Protecting Confidential Information as BYOD Programs Expand

October is National Cyber Security Awareness Month, when the National Cybersecurity Alliance shines a spotlight on internet safety and encourages individuals and organizations to remain vigilant about information security. This year’s theme, “Do Your Part. #BeCyberSmart,” urges everyone to own their role in cybersecurity and continuously strive to keep themselves and their data safe.

National Cyber Security Awareness Month presents a prime opportunity for your organization to review its cybersecurity efforts. With remote work becoming more prevalent, a critical area that warrants examination is how you handle bring your own device (BYOD) trends. Although some organizations choose to have more informal BYOD arrangements, this can put a company at risk because staff may not understand which devices they can use at work and how to secure them sufficiently. For this reason, it is essential to craft a clear, comprehensive BYOD policy and keep it up to date. 

What Is Bring Your Own Device (BYOD)?

BYOD is a workplace policy that lets employees use their personal technology, including smartphones, tablets, laptops, wearables, and other devices, on the job. Many companies are embracing a BYOD strategy, and the market for BYOD solutions, including smartphones, is expected to grow across the next four years, reaching about $430 billion by 2025.  

BYOD policies can be particularly effective for small to medium-sized businesses that can benefit from the potential cost savings of allowing employees to use their own devices. Additionally, some employees may feel they work more efficiently and effectively on a familiar device, including employees that frequently work while on the go. In many cases, BYOD can lead to greater flexibility and employee satisfaction, while helping reduce IT costs.

Despite the benefits, there are also risks associated with BYOD. Since employees use personal technology to access company information, data security issues, including cybersecurity risks and inconsistent protection for physical devices, can cause problems if not proactively addressed.

How to Implement a Comprehensive BYOD Policy

To take advantage of the benefits of BYOD while mitigating the risks, your organization must balance employee freedom with information security. A well-considered BYOD strategy can ensure you maintain the appropriate balance. Here are several tips to keep in mind when thinking through a BYOD program.

• Develop a corporate BYOD policy.  Defining the rules for BYOD in your organization is an important first step.  How will BYOD devices be granted access to corporate applications and data?  What security controls will be implemented?  How will compliance to the policy be monitored and enforced?  It is important that employees receive regular training on the policy and acknowledge that they will comply with it.    
  
  
• Invest in cybersecurity tools and apply them universally. Solutions that limit data access and theft risk include mobile device management software, anti-virus software, firewalls, and two-factor or multi-factor authentication. Your organization should use these tools for any equipment it owns, as well as any BYOD machines. You should also consider using encryption when sharing sensitive information electronically to prevent theft or loss. Enabling automatic software updates for cybersecurity solutions is helpful to ensure protections remain current, but this is not always possible with BYOD equipment. Consequently, you should have a process for sending out regular alerts to staff when they need to install critical patches or updates.
  
  
• Create a checklist when onboarding new devices. This should cover steps for installing mobile device management, anti-virus software, enabling multi-factor authentication, setting up security settings, and so on. Not only can this serve as a reminder for staff on what they should do to prepare their device adequately, but it can also help you document what safeguards are in place.
  
  
• Control access to sensitive data. Restricting who has access to confidential company information can help reduce the risk of theft. You should provide additional training to employees who have been granted access, so they know how to protect this information on their personal devices. Alternatively, you may want to restrict the use of personal devices for employees who have access to confidential information.
  
  
• Offer comprehensive staff training. Whether your employees use their personal devices or those provided by the company, they should receive extensive cybersecurity training to recognize and avoid potential threats. Key topics to cover include how to spot a phishing attack and what to do about it, the risk of downloading malicious apps, the importance of password hygiene, and how to protect devices when logging in from public places. Training should also address what to do if a device is lost or stolen, which may be more common since employees are using their devices at home, at work, and while commuting between the two. In addition, staff should be instructed to regularly back up their devices (or have automatic backup capabilities) so that any locally stored data is not permanently lost if a device goes missing or is stolen.
  
  
• Caution employees about risky apps. Not all apps are safe or appropriate for the workplace. Providing staff with a list of potentially harmful apps to avoid can encourage employees to steer clear of ones that could cause problems. Likewise, you may want to recommend that all app purchases be done through the Apple App Store or Google Play, further reducing the risk of problematic apps that could increase the chances of inappropriate data sharing or theft.
  
  
• Have a process for destroying old and outdated equipment. When employees get a new device, they often put the old one in a drawer, give it away, or throw it in the trash. Any of these options can put your company’s sensitive information at risk, even if the employee wipes the device. Wiping, erasing, or reformatting electronic equipment, such as a hard drive or cell phone, doesn’t completely remove the data, and forensic software programs exist to recover the information. To reduce the likelihood that data in legacy technology ends up in the wrong hands, your organization should have a process in which outdated or unused equipment is securely destroyed. A professional document destruction company like Shred-it can help with this effort. We use shearing or crushing to entirely destroy devices that are no longer needed, and we guarantee a chain of custody from the moment we pick up the equipment until it’s destroyed. An itemized Certificate of Destruction includes the device’s manufacturer name and serial number, so you can easily keep track of which equipment was destroyed. Once rendered unusable, we recycle devices to reduce the volume of material heading to landfills. Employees should be aware of this process and know when and how to bring legacy technology into the office for proper destruction.

Establishing and maintaining a secure mobile device policy is just one important step in protecting your company’s confidential information. Learn more about how Shred-it can help you improve overall information security.