How to Define Your BYOD Security Policy


Tuesday, October 13, 2020

An effective BYOD security policy is a must for minimizing your risks. But what should this look like?


Mobile and remote working isn't something you can afford to ignore in today's environment. While it's understandable that IT pros will be concerned about the security implications of confidential data being accessible from beyond a firm's tightly controlled network, the reality is that any attempt to crack down on this practice is doomed to failure.

Today's employees see the ability to do their job from anywhere, at any time, as a key part of their working life, not just a nice-to-have perk. This means they're going to do it, with or without official approval. Indeed, according to Trend Micro, nine out of ten people in the US use their own device for work, regardless of whether or not they're allowed to do so.

The use of personal devices in the workplace can't be stopped - but it can be controlled. Therefore, having a strong policy in place to manage bring your own device (BYOD) activities is essential if firms are to remain productive while keeping their private data secure.

Why a BYOD security policy matters

A BYOD security policy is a key part of your defenses against mobile threats, as these devices are one of your biggest risks if left unattended (both figuratively and literally).

According to Verizon, one in three organizations has suffered a data breach involving a mobile device. These devices are exposed to a range of issues: they are prone to many of the same attacks as other endpoints, such as phishing and badly coded websites, and there are also mobile-specific threats like malicious apps and rogue wireless hotspots to take into account.

This is not to mention the obvious risks posed if a device is lost or stolen. Research by Druva notes that more than three-quarters of companies don’t encrypt mobile devices, while only 35% are able to wipe a compromised mobile device remotely.

A policy is also essential for complying with the new, stricter data protection and privacy regulations being put in place around the world, such as GDPR or California's CCPA. Regulators will take seriously any data breach caused by careless use of personal devices, and if firms can't show they've taken steps to minimize their risk, they could face significant fines.

What should a BYOD policy contain?

An effective BYOD security policy needs to include provisions to cover all eventualities. For starters, these documents must set out clearly what apps will be allowed or prohibited from being installed.

It's not enough to merely restrict users to using programs from approved app stores, as it can be easy for malware-infected apps to appear on these services. While Android devices are assumed to be especially vulnerable to this due to Google's less restrictive policies, Apple devices aren't immune either.

Your policy should also define what data the company will have access to, especially when it comes to wiping gadgets remotely. This will be vital when company policies may intersect with people's personal data - if you're going to insist that the business be able to perform a complete wipe of a lost or stolen device, including any personal data such as photos, you must make this explicit and ensure you have your employees' consent.

The different approaches to BYOD security

There are a few ways in which BYOD policies can be formulated to balance the competing needs of security and usability.

Whitelisting and blacklisting apps

For instance, one decision is whether to adopt a whitelisting or blacklisting policy for apps. Operating a whitelist, where only pre-approved apps can be installed, is the more secure option, but it limits people's freedom to manage their own device. A blacklist, where only specific apps are blocked, makes life easier for employees but is inherently less secure: any app not already on the list is permitted by default.

Separating work and personal data

You should also consider how to manage the separation between work and personal data and apps, and there are several ways to go about this. For example, you could opt for a 'corporate-managed, personally-enabled' policy, which gives you complete control over the device, while allowing personal use for activities you're happy with. This is the most secure solution, but workers may be reluctant to give up control over devices they own.

Other solutions include 'personally owned, partially enterprise-managed', which lets you enforce certain policies closely, but leaves the user in charge of some key functions, or a managed container solution, where all enterprise activities are ring-fenced into a separate, corporate-controlled app. Understanding the pros and cons of each of these is vital in determining which option will work best for you.

How will security policies be enforced?

It's all very well having a clear, comprehensive BYOD security policy, but if you aren't able to effectively enforce it, it won't do you any good. Therefore, every policy you enact must be practical from a management and control perspective, and not simply rely on end-users following the rules.

This is where a strong mobile device management (MDM) solution will be especially useful. These tools let you, from a central console, mandate minimum security requirements such as two-factor authentication, enforce encryption, monitor activity and prevent users from installing unapproved apps.

MDM software can offer a wide range of options, from light-touch methods where workers have relative freedom to tightly-controlled approaches that make security a top priority at the expense of usability. But whichever BYOD path you go down, these technologies are a vital tool in ensuring your policies are being followed.
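The following is an added example, not code from the article or from any MDM product, that models the two enforcement choices discussed above: the whitelist-versus-blacklist decision for apps, and the minimum requirements (encryption, two-factor authentication, check-in) an MDM console would enforce centrally. The policy schema, field names, app identifiers and the device inventory are all constructed for illustration; a real MDM exposes its own API and attribute names. The point it shows is the one the text makes: a sideloaded app that appears on neither list is blocked under a whitelist but passes under a blacklist.

```python
"""Added example: a minimal BYOD policy evaluator (hypothetical schema)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    mode: str                         # "allowlist" (whitelist) or "denylist" (blacklist)
    apps: frozenset                   # approved apps (allowlist) or blocked apps (denylist)
    require_encryption: bool = True   # storage encryption mandated
    require_mfa: bool = True          # two-factor authentication enrolled
    max_days_since_checkin: int = 7   # a device that stops reporting is treated as lost


@dataclass(frozen=True)
class Device:
    owner: str
    installed_apps: frozenset
    encrypted: bool
    mfa_enrolled: bool
    days_since_checkin: int


def app_allowed(policy: Policy, app: str) -> bool:
    """Allowlist: only listed apps pass. Denylist: everything not listed passes."""
    if policy.mode == "allowlist":
        return app in policy.apps
    if policy.mode == "denylist":
        return app not in policy.apps
    raise ValueError(f"unknown policy mode {policy.mode!r}")


def evaluate(policy: Policy, device: Device) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    if policy.require_mfa and not device.mfa_enrolled:
        violations.append("MFA not enrolled")
    if device.days_since_checkin > policy.max_days_since_checkin:
        violations.append(f"no check-in for {device.days_since_checkin} days")
    for app in sorted(device.installed_apps):
        if not app_allowed(policy, app):
            violations.append(f"unapproved app: {app}")
    return violations


def enforcement_action(violations: list) -> str:
    """Map the evaluation result to the action an MDM would take (hypothetical)."""
    return "allow" if not violations else "quarantine"


# Constructed sample policies: the allowlist names the only apps permitted,
# the denylist names the only apps blocked.
ALLOWLIST = Policy(mode="allowlist",
                   apps=frozenset({"com.example.mail", "com.example.vpn"}))
DENYLIST = Policy(mode="denylist",
                  apps=frozenset({"com.example.knownbad"}))

# Constructed sample devices (hypothetical identifiers).
# Alice's phone is healthy but carries a sideloaded app on neither list.
ALICE_PHONE = Device(owner="alice",
                     installed_apps=frozenset({"com.example.mail",
                                               "com.example.sideloaded"}),
                     encrypted=True, mfa_enrolled=True, days_since_checkin=2)
# Bob's tablet is unencrypted, has no MFA and has not reported for a month.
BOB_TABLET = Device(owner="bob",
                    installed_apps=frozenset({"com.example.mail"}),
                    encrypted=False, mfa_enrolled=False, days_since_checkin=30)


def compare(device: Device) -> dict:
    """Evaluate one device under both list modes for side-by-side comparison."""
    return {"allowlist": evaluate(ALLOWLIST, device),
            "denylist": evaluate(DENYLIST, device)}


if __name__ == "__main__":
    for dev in (ALICE_PHONE, BOB_TABLET):
        for mode, result in compare(dev).items():
            print(f"{dev.owner:6} {mode:9} {enforcement_action(result):10} {result}")
```

Running the block shows the trade-off directly: Alice's phone is quarantined under the allowlist because of the sideloaded app, yet allowed under the denylist, since nothing on the device matches a blocked entry; Bob's tablet fails the baseline checks under either mode, which is the kind of minimum-requirement enforcement the text attributes to an MDM console.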
