By Joy Beland

Today’s workforce is all about mobility. I know it, because I live it. I have FIVE work devices, not including my iPhone. I work on trains, in Ubers, in my home, at the office, at my client offices … there’s really no reason to not be connected anymore … unless I’m on vacation. And *even then* it’s hard to unplug. 🙂

Building your own BYOD plan:

The hard thing to balance is the necessary security vs. the ease of use for your staff. It’s a conversation worth having, because coming to an agreement with the staff on what they absolutely must be able to do on their own devices, vs. what they can do at the office or only by connecting through a secure VPN, enables user buy-in. That’s necessary so that you’re all on the same page. Sophos did a great job outlining the considerations and structure of a plan (find this online at https://www.sophos.com/en-us/security-news-trends/security-trends/byod-risks-rewards/7-steps-to-a-byod-security-plan.aspx).

7 steps to a BYOD security plan:

Your company’s security and BYOD can co-exist. And it starts with planning. Here’s how:

  1. Identify the risk elements that BYOD introduces
    1. Measure how the risk can impact your business
    2. Map the risk elements to regulations, where applicable
  2. Form a committee to embrace BYOD and understand the risks, including:
    1. Business stakeholders
    2. IT stakeholders
    3. Information security stakeholders
  3. Decide how to enforce policies for devices connecting to your network
    1. Mobile devices (smartphones)
    2. Tablets (e.g., iPad)
    3. Portable computers (laptops, netbooks, ultrabooks)
  4. Build a project plan to include these capabilities:
    1. Remote device management
    2. Application control
    3. Policy compliance and audit reports
    4. Data and device encryption
    5. Augmenting cloud storage security
    6. Wiping devices when retired
    7. Revoking access to devices when end-user relationship changes from employee to guest
    8. Revoking access to devices when employees are terminated by the company
  5. Evaluate solutions
    1. Consider the impact on your existing network
    2. Consider how to enhance existing technologies prior to next step
  6. Implement solutions
    1. Begin with a pilot group from each of the stakeholders’ departments
    2. Expand pilot to departments based on your organizational criteria
    3. Open BYOD program to all employees
  7. Periodically reassess solutions
    1. Include vendors and trusted advisors
    2. Look at roadmaps entering your next assessment period
    3. Consider cost-saving group plans if practical

What apps/activities are allowed on mobile devices, and what business resources can be accessed?

Remember that what should *NOT* be accessible remotely, and by whom, is just as important as who needs access to what remotely. And how would you control this if you were managing 5, 10 or more licensing portals with the user credentials for each employee? Do you have separate logins for Dropbox, your computer network, the password management tools, QuickBooks Online, your email account, Salesforce, etc.? How do you manage the license allocation and billing for all of these? As you can see, in this age of everything being web-hosted and subscription-based, it is getting cumbersome to stay on top of the security needed to protect *all* avenues of access to the company data.

Microsoft has a fabulous answer to mobility and security – called Enterprise Mobility Suite.  It’s an upgrade to Office 365, which is the email and productivity platform most of our clients already use and love.  EMS can cover the basics: Remote Wipe, Remote Lock, Password Requirements, Wi-Fi Access.  Then, if you want, we can get a lot more granular to look at information protection per document or per device.  We can implement email encryption, device encryption, access to only certain applications or data from mobile devices, compliance event logging, etc.  It’s pretty robust and a dream to manage.

Next month, we’ll visit the actual policies that we have in place for our business and some caveats we have assisted our clients to implement in their policy.  But, please, think about it and plan around it – BYOD is here to stay.