While many large companies have no problem with issuing laptops, smartphones, and tablets, other organizations have fewer options. When it comes to small businesses, non-profits, and educational bodies, there is often less budget to go around.

With this, many people often need to bring their personal devices to work. Here’s why that can raise a few issues, and what you can do about it.

Pros and Cons of Allowing Personal Devices at Work

For years, the standard practice for many corporations has been to issue devices to their employees. These devices safeguard companies against various security risks, liability issues, and data leaks. Having separate work and personal devices also helps create work-life balance, an increasing concern for remote workers prone to overwork.

However, while the onboarding process can be more straightforward, assigning company-issued devices can also be quite bureaucratic.

Many companies that issue devices often struggle with long approval processes for procurement, replacement, and issuance. These processes can severely hamper productivity for organizations that need to be the most agile.

Alternatively, there are also several advantages to having employees bring personal devices to work. Aside from the obvious savings in terms of purchasing the actual devices, companies can actually save time and effort.

For example, people used to a particular operating system will not need to learn a new one for work purposes.

By aligning with existing usage habits, companies lessen the possibility of a steep learning curve. With this, employees can be more productive from the get-go in ways that would not be possible with all company-issued devices.

Security Tips for BYOD Policies

So if your company decides to ask employees to bring their own devices, here are a few tips that you can follow to keep things professional.

Company Guidelines Onboarding

When it comes to any policy, most of its success is in its communication to the relevant parties.

Regardless of size, your company should have clauses written into employee contracts about data security, data theft, legal holds, and surveillance practices. You may also invest in a company email address for every employee allowed access to official documents.

Companies should dedicate a portion of their onboarding process to the expectations of professionalism from employees and be transparent about the kind of surveillance they can expect in and out of the company network.

Authentication Procedures

Employees who would willingly commit corporate espionage or steal company data are in the minority.

But the number of employees who unknowingly make weak passwords, use the same passwords for everything, and lend their personal/company devices to friends or family members is much higher.

To protect against both malicious intent and unfortunate ignorance, companies need to take multiple steps. First, you need to teach your employees the importance of personal security practices such as data decentralization and password strength.

Second, you need to build into your procedures regular password changes and mandatory re-authentication processes when employees are out of the office for too long. In particular, remote workers, sales teams, and anyone who works outside the office are the most vulnerable.

Authentication should not only apply to laptops or tablets. It should also apply to smartphones, email addresses, internal apps, or any system exposing company information regularly.

Network Limitations

As with any security threat, you are only as safe as your weakest link. For companies with Bring Your Own Device (BYOD) units, the chain needs a lot more strengthening.

As a general rule of thumb, access to critical information should be severely discouraged for external devices.

Host all external devices on a separate VLAN monitored by a tightened intrusion detection system. Also, use a combination of network-based and host-based intrusion detection systems. Your company network should be able to identify odd behavior such as increased packet sizes, traffic loads, or encrypted data attacks.
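As an added illustration (not part of the original article), here is one way a network monitor could flag two of the behaviors named above, increased traffic loads and increased packet sizes, for devices on the BYOD VLAN. The VLAN IDs, IP addresses, flow records, and the 3x threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

BYOD_VLAN = 30  # assumed VLAN ID reserved for personal devices

# Constructed flow summaries: (window, src_ip, vlan, bytes, packets)
FLOWS = (
    [(w, "10.30.0.11", 30, 120_000, 400) for w in range(5)]      # steady host
    + [(w, "10.30.0.12", 30, 100_000, 500) for w in range(4)]
    + [(4, "10.30.0.12", 30, 900_000, 700)]                      # large bulk transfer
    + [(w, "10.30.0.14", 30, 50_000, 100) for w in range(4)]
    + [(4, "10.30.0.14", 30, 400_000, 800)]                      # more traffic, same size
    + [(w, "10.30.0.13", 30, 80_000, 200) for w in (3, 4)]       # newly joined device
    + [(w, "10.10.0.5", 10, 5_000_000, 4000) for w in range(5)]  # corporate VLAN host
)

def per_host_windows(flows, vlan):
    """Sum bytes and packets per (host, window) for a single VLAN."""
    agg = defaultdict(lambda: [0, 0])
    for window, src, flow_vlan, nbytes, npkts in flows:
        if flow_vlan != vlan:
            continue  # only devices on the monitored VLAN are evaluated
        agg[(src, window)][0] += nbytes
        agg[(src, window)][1] += npkts
    hosts = defaultdict(dict)
    for (src, window), (nbytes, npkts) in agg.items():
        mean_size = nbytes / npkts if npkts else 0.0
        hosts[src][window] = (nbytes, mean_size)
    return hosts

def flag_anomalies(flows, vlan=BYOD_VLAN, factor=3.0, min_history=3):
    """Compare each host's latest window with the median of its earlier ones."""
    alerts = []
    for src, windows in sorted(per_host_windows(flows, vlan).items()):
        latest = max(windows)
        history = [windows[w] for w in windows if w < latest]
        if len(history) < min_history:
            continue  # too little baseline to judge; avoids false alarms
        base_bytes = median(h[0] for h in history)
        base_size = median(h[1] for h in history)
        cur_bytes, cur_size = windows[latest]
        reasons = []
        if cur_bytes > factor * base_bytes:
            reasons.append("traffic_load")
        if cur_size > factor * base_size:
            reasons.append("packet_size")
        if reasons:
            alerts.append((src, latest, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(FLOWS):
        print(alert)
```

Using the median of each device's own history keeps one noisy interval from skewing the baseline, and devices with too little history are skipped rather than flagged.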

Unfortunately, there is no one-size-fits-all approach to the ethics of employee surveillance on personal devices. Depending on the nature of your business, the sensitivity of the data may require timed screenshots, file limits, automatic log-offs, and so on.

Network limitations should further undergo routine evaluation as the needs of your company change with growth. At some point, you may need to integrate multiple VLANs, introduce stricter authorization procedures, or add firewall protections.

IT Off-Boarding

While every company will have its off-boarding procedures, poor processes at companies whose employees bring their own devices are recipes for disaster, especially when an employee leaves on bad terms.

Good security off-boarding procedures minimize the chances of confidential data leaks. They also improve overall company data hygiene practices and prevent loss of institutional data.

A good IT off-boarding process looks at what kind of data employees have, where they keep it, and what it can be used for. Companies should conduct intent mapping for exiting employees and flag those joining competitors or starting competing businesses.

Lastly, be sure you remind employees of the legal risks involved with stealing data during their exit interview to discourage any pending actions.

Balance Convenience and Security

For small offices, network limitations don’t always feel necessary. However, small offices with big dreams still need to future-proof security practices. It is always good to prepare your organization for scale by protecting your data from the very beginning.

BYOD is the reality for many small businesses, non-profits, and less established organizations. While it has never been as affordable or easy to start a global business, it has also never been as risky in terms of security. With a shorter learning curve and a less bureaucratic onboarding process, BYOD is still a risk worth taking for some companies.

For this reason, you should be mindful about how much you allow access to critical information that can make or break your business. It should be made clear to everyone on your teams how important it is to follow good data security practices, even when using their personal devices.

Company policies are only the tip of the iceberg. With the increasing use of cloud software, storage, and communication channels, the window of opportunity for hacks becomes more evident every year. For BYOD to work, everyone needs to be vigilant in and out of the office.