Bring your own device (BYOD) is the use of an employee’s personal mobile device, e.g., smartphone, tablet and/or laptop, to access a company’s data or network. Once a trend, BYOD has gained wide acceptance across businesses succeeding in today’s markets. Findings from Tech Pro Research in early 2015 indicated “74 percent of organizations [are] either already using or planning to allow employees to bring their own devices to work.” What is the main motivator for this movement? A study conducted by IBM found the main advantages of the BYOD environment were a rise in employee productivity and satisfaction as well as overall financial savings for the business. The benefits of BYOD are great, but what does it mean for the overworked IT environment already combating constant attacks on their network?
Ultimately, allowing employees to use personal devices to access company proprietary information opens the business to potential cybersecurity risks. A non-company-owned device that is lost or stolen, lacks necessary anti-virus software, or accesses data that is not encrypted leaves an organization’s data vulnerable and can lead to a data breach resulting in significant financial loss. As 2016 gets underway, the discussion on the protection of organization-controlled data becomes even more relevant. With the growth of BYOD in 2015, it is not a question of how an organization can avoid the adoption of this movement, but rather how a business can mitigate the risks associated with it. To address some of these concerns, CyberSheath has outlined 3 common industry best practices to begin the process of ensuring your data is secure within a BYOD environment.
3 Tips to Secure Data in a BYOD Environment
1: BYOD Policy
For starters, employees must have permission to use their personally owned devices for business purposes. A good place to begin is with a strong BYOD policy. The policy must clearly define the organization’s expectations of its employees when using their personal devices to conduct company business. Requirements for employees, such as requiring anti-virus software on non-company devices, enforcing two-step authentication or putting company proprietary information into secure content lockers, are guiding principles that offer increased security to an organization. Industry educational institutions, such as the SANS Institute, encourage policy development and describe policies as the “practical steps necessary for defending systems and networks.” Policies enable organizations to hold employees accountable for their actions.
2: Encryption
While policies provide guidance and permission to employees, policies in and of themselves do not secure the data. Encryption is one of many ways to secure data on a personally owned device. In 2015 the Office of Personnel Management (OPM) learned the importance of encryption the hard way, when it was discovered in hearings held by the House Committee on Oversight and Government Reform that “the data stolen in the massive OPM breach was not protected by practices like data masking, redaction, and encryption.” Encryption is an accepted best practice to meet compliance regulations that require the protection of data, and as expressed in hindsight by Rep. Elijah Cummings, D-Md. at the OPM hearing, “should become the norm.”
3: Training
The third most important tip for the BYOD environment is training. While having a good policy in combination with strong encryption can protect the data, training brings it all together for the employees. Training employees on policies, and on how and when to use encryption and secure content lockers, goes a long way in the fight against data breaches. Training enforces acceptance of the BYOD policy, and employees can no longer use the reason “I didn’t know how to secure my [data/mobile device/email/document].” While the above suggestions can be implemented relatively easily, properly training employees on the policy and the technology that supports it is far more cost-effective than dealing with a data breach due to an uninformed employee.
How CyberSheath Can Help Your Organization Mitigate the Risk of the BYOD Environment
To start, as part of our Staffing and Residency service offering, CyberSheath can provide the experts necessary, whether you are transitioning to or reevaluating your current BYOD environment, to create the policies and procedures critical to securing your digital assets.