Security: Your data may be secure, but what about your information? Let’s talk about BYOD.
Controlling access to your company’s data should be part of every IT security and compliance plan, and BYOD policies and employee monitoring can be key elements of that control. But it’s time to think beyond your data and start considering the security of your overall information as well. This blog is the first in a series that identifies gaps in your information security and gives you tips on how to fix them. We’re starting with a big and very common threat: bring your own device (BYOD).
In an era of cyber attacks and increasingly strict regulations on data handling and corporate transparency, companies need to take data storage and information security seriously. The attack surface grows every day: every connected device that is not properly configured and managed is another door into your network. If your business holds sensitive data whose loss would carry a high financial impact, that data needs to be protected.
Unfortunately, employees are frequently the biggest information security risk a company faces, even when they use a work-issued device. With the post-pandemic shift back into the office or onto hybrid schedules, mobility and monitoring solutions have moved to the top of many businesses’ priority lists. That raises several questions: Is a BYOD policy right for us? Should a small business monitor employee personal devices? How can we keep our data safe while respecting the privacy of employees? What is the proper protocol?
Is monitoring my employees even legal?
Short answer: yes, within limits. Employee monitoring is legal in the U.S., and employers have broad rights to monitor activity on workplace devices. Those rights extend to personal devices to a lesser extent, which is where “bring your own device” (BYOD) policies come into play. When a personal device is used for work-related purposes, the work-related use of that device can be subject to monitoring, within reasonable limits and with clear notice to the employee (some states require that notice in writing). The details vary by state and by country, and privacy regimes such as the GDPR are considerably stricter than U.S. law, so a company needs to settle on the policy that best fits its security needs and the scope of data it must protect. Employee monitoring is not something to approach lightly.
Is BYOD right for my business?
“Bring your own device” (BYOD) policies remain both a major opportunity and a major challenge for businesses, but with a structured approach to identifying risks it is possible to capture the benefits while keeping the added risk manageable.
There are several reasons a small company might consider a BYOD policy. Smartphones and tablets have taken over the consumer market to the point that nearly every employee comes to work with an internet-connected device of their own. If employees are allowed to use those devices for work, companies can see reduced equipment costs and reduced office square footage. But companies should weigh those benefits against the risks: employee-owned devices are typically unmanaged and unevenly patched, and a compromised one can give an attacker a foothold that leads to a damaging breach. BYOD also places additional responsibility on the IT department to keep the network secure, because the company must exert some form of control over smartphones, tablets, and laptops that it does not own.
The BYOD conversation often boils down to two options: either embrace BYOD and add security measures and employee monitoring to mitigate the risks, or prohibit personal devices and find a way to enforce that ban. For most companies, it makes sense to embrace the BYOD trend and capitalize on the benefits.
It’s important to note that, within the scope of information security, a BYOD policy and/or prohibiting personal devices from accessing sensitive data is just one part of a well-rounded security plan. Right now, much of the IT industry sells point products. An IT company can sell and install a firewall to protect your company, but on its own that is a Band-Aid and doesn’t address the full picture. If you don’t have an overall plan covering every aspect of security, attackers will simply find another way to reach sensitive information and make a mess of your business.
So, what should I do?
When it comes to employees using personal devices for work-related purposes, start with education. Every employee who has access to your network – from the janitor to the CEO – needs training on cybersecurity. To be effective, topics should include at least:
How malware spreads from one device across the network
Common red flags of a malware infection
In addition, your employees need to know what to do if they suspect their device has been infected: disconnect it from the network and notify the IT department rather than trying to clean it up themselves. But the training should not stop there – regular refreshers, video training, comprehensive testing, and periodic drills all help keep employees alert to security risks.
Businesses should also consider a Mobile Device Management (MDM) solution to protect their network and data. An MDM agent installed on an employee’s device lets IT enforce security settings (device encryption, a passcode or biometric lock, a minimum OS version), monitor the device’s compliance with those settings, and keep non-compliant devices away from company resources. It will not stop every attack, but it takes the worst-configured devices off your network. MDM platforms can manage devices across multiple carriers and operating systems, which matters when implementing a BYOD policy, since you cannot dictate which phones your employees buy.
MDM software allows IT staff to push updates and configuration to mobile devices automatically, provide remote screen sharing and maintenance for support, require multi-factor authentication for access to company resources, and much more. It also gives companies a targeted way to handle employee exits, when company data must be retrieved from or wiped off a personal device. Legacy MDM systems could only wipe the entire device, personal photos and all; current systems separate work data from personal data (a managed work profile or container) and can perform a selective wipe that removes only company apps, accounts, and data while leaving the employee’s own data intact. Your BYOD policy should tell employees which kind of wipe can happen, and when.
A solid MDM strategy mitigates, though it does not eliminate, several of the security issues that come with employees using personal devices for work-related purposes.
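To make the two MDM capabilities above concrete, the following Python script models what an MDM-backed BYOD control actually does: it checks each device against a compliance baseline (enrolled, not jailbroken or rooted, encrypted, passcode set, OS version at or above a minimum), turns the result into an access decision, and, on an employee exit, performs a selective wipe that removes only company-managed apps while a full wipe is reserved for company-owned hardware. This is an added example written for this post, not code from the original article or from any MDM vendor. The device records, baseline values, and field names are constructed assumptions, not a real product’s export format.

```python
"""Posture-based access and selective wipe for a BYOD fleet.

Added example, not code from the original post or from any MDM product.
The inventory records and baseline values below are constructed; the field
names are assumptions, not a real vendor's export schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Company baseline (assumed values): oldest OS release still allowed per platform.
MIN_OS = {"ios": (16, 0), "android": (13, 0)}


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str
    os_version: str
    enrolled: bool            # MDM agent / work profile present
    encrypted: bool           # storage encryption on
    passcode_set: bool        # screen lock configured
    compromised: bool         # jailbroken or rooted
    managed_apps: list[str] = field(default_factory=list)   # company-managed
    personal_apps: list[str] = field(default_factory=list)  # employee's own


def parse_version(v: str) -> tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def posture_failures(d: Device) -> list[str]:
    """Return every baseline check the device fails (empty list = compliant)."""
    failures = []
    if not d.enrolled:
        failures.append("not enrolled")
    if d.compromised:
        failures.append("jailbroken/rooted")
    if not d.encrypted:
        failures.append("storage not encrypted")
    if not d.passcode_set:
        failures.append("no passcode")
    minimum = MIN_OS.get(d.platform)
    if minimum is None:
        failures.append(f"unsupported platform {d.platform}")
    elif parse_version(d.os_version) < minimum:
        failures.append(f"os {d.os_version} below minimum")
    return failures


def access_decision(d: Device) -> str:
    """Map posture to an access decision the identity provider would enforce."""
    failures = posture_failures(d)
    if not failures:
        return "allow"
    # Unmanaged or rooted devices cannot be trusted to self-remediate: block.
    if "not enrolled" in failures or "jailbroken/rooted" in failures:
        return "block"
    # Everything else gets a remediation prompt, with access held until fixed.
    return "quarantine"


def selective_wipe(d: Device) -> dict[str, list[str]]:
    """Enterprise wipe: remove company apps/data and unenroll, keep personal data."""
    removed = list(d.managed_apps)
    d.managed_apps = []
    d.enrolled = False
    return {"removed": removed, "personal_kept": list(d.personal_apps)}


def full_wipe(d: Device) -> dict[str, list[str]]:
    """Legacy factory reset: everything goes, the employee's own data included."""
    removed = d.managed_apps + d.personal_apps
    d.managed_apps, d.personal_apps = [], []
    d.enrolled = False
    return {"removed": removed, "personal_kept": []}


def offboard(fleet: list[Device], user: str, corporate_owned: bool = False) -> dict:
    """Exit handling: personal devices get a selective wipe, company devices a full one."""
    wipe = full_wipe if corporate_owned else selective_wipe
    return {d.device_id: wipe(d) for d in fleet if d.owner == user}


# Constructed sample inventory, shaped like an MDM console export.
FLEET = [
    Device("d1", "alice", "ios", "17.2", True, True, True, False,
           ["Outlook", "Teams"], ["Photos", "Banking"]),
    Device("d2", "bob", "android", "12.0", True, True, True, False,
           ["Gmail (work profile)"], ["WhatsApp"]),
    Device("d3", "carol", "android", "14.0", True, True, True, True,
           ["Slack"], ["Games"]),
    Device("d4", "dave", "ios", "17.0", False, True, False, False,
           [], ["Mail"]),
]

if __name__ == "__main__":
    for d in FLEET:
        print(f"{d.device_id} {d.owner:6} {access_decision(d):10} {posture_failures(d)}")
    print("offboarding alice:", offboard(FLEET, "alice"))
    print("alice's device afterwards:", access_decision(FLEET[0]))
```

Two points the script makes that the prose only asserts: an out-of-date but otherwise healthy device is quarantined rather than blocked, so the employee gets a chance to update, while a rooted or unenrolled device is blocked outright because nothing on it can be trusted; and after the selective wipe the employee’s personal apps are untouched, yet the device is unenrolled and therefore blocked from company resources on its next access attempt.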
It’s not easy knowing what the right answer is, but having the right resources will help you make an informed decision on the policy your company should adopt. At the end of the day, employees need to practice safe Internet habits no matter what device they’re using, and the key to that is a healthy dose of prevention and education.
For many companies, an outright ban on personal devices is very difficult to enforce, so they turn to BYOD with an MDM solution instead. Care and due diligence must go into a BYOD policy that clearly outlines acceptable use, employee exits, risks, liabilities, and disclaimers, and that states what the MDM software can and cannot do (and see) on a personal device. Companies should evaluate MDM platforms against those specific policies and security needs. And business owners should know the privacy laws that apply to them and be careful to respect the data privacy of their employees.
At the end of the day, BYOD and MDM are only as useful as their implementation; they succeed only when they are executed fully and properly. BYOD policies and monitoring employee devices are just two small aspects of overall information security. This blog only scratches the surface, and many buyers are duped by vendors and manufacturers who sell “easy” and “cheap” security solutions. Every connected device is another way for attackers to steal information, and if your most sensitive data is compromised, you could lose your business. Information security should not be taken lightly, so be sure to get an IT partner that takes the time to get to know your environment and does a full connected-device discovery before trying to sell you any hardware or software.