BYOD Best Practices
When an organization plans to permit employees to use their own devices (mobile phones, laptops, smart watches and tablets), certain elements must remain in place to keep the company -- and any client data -- safe. Not only is this good business practice, but it is now also enforced by state laws, such as the SHIELD Act in New York and the Florida Information Protection Act of 2014 (FIPA), which mandate that businesses take measures to protect and safeguard personal information. A strong BYOD strategy includes a written policy that outlines the responsibilities of both employer and user, an MDM solution to manage and control all devices, and an agreement between employer and employee that acknowledges understanding of and compliance with the company’s mobile device policy. Here are some best practices to implement while you build your BYOD strategy.
Mobile Device Management (MDM)
Mobile Device Management (MDM) software allows an organization to keep company data -- email, contact lists, meeting schedules, attachments, etc. -- inside a managed “container” that is separate from personal data. The container is also monitored and controlled. If the device is lost or stolen, the container is remotely wiped, and company data remains protected. Some MDM solutions harness the dual-SIM capability of modern mobile phones, which lets one phone use two different phone numbers. It is important that the company own and control the phone number that clients and vendors transact business on. MDM software is an essential tool for any business considering a policy that allows employees to use their own devices. Some of the more popular MDM solutions are VMware Workspace ONE, Citrix XenMobile and Microsoft Intune. Laptops should employ solutions such as BitLocker to encrypt all data on them, and should permit a remote wipe if the laptop is lost or stolen.
Establish Formal Security Policies
Beyond safe passwords, a BYOD policy should:
Ensure the device meets minimum specifications for security
Address how responsibility for data charges is managed
Set the device to auto-lock after a defined number of minutes of inactivity
Set expectations for monitoring and deletion of data
Forbid the use of personal email address/account to conduct company business
Set the expectation that employees must surrender the device if the company requires it for legal reasons
Set rules for using the device and/or company name in social media posts and/or blogs
Clarify that the BYOD policy applies to smartphones, tablets, smart watches and laptops.
Establish an Acceptable Use Policy (AUP)
An Acceptable Use Policy is broader than a BYOD policy but remains an important part of the rules a company applies to restrict the ways in which its network, website or systems may be used; it sets guidelines for how they are intended to be used, including restrictions on certain behavior. For example, an AUP may:
Restrict the posting of inflammatory or offensive content from a company-controlled device
Restrict certain applications from running on devices that are connected to the company network
Restrict access to certain websites from a device when it is connected to the company’s network
Enable Two-Factor Authentication for Company Applications
Also called multi-factor or multi-step verification, Two-Factor Authentication is an authentication mechanism used to double-check that the user’s identity is legitimate. Passwords are highly coveted and continuously targeted. 2FA requires two verification factors to log in: a password and a second factor, usually an authenticator code or a confirmation on a mobile device. This ensures a bad actor cannot gain access with a password alone. Some Multi-Factor Authentication solutions, such as Duo, will also alert you when the mobile OS on your device is out of date.
Use a Paid VPN (Virtual Private Network)
VPNs provide better overall security, improved performance, remote access and anonymity. VPNs encrypt data between two points, providing increased security for mobile devices. Because a VPN is an actual network, employees can access it remotely. This makes it a great resource for companies allowing employees to work from outside the office. No matter where you are, your data and information stay protected if you’re using the VPN. VPN software is inexpensive, but do not use a “free” VPN. In 2020, seven free VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs. The seven VPN providers investigated by vpnMentor were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.
Prohibit Public Wi-Fi Use
The biggest threat to free Wi-Fi security is the ability of a hacker to position themselves between you and the connection point. Hackers also use unsecured Wi-Fi connections to distribute malware. If you share files across a network, a hacker can easily plant infected software on your device. The massive flaw discovered in WPA2, the encryption standard that secures all modern Wi-Fi networks, opened the possibility that anyone near a Wi-Fi connected device could easily access the information on that device when using Wi-Fi. Despite warnings, headlines, and efforts to educate, many people still don’t understand why connecting to free Wi-Fi is an incredibly dangerous proposition regardless of the activity. Most think, “It’s OK, I’m not checking my personal email or logging into my bank account, I’m just checking the sports scores.” Remember: anything done while connected to a public Wi-Fi network is NOT secure. Any information you share or access on these networks is as good as gone.
Train Employees on Mobile Device Security
No matter what your organization does, chances are your employees are not cyber security aware, which is an even bigger problem on mobile devices. Phishing scams affect every employee in every business in the world. Without proper knowledge and training, some employee at some point will eventually fall victim to a phishing attack. Proper training can help employees spot the telltale signs of a scam, such as a mismatch between the sender’s display name and the actual email address.
Unfortunately, it’s trivially easy to spoof any email address. Many other layers are needed for a robust cyber security program across an organization, and a well-planned BYOD policy is an important part of that.
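The display-name mismatch described above, turned into a header check that a mail gateway or a SOC triage script could run. This is an added example, not from the original article; the sample messages, the acme.example company domain and the function names are constructed. Because the From address itself is trivial to spoof, the check also reads the Authentication-Results header written by the receiving mail server (SPF/DKIM/DMARC verdicts), which the sender cannot forge.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample messages (not real mail): a lookalike-domain lure, and a
# genuine message from the trusted domain that passed the receiver's DMARC check.
LOOKALIKE = """From: "Acme Payroll" <payroll@acme-payments.example>
Reply-To: hr-desk@mail.example
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme-payments.example; dkim=none; dmarc=none

Please sign in at the link below within 24 hours to confirm your direct deposit.
"""
GENUINE = """From: "Acme Payroll" <payroll@acme.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example

Your pay stub is available in the HR portal.
"""
TRUSTED_DOMAINS = {"acme.example"}  # hypothetical company domain

def domain_of(address):
    # Lower-cased domain part of an address, or '' when there is none.
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def auth_results(msg):
    # Collect the spf/dkim/dmarc verdicts recorded by the receiving mail server.
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def phishing_indicators(raw_message, trusted_domains=TRUSTED_DOMAINS):
    # Returns a list of findings; an empty list means no indicator fired.
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    findings = []
    # 1. Display name invokes a trusted brand, or embeds an address, that the real sending domain does not match.
    brands = {t.split(".")[0] for t in trusted_domains}
    name_domain = domain_of(name)
    if (any(b in name.lower() for b in brands) and domain not in trusted_domains) or (name_domain and name_domain != domain):
        findings.append(f"display name {name!r} does not match sender domain {domain!r}")
    # 2. Replies are steered to a third domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}")
    # 3. The From header claims a trusted domain but DMARC did not pass: the address can be spoofed, the verdict cannot.
    verdict = auth_results(msg).get("dmarc", "absent")
    if domain in trusted_domains and verdict != "pass":
        findings.append(f"{domain} claimed but DMARC verdict is {verdict!r}")
    return findings
```

The lookalike message trips the display-name and Reply-To checks, the genuine one trips none, and the same From header with a failed DMARC verdict is flagged as a spoof even though the display name and address look consistent.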