Bring-Your-Own-Device (BYOD) Best Practices That Fit Your Small Business
Small businesses have a choice to make. Option 1: Provide employees with a company device and ensure complete control of the data, with the ability to wipe it if the device is ever lost or stolen. A company device also means control of the phone number, ensuring clients don’t contact a competitor if the employee leaves for another company. The downside, of course, is cost and the management responsibility for the contracts and device upgrades. Option 2: Allow employees to use their personal devices to conduct company business. This is a less expensive option, but it still requires management and control over any company and client data that may exist on the phone. Here is how to do it right.

When an organization allows employees to use their own devices (mobile phones, laptops, smart watches and tablets), certain elements must remain in place to keep the company -- and any client data -- safe. Not only is this good business practice, it is now enforced by state laws, such as the SHIELD Act in New York and the Florida Information Protection Act of 2014 (FIPA), which mandate that businesses take measures to protect and safeguard personal information.

A strong BYOD strategy includes a written policy that outlines the responsibilities of both employer and employee, an MDM solution to manage and control all devices, and an agreement between employer and employee that acknowledges understanding of and compliance with the company’s mobile device policy. The best practices that contribute to an effective BYOD strategy are as follows:

Use A Mobile Device Management (MDM) Solution
Mobile Device Management (MDM) software allows an organization to keep company data -- email, contact lists, meeting schedules, attachments, etc. -- inside a managed “container” that is separate from personal data. The container is also monitored and controlled. If the device is lost or stolen, the “container” is remotely wiped, and company data stays protected.
Some MDM solutions harness the capabilities of modern mobile phones that allow dual SIM cards, which means one phone with two different phone numbers, one personal and one for the company. It is important that the company own and control the phone number that clients and vendors use for business. MDM software is an essential tool for any business that is considering a policy that allows employees to use their own devices. Some of the more popular MDM solutions are VMware Workspace ONE, Citrix XenMobile and Microsoft’s Intune. Laptops should employ solutions such as BitLocker to encrypt all data on them and allow a remote wipe if the laptop is lost or stolen.
Establish Formal Security Policies
Beyond safe passwords, a BYOD policy should:
Ensure the device meets minimum specifications for security
Address how responsibility for data charges is managed
Require the device to auto-lock after a set number of minutes of inactivity
Set expectations for monitoring and deletion of data
Forbid the use of personal email address/account to conduct company business
Set the expectation that employees must surrender the device if the company needs it for legal reasons
Set rules for using the device and/or company name in social media posts and/or blogs
Clarify that the BYOD policy applies to smartphones, tablets, smart watches and laptops.
Establish an Acceptable Use Policy (AUP)
An Acceptable Use Policy is broader than a BYOD policy, but it is an important part of the rules a company applies. It restricts the ways in which the network, website or systems may be used and sets guidelines for their intended use, including restrictions on certain behavior. For example, an Acceptable Use Policy restricts posting inflammatory or offensive content using a company-controlled device, restricts certain applications from running on devices that are connected to the company network, and restricts certain websites from a device when it is connected to the company’s network. All of this ensures dangerous websites are not introduced to the company network by an employee who decides to surf inappropriate content.
Enable Two-Factor Authentication for Company Applications
Also called multi-factor or multi-step verification, Two-Factor Authentication (2FA) is an authentication mechanism used to double-check that the user’s identity is legitimate. Passwords are highly coveted and continuously targeted. 2FA requires two verification factors to log in: a password and a second factor, usually an authenticator code or an approval prompt on a mobile device. This ensures a bad actor cannot gain access with a password alone. Some multi-factor authentication solutions, such as Duo, will also alert you when the mobile OS on your device is out of date.
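To show concretely why a password alone is not enough, here is an added example (not from the original post or from any MDM or MFA vendor) of a login check that requires both a password and an RFC 6238 time-based one-time code of the kind an authenticator app produces. The salt, password hash and shared TOTP seed are constructed demo values; a real system would load them from its identity store.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials for the example only.
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # 20-byte seed shared with the authenticator app (RFC 6238 test seed)
TOTP_STEP = 30  # seconds each code is valid (RFC 6238 default)


def totp_code(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def check_password(candidate: str) -> bool:
    """Constant-time comparison of the PBKDF2 hash of the supplied password."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(derived, PASSWORD_HASH)


def check_totp(candidate: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate phone clock drift."""
    for offset in range(-skew_steps, skew_steps + 1):
        expected = totp_code(TOTP_SECRET, unix_time + offset * TOTP_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def login(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors are always evaluated; a correct password with a bad code is rejected."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = check_password(password)
    code_ok = check_totp(code, now)
    return password_ok and code_ok
```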
Use A Paid VPN (Virtual Private Network)
VPNs offer better overall security, improved performance, remote access and anonymity. VPNs encrypt data between two points, supplying increased security for mobile devices. Because a VPN is an actual network, employees can access it remotely, which makes it a great resource for companies allowing employees to work from outside the office. No matter where you are, your data and information stay protected if you’re using the VPN. VPN software is inexpensive, but do not use a “free” VPN. In 2020 seven free VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users and included email addresses, clear-text passwords, IP addresses, home addresses, phone models, device IDs and Internet activity logs. The seven VPN providers investigated by vpnMentor were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.
Prohibit Public Wi-Fi Use
The biggest threat to free Wi-Fi security is the ability for a hacker to position himself between you and the connection point. Hackers also use an unsecured Wi-Fi connection to distribute malware. If you share files across a network, a hacker can easily plant infected software on your device. The massive flaw discovered in WPA2, the encryption standard that secures all modern Wi-Fi networks, opened the possibility that anyone near a Wi-Fi connected device could easily access the information on that device when it is using Wi-Fi. Despite warnings, headlines and efforts to educate, many people still don’t understand why connecting to free Wi-Fi is an incredibly dangerous proposition regardless of the activity. Most think, “It’s OK, I’m not checking my personal email or logging into my bank account, I’m just checking the sports scores.” Remember, anything done while connected to a public Wi-Fi network is NOT secure. Any information you share or access on these networks is as good as gone.
Train Employees on Mobile Device Security
No matter what your organization does, chances are your employees are not cyber security aware, which is an even bigger problem on mobile devices. Phishing scams affect every employee in every business in the world. Without proper knowledge and training, some employee at some point will eventually fall victim to a phishing attack. Proper training can help employees spot the telltale signs of a fraud, such as a mismatch between the account name and the email address.
Unfortunately, it’s trivially easy to spoof any email address. There are many other layers needed for a robust cyber security program across an organization and a well-planned BYOD policy is an important part of that.
Roark Tech Services is an expert in setting up BYOD policies and cybersecurity best practices. We are well positioned to make the best suggestions and recommendations for our clients when it comes to making the right decision for any small business. Always consult with us first. If you don’t have an IT Partner that you can trust to give you the right support and advice, we’d love to help. Contact us.