Scan your desk, drawers, and work bag quickly. Did you see a cell phone? A smartphone? A tablet? A non-company owned laptop? Most likely, your answer is “yes.”
If that’s the case, then your employees also likely have one. Every day these devices engage with your networks and present security threats. Although many small and mid-sized businesses allow personal devices, not all understand how to best protect their data environments from the cybersecurity threats they present. Creating an effective Bring-Your-Own-Device (BYOD) policy and monitoring employee security protects your enterprise and your customers.
Interchangeably referred to as Bring-Your-Own-Device (BYOD), Bring-Your-Own-Phone (BYOP), Bring-Your-Own-Personal-Computer (BYOPC), and Bring-Your-Own-Technology (BYOT) policies, these documents establish security rules for employee-owned devices.
Most employees are going to bring their smartphones to work. They’ll want to connect them to the WiFi network just as they would connect any other device. What they (and possibly you as the business owner) don’t always think about is the security risk that poses. Protecting your data environment while also making sure that employees retain their privacy rights walks a difficult legal tightrope. Creating the appropriate policy for your business requires you to balance information security risks with employment law issues.
Personal devices provide employers with a constantly connected workforce. While the ability to work remotely provides employees with flexibility, it can also risk your data and your status as a compliant company.
Employees may not realize they’re storing your information on their devices. Old devices containing stored information can get lost or resold and put your data at risk. Accidentally downloaded malware can also lead to information leakage, and stolen devices may lead to stolen passwords.
Employees who leave the company, whether voluntarily or not, often retain company information on their devices. Former employees present both a technical and a personal risk. On the one hand, the information may be negligently compromised. On the other, terminated employees can become a malicious data risk if they’re angry with the company.
Constantly connected employees make businesses more profitable in theory. However, remote access also creates an issue regarding hours worked. You need to ensure that your company is meeting fair labor requirements by tracking employee time for those protected by these laws, whether they are in the office, pulling in long hours from home, or traveling.
Many states have privacy laws protecting employee social media use, even when it takes place on a company-owned device. You can’t request or require access to their social media accounts, and you may not be allowed to access employees’ protected health information that could also be stored on their device.
You may prefer not to give out your network password to employees because you don’t want them connecting their devices to your corporate wireless network. However, maintaining control over the devices that connect to your networks doesn’t always protect you. Even if your employees are only using their cellular data while in your office, they can still put your information at risk.
Everyone has lost or misplaced a cell phone at some point. Even if the employee recovers the device, the information on it could have been compromised. Even if the employee isn’t doing work from their device, they may have texts or social media messages discussing privileged information. Moreover, many employees store passwords on their phones, whether through password management applications, automatically through their settings, or in notes applications. If they lose or misplace a device, they create a cybersecurity risk even if they never connected that device to your private corporate network.
Phishing, smishing (texts that link to malicious websites), whaling and other social engineering attacks compromise mobile devices as much as they compromise corporate-owned devices. These attacks place any information on the devices at risk, even information that you don’t know is there.
Employees connect to public wireless networks regularly, whether at the local Starbucks or the airport. Employees who join these networks to get a faster connection or to save cellular data put your information at risk. Moreover, the increase in Internet of Things (IoT) use means that they are also leaving their phones continuously Bluetooth discoverable. Both unsecured networks and Bluetooth discoverability leave devices vulnerable to hackers trying to gain access to mobile devices.
You want to protect your data, but you also need to be aware of employee rights. All of this makes creating a BYOD policy difficult. Work devices are in your control, but employee devices may not be. To protect your information as well as your organization, you need to maintain a policy detailing employee device use and ensure employees understand their responsibilities. The following are topics covered in BYOD policies, so you can make decisions that most directly apply to your business and working style.
Defining “Acceptable Use” for your employees is the first step to creating an effective BYOD policy. Employees need to know exactly how they can use their devices in the office.
You can include a variety of uses focused on your own business needs, including but not limited to:
Your employees may be using devices you own or devices they own. While you can’t control the devices that your employees purchase, you can control what they bring into the office. Older devices, for example, may not run the most up-to-date operating systems and thus expose you to security risk.
This part of the policy should provide information including but not limited to:
Having a BYOD policy also requires you to think through the implications of reimbursement, even though it is not a security issue. If you require employees to work from home or require certain devices, you also need to let them know how much financial support you’re going to offer them.
This part of the policy should incorporate at least some of the following:
If your employees are accessing your networks, then you have the right and obligation to detail your security requirements. If you don’t discuss this with employees, then they may not know the risks their devices pose.
To ensure security over personal devices, you should determine which of the following you want to apply to your organization:
You’ve protected yourself as much as possible. However, in a litigious society like ours, you need to make sure that everyone knows what you are responsible for and what you’re not responsible for.
In this section of the policy, you’re laying out your legal protections so that you aren’t sued for a variety of events including but not limited to:
Simplifying the complexities of security is our goal. Zeguro’s platform incorporates easily customizable policy templates to help you rapidly transition into a compliant organization. Our Acceptable Use template helps you create an enterprise BYOD policy that matches your size and information assets.
With our employee training modules, you can supplement your BYOD policy by empowering your employees with up-to-date information covering mobile device security and public WiFi threats.
For more information about ways Zeguro can help you get compliant, contact us to schedule a conversation.