How to develop a BYOD policy for your business

August 13th, 2021 by admin in ilicomm News

Why use BYOD

Workers often want to use their own laptops, smartphones and tablets to carry out their business functions. One clear advantage is that the user will be familiar with the device and will be saved the trouble of carrying both work and personal devices. It can also minimise overheads for the business relating to procurement and provisioning.

 

However, organisations should still apply proportionate security controls and monitoring to these devices if they are to be adequately secured.

Developing a BYOD policy

Once you have established your tolerance for the types of risk associated with BYOD, you should start developing your BYOD policy.

Your BYOD policy should clarify both organisational and employee responsibilities. There are two stages to developing a BYOD policy. First you establish your policy goals, then you determine the controls you can use to achieve them.

 

These questions will help you develop your policy goals:

What tasks will employees be permitted or encouraged to do, from their own devices?

  • For example, you may want your employees to submit expense reports from their personal devices but not access emails.

What services will you expose to personal devices? And what data will you expose from within those services?

  • For example, you might permit users to submit expenses to your HR tool from personal devices, but not change their bank details. Or you might permit access to the holiday booking tool, but not allow access to your sensitive financial documents store.

How much control will your employees be willing to grant you over their devices?

  • If you expect users to reject any control of their devices, your ability to manage risks will be compromised. For example, users may not like the idea of their employer being able to remotely wipe their entire device.

How enforceable are your policies?

  • If your policies rely entirely on users following specific procedures to keep devices secure, you should also consider what happens if users don’t follow those procedures, and how you might respond in such circumstances.

Enforcing your policy with technical controls

It is likely that you’ll need to develop your policy in conjunction with the technical controls you will use to implement the policy.

What types of access are permitted?
  • For example, phones with native apps, third-party container apps, web browsers – see technical approaches for more detail
What minimum standards for hardware and software versions will you enforce?
  • Older or unsupported platform versions are more likely to contain security weaknesses and to lack the modern mitigations that make devices harder to exploit.
What device policies will you enforce, and how will you enforce them?
  • You may be able to enforce some policies, including minimum passcode length and preventing copy and paste between work and personal apps. You will need to check your MDM service documentation for what policies are supported on your chosen devices.
What service access policies will you enforce?
  • For example, where supported, you could use compliance policies and strong authentication to verify devices before they are allowed access to enterprise services. Either way, strong user authentication, including Multi-Factor Authentication, is especially important for BYOD, as it may not be possible to implement strong machine authentication for personal devices.
How will individual services prevent personal devices from accessing sensitive data?
  • You might want to restrict access from personal devices to certain areas of a single service. For example, you may block access from personal devices to the most sensitive internal documents within your file storage services, whilst still allowing them to access less sensitive material in the same service.
How and where will you enforce these policies?
  • They could be enforced at an authentication service, network firewall, or on specific services.
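
The questions above can be combined into a single default-deny access decision, evaluated wherever you choose to enforce the policy. The sketch below is an added example, not code from the NCSC guidance or from ilicomm; the field names, the minimum versions, the passcode length and the list of permitted actions are all assumptions chosen to mirror the examples in this article.

```python
from dataclasses import dataclass

# Constructed values for illustration only; set these from your own policy goals.
MIN_OS = {"android": (12, 0), "ios": (15, 0)}   # minimum supported platform versions
MIN_PASSCODE_LEN = 6                            # device policy reported by the MDM
# Actions personal devices may perform. Anything not listed is denied for BYOD,
# so a newly added service or action is closed to personal devices by default.
BYOD_ALLOWED = {
    ("expenses", "submit"),
    ("holiday", "book"),
    ("files", "read_general"),
}

@dataclass(frozen=True)
class Request:
    user_mfa: bool          # user completed multi-factor authentication
    corporate_owned: bool   # False for a personal (BYOD) device
    platform: str
    os_version: tuple       # e.g. (13, 0)
    passcode_len: int
    service: str
    action: str

def decide(req):
    """Return (allowed, reason) so every decision can be logged and audited."""
    # Strong user authentication applies to every device, personal or not.
    if not req.user_mfa:
        return False, "mfa_required"
    # Unknown platforms are treated the same as outdated ones.
    minimum = MIN_OS.get(req.platform)
    if minimum is None or req.os_version < minimum:
        return False, "unsupported_platform_version"
    if req.passcode_len < MIN_PASSCODE_LEN:
        return False, "device_policy_noncompliant"
    if req.corporate_owned:
        return True, "corporate_device"
    # Personal device: only the explicitly exposed service actions are allowed.
    if (req.service, req.action) in BYOD_ALLOWED:
        return True, "byod_permitted_action"
    return False, "byod_restricted_action"
```

Returning a reason code alongside the decision lets you measure how often each control blocks users, which helps spot controls that are restrictive enough to push staff towards workarounds.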

Security controls that adversely affect the usability of a device will drive down adoption and so undermine your approach.

Overly restrictive controls may even encourage staff to find workarounds, which might increase your security risk.

 

Source: NCSC.gov.uk
