The company-issued BlackBerry died, and no one cared. According to a 2014 Webroot survey (PDF), 61% of companies support bring your own device (BYOD) or the use of employee-owned devices for company functions. Because we no longer control every device, how can we implement BYOD security to keep users and, perhaps more importantly, company data safe?
BYOD Preparations
Clear the Underground
Whether you like it or not, employees are using their mobile devices for company work. BYOD security is about acknowledging these uses and working together to create solutions that give the user the freedom to choose, while still protecting company interests. Rather than fighting this BYOD revolution and pushing employees into a pseudo-underground, we need to embrace this transformation and introduce approved methods for personal device use. Doing so will give us far greater control over the content that our employees are accessing and allow us to protect it.
Care about Employee Privacy
Company data is not the only thing you have to protect. According to the previously cited Webroot survey, while 74% of companies agreed that involving employees is a good way to improve security compliance, only 14% of companies “often” seek employee input on security policies. This is a huge mistake. Employees may be willing to let you apply security policies to their devices, but their privacy is just as important. Multinational companies with operations in EMEA may even have this privacy protection mandated across their entire organizations. Work with employees to provide protection without invasion. Focus on protecting specific applications and access methods, and never, ever wipe private data without user permission.
Make Users Accountable
Protecting privacy is a two-way street. You promise employees data privacy and, in return, they should be accountable for protecting company data. Set clear user policies that define employees’ responsibilities for device repair and maintenance, set password requirements, restrict blacklisted applications, and require employees to report lost or stolen devices. You should also make sure that your data is encrypted locally on the device. This may require the use of application-specific silos or sandboxes, especially on Android devices where encryption is not enabled by default.
Define Access Contextually
We’ve harped on contextual access using F5 cloud security before, and that continues to be important for MDM and BYOD security. Make sure that an employee’s access is sanity-checked by using role, location, and access method as determining factors.
Choose the Right Platform
Once you have talked with your employees about their needs, determined the risks that you are and are not willing to accept, and established the right policies, you need to choose a solution that will let you easily implement and manage these policies. When choosing a BYOD security solution, Dell Boomi should be on your shortlist. In combination with the F5 Networks Access Policy Manager that we’ve previously discussed, it allows granular control of company data and policies, without forcing users to give up privacy or cede control of their device to IT.