees are walking into a Sensitive Compartmented Information Facility (SCIF) each morning, where their devices are confiscated for the day. Pandora's box has been opened; mobile devices are freely roaming your customers' halls. Our objective is to help you instill the hope that an effective containment and management strategy can be implemented. Following are five recommendations for solution providers who need to help organizations quickly assert control in a BYOD world to more effectively manage technical and human risk factors.

Firm Up BYOD Policies

Review your clients' BYOD policies and ensure they include provisions for remote wipe and remote application management capabilities, the right to confiscate and search devices, and the right to dictate which applications are allowed and prohibited. These policies should be cleared through the legal team to make sure that language is adequate, and that it will work in all applicable jurisdictions. For example, IBM earlier this year banned access to Apple's Siri application, as well as access to Dropbox, for company-managed devices. It is important that BYOD policies allow such rules to be implemented and enforced.

In addition to helping customers write strong policies, it is also important to ensure there is a mechanism for resolving disputes, such as those related to privacy concerns. Users will be understandably concerned if their private devices are seized. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., nonwork text messages, email and instant message logs) will go a long way toward easing those concerns.

Similarly, it is important to make clear to users any legal obligations businesses have when reviewing these devices, such as in the case of uncovering potentially illegal materials. Don't forget to include provisions for unmanaged devices too. Just because a user does not wish to participate in the officially sanctioned BYOD program does not mean that their device is innocuous. On the contrary, unmanaged devices are a blind spot that may pose even greater risk to businesses than do the people who willingly agree to follow the rules.

Apply Technical Controls

It is important to build on strong policies by implementing technical controls, such as mobile device management (MDM) and mobile application management (MAM) solutions. Where possible, enforcing device encryption and passwords will help reduce associated technical risks. Improving access management requirements, such as by mandating two-step or two-factor authentication, can further help reduce the risk of a lost device immediately leading to a data breach.
