My first experience with BYOD took place over a decade ago while working at Microsoft. My coworker had asked for and been denied email connectivity to his Blackberry. I believe the only email device on the approved list was a Motorola device that routed email through their service rather than directly through the company’s Exchange Server. That meant you had to maintain two email accounts.
My tech-savvy colleague went to the forums in search of a solution, and what he found was a loophole. All he had to do was set up a server in his office, install some software from Blackberry and open a few ports. He was in business for a few months until IT performed a port scan. But this lesson has stayed with me for many years: employees will go to great lengths to implement solutions that make their lives easier.
Over the years, I’ve seen similar scenarios play out where employees bring devices to work while IT plays a game of Whack-a-Mole to disable them. Today, many companies have embraced BYOD. That’s not to say some don’t still struggle with it. But I’ve seen employees and IT reach a point where they’re willing to work together and strike a balance of security and flexibility. Employees want to work on devices that make them more productive while IT wants to maintain control over their network. Both can be done.
IT will point to security as their primary concern with BYOD, and that’s what I want to discuss today. I’ve gathered a number of tips for IT to consider when implementing a BYOD program. The goal is to keep the company’s data safe while allowing employees to utilize devices that make them productive.
Have a Clear Plan
Get off on the right foot by having a clear BYOD plan to explain to new employees. Expect new employees to show up assuming they can access company email from their personal phone. If your company provides a separate device for work-related email, you need to make that clear from the start. It is a lot easier to set proper expectations up front than to attempt to curb bad behavior down the road. You also remove any confusion about what is or isn’t allowed.
I worked for a small company that included their BYOD plan in my offer letter. Before I even showed up, I knew exactly what to expect in terms of getting my phone and tablet hooked up to company email and intranet. It’s not a bad idea to include a list of recommended devices you know have worked well for employees and IT. If you know Android phones work better than iPhones with your company’s email system, share that information as soon as possible.
On the flip side, IT should also have a plan for exiting employees. They will undoubtedly have sensitive data on their devices, which you’ll need to remove or confirm has been removed. According to one report, only about one in three companies remove company data through remote wipe. Not taking this critical step when employees leave the company drastically increases the chance of a data breach.
What should you do if your company doesn’t have a plan? Get working on one immediately, and get your boss involved. Keep pushing until you have a plan and buy-in from management. Nothing else in this article will matter much if you don’t have a plan to fall back on.
Mandate Strong Passwords
Asking employees to change their password every 90 days may seem draconian. Employees might complain when you don’t allow them to reuse passwords or when you require strong passwords. But it’s for their own good as well as the security of the company’s data. The complaints should subside once the process becomes routine.
The last company I worked for required separate passwords for email and their internal tools and services. Over time, they moved those tools and email to Google Apps (now G Suite) which allowed them to move authentication to Google. IT also mandated all employees to enable 2-step verification which should result in a much safer environment.
Password-related best practices include requiring users to re-enter a password after 10 to 15 minutes of inactivity and locking out users after three incorrect logins from a mobile device. Today’s browsers include password managers, and employees can also choose from standalone password managers such as 1Password and LastPass. IT should be in a position to speak to the benefits and downsides of using such products. The WireCutter recently reviewed a number of password managers, and LastPass ranked highest in their survey. Personally, I can’t imagine keeping track of all my passwords with 1Password.
Require MDM on all Devices
MDM (mobile device management) will help you keep company data secure while respecting the privacy of the employee. It does this by carving out separate areas on the device for company and personal data. It then allows IT to manage the company space on the device.
MDM can also help you track down lost devices and remotely remove company data if needed. Employees might consider the installation of any additional software on their devices as Big Brother-ish. What they need to understand is that MDM is as much a benefit to them as it is to the company. That level of understanding comes through education.
I’ve read about companies creating separate WiFi networks for those employees who own devices not supported by their MDM. A better choice would be to purchase (or subsidize) a new device for the employee that’s supported by your MDM.
Educate your Employees
IT often overlooks this step because they assume that if the employee owns it, he must know how to use it. I recommend treating BYOD devices the same way you treat company-issued devices: educate employees on safe and proper usage. Educate them on phishing scams, and help them to recognize them. Help them understand licensing requirements if they need additional software for their device that’s not already covered by the company. Your BYOD plan should include a mention of who pays for those licenses.
This might be as simple as creating an internal Wiki or SharePoint with How-To videos, best practices and helpful tips for the most popular devices. Education takes time and resources, but I believe you’ll find it well worth the effort. Most employees know how their phones, laptops and tablets work, but there are a myriad of other devices making their way into company networks today. These include smartwatches, fitness trackers and many other devices that fall under IoT. It’s best to get ahead of the curve on these new devices.
You can take a hard line and refuse to educate your users, but you’ll eventually regret it. A better approach is to accept that BYOD is here to stay. You can help your career by educating your users to exercise the best practices you’ve put in place.
BYOD is here to stay. So the saying goes: You can be part of the problem or part of the solution. Too often I see IT fight against BYOD or implement it through clenched teeth. I’ve been on both sides of the table and understand the frustration of both parties. But it can be done.
Devise a plan that works for IT and one small division of the company. Test the plan for a few months. Tweak as needed before rolling out to a larger group. Create a way for employees to provide feedback and go from there.