Best practices for implementing a successful BYOD programme

How can you ensure your organisation remains secure when adopting a Bring Your Own Device policy?

Charlotte Trueman, Dec 19th 2018

Mobile phone usage is still on the rise, with the global number of users expected to surpass 5 billion in the coming year.

Throughout Southeast Asia, mobile phone users make up 90% of all internet users and on average, people in the region spend longer on their phones than their American counterparts.

This smartphone explosion means it’s of little surprise that so many organisations have already adopted a Bring Your Own Device (BYOD) policy – a practice where employees are allowed to use their own devices for work related purposes.

Beyond the obvious financial benefits, a BYOD policy can also help remote workers and improve productivity amongst those with a more flexible working schedule.

However, the success of this strategy relies on it being implemented correctly, with concerns around security often being the most cited reason amongst organisations who are yet to adopt a BYOD policy.

With that in mind, here are a number of best practices to help ensure your company remains secure whilst benefiting your employees.

Make sure your policy is clear

The first and most important thing you need to do when implementing a BYOD policy is to make sure it's clear. If there are any vague points or grey areas, employees may unknowingly do something that exposes a weakness and leads to your organisation's security being compromised.

From day one, employees need to know what they can and can’t use their devices for, what an IT support team can do for them if an incident occurs and what devices will be included in the policy – different devices have varying levels of security, meaning some are more vulnerable to risk than others.

Having a clear policy not only eliminates a constant back and forth between employees and management about what is and isn’t allowed, it also helps to address potential security and privacy risks.

Security first

When it comes to personal devices, users are usually laxer about keeping them secure. While most people have a passcode on their lock screen, it's very unusual to have two-factor authentication in place on a device used for personal purposes.

While increasing device security might be seen as a headache for some, if your device has sensitive, work-related information and data on it, upping the security stakes must be seen as non-negotiable.

Your organisation should also conduct a mobile risk assessment to identify possible threats and vulnerabilities, ensure networks are secured, and implement a policy that requires passwords to be both complex and routinely changed.

We’ve mentioned it before but no matter how much money you spend on your security strategy, human error is still the most common cause of a data breach. Therefore, you need to ensure every employee only has access to what is necessary for them and keep the relevant people informed if this changes.

However, security isn’t just the responsibility of management, you also need to…

Educate your staff

It’s vital that your staff are included in all dialogues revolving around potential risks and changes to your security policy.

If staff don't understand why they have to follow certain protocols – two-factor authentication, for example – they'll be less inclined to do so.

Comprehensively educating them on security risks from the beginning not only saves you time in the long run, it is also one of the best ways to prevent a potential incident. Make sure everyone working in your organisation understands the importance of using strong PINs, secure networks and data encryption, as well as making regular backups and not clicking on suspicious links.

Ensure usage is consistent

If you want your policy to be successful, you can’t have one rule for your employees and another for management.

It doesn’t matter how important someone is, if your organisation has decided to implement a company-wide BYOD policy, then everyone must know the rules and stick to them.

This is another reason why it’s important that your policy is clear – so no one has an excuse for deviating from it! However, in order for usage to remain consistent, you must first ensure that it actually suits the needs of all those who will be partaking in it.

Make sure you consult with every team before determining your final policy. This way you can make sure it fulfils everyone’s requirements and minimise the issue of employees feeling like they are unable to support it.

Have an employee exit plan

The potential for a man-made security disaster rears its head every time an employee leaves. If they've been using their own device, how can you ensure that their access tokens have been revoked and that sensitive data has been deleted?

Having a set plan in place helps your organisation deal with this problem: removal of the leaver's network access should happen almost instantly. This information then needs to be passed to system administrators, so they can ensure the network remains both up to date and secure.

Wiping company-issued devices and disabling company emails and accounts also stops ex-employees from continuing to have authorised access and helps to keep sensitive information protected.
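One way to answer the question above ("how can you ensure that access tokens have been revoked?") is to treat the exit plan as something you verify rather than something you assume. The following Python script is an added example, not part of the original article or any product it mentions: it takes a constructed inventory of what a leaver had been granted (tokens, VPN certificates, mailbox, MDM enrolment of a personal device), checks which entries are still live after offboarding, and maps each leftover to the action the exit plan calls for. The record format, the access kinds and the sample data are all assumptions made for this illustration.

```python
"""Offboarding audit: confirm a departing employee's access is actually gone.

Added example, not from the article.  The Access record, the access 'kinds'
and the sample inventory below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    user: str                       # employee the access belongs to
    kind: str                       # e.g. "oauth_token", "vpn_cert", "mailbox", "mdm_enrollment"
    identifier: str                 # token id, cert serial, address, device id (constructed)
    active: bool                    # what the issuing system currently reports
    expires: Optional[datetime] = None   # None means the access does not expire on its own


# Action the exit plan requires for each kind of access that is still live.
# For a personal (BYOD) device the assumption here is a selective wipe of the
# work profile/container, not a full wipe of the employee's own phone.
REQUIRED_ACTION: Dict[str, str] = {
    "oauth_token": "revoke token at the identity provider",
    "vpn_cert": "revoke certificate and publish updated CRL",
    "mailbox": "disable account and block sign-in",
    "mdm_enrollment": "selective-wipe work container and unenrol device",
}


def is_live(access: Access, now: datetime) -> bool:
    """An access is live if the system still reports it active and it has not expired."""
    if not access.active:
        return False
    if access.expires is not None and access.expires <= now:
        return False
    return True


def audit_offboarding(user: str, inventory: List[Access], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (kind, identifier, required action) for every access of `user` still live at `now`.

    An empty list means offboarding is complete for that user.  Unknown kinds are
    never silently ignored; they get a generic 'review manually' action.
    """
    leftovers = []
    for a in inventory:
        if a.user != user or not is_live(a, now):
            continue
        action = REQUIRED_ACTION.get(a.kind, "review manually: no runbook step for this kind")
        leftovers.append((a.kind, a.identifier, action))
    return sorted(leftovers)


# Constructed sample inventory for a leaver "jdoe" and a colleague "asmith".
NOW = datetime(2018, 12, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY: List[Access] = [
    # Already disabled by HR-triggered automation: should not be reported.
    Access("jdoe", "mailbox", "jdoe@example.test", active=False),
    # Short-lived token that expired before the audit ran: effectively revoked.
    Access("jdoe", "oauth_token", "tok-0001", active=True,
           expires=datetime(2018, 12, 18, 9, 0, tzinfo=timezone.utc)),
    # Long-lived refresh token nobody revoked: must be reported.
    Access("jdoe", "oauth_token", "tok-0002", active=True, expires=None),
    # VPN certificate still valid until next year: must be reported.
    Access("jdoe", "vpn_cert", "serial-7f3a", active=True,
           expires=datetime(2019, 6, 1, tzinfo=timezone.utc)),
    # Personal phone still enrolled in MDM: must be reported.
    Access("jdoe", "mdm_enrollment", "device-9c21", active=True),
    # Another employee's access must not appear in jdoe's audit.
    Access("asmith", "vpn_cert", "serial-1b2c", active=True),
]


if __name__ == "__main__":
    for kind, ident, action in audit_offboarding("jdoe", SAMPLE_INVENTORY, NOW):
        print(f"{kind:16} {ident:20} -> {action}")
```

Running the script lists the three items that still need action for `jdoe` (a refresh token, a VPN certificate and the MDM enrolment of a personal device) while correctly ignoring the disabled mailbox and the already-expired token. In practice the inventory would be pulled from the identity provider, the certificate authority and the MDM console rather than typed in, and the audit would be re-run until it returns an empty list, which is the evidence the exit plan asks for.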
