BYOD Security Options for Associations & Nonprofits
- Dan Lautman
- January 5, 2018
Most organizations I work with have adopted a Bring Your Own Device (BYOD) policy for mobile devices.
Why staff use personal devices for work
The reasons are pretty simple and might go something like this:
- All our employees already have their own smartphones,
- We don’t want to pay for another device, and
- We don’t want to make our employees carry another device, so
- We’ll just ask them to use their personal device for work.
In some cases, the company will reimburse the employee for part of their phone/data bill. In other cases, they won’t. Regardless, the general expectation is that employees will check email and calendar using their personal device. Less frequently, employees are expected to also view or even edit documents using Google Docs, MS Office, Dropbox, or similar.
But what about mobile security?
Naturally, the organization needs some way to protect the data accessed on those applications.
- What if a personal device gets lost or stolen?
- What if an employee’s roommate picks up the phone?
- What if the phone gets a virus?
Let’s say we were talking about a company-owned laptop. In that case, the solution is simple: harden the computer, install company-managed antivirus and firewall, lock down the operating system, manage backups, and so on.
But since we’re talking about a personal device, we can’t simply do the same. We have to find a balance between letting the employee do what they want with their own device and safeguarding organizational data.
4 levels of BYOD security
Organizations can approach this conundrum with different ‘levels’ of security. Your organization will have to decide which one is right for you and your staff. These options are crafted with Exchange (or Exchange Online) in mind.
- Basic: Allow any personal devices, but require the following minimal security controls: 4-digit passcode, encryption, and full wipe after 10 unsuccessful unlock attempts. Additionally, staff must be aware that IT can remotely wipe the entire device under certain circumstances. Most organizations I work with adopt this policy due to its minimal effect on usability.
- Intermediate: Allow any personal devices (with similar security controls as above), but only allow use of the Outlook app (as opposed to the ‘native’ mail, calendar, and contacts applications). This restricts access to corporate data to a single application, and allows the user to simply delete the app if all corporate data needs to be removed. The user also does not have to give remote wipe access to IT. However, it does require the user to use separate applications, preventing a ‘unified’ view of personal and corporate contacts (for example).
- Higher: Explore third-party Mobile Device Management (MDM) solutions to further lock down data exfiltration (for example, prevent copy/paste from email). MDM solutions add another layer of administration, but enable more control over the device. Some examples of recommended controls that require MDM include: not allowing jailbroken devices, controlling location services, and controlling personal hotspot. MDM isn’t usually adopted by companies since it requires users to relinquish even more control over their devices to IT, but I have seen it implemented in industries where security is of high concern (e.g., finance sector, defense).
- Highest level: Implement MDM with no BYOD option. In this case, companies are required to provide mobile devices to any users who need them to perform their jobs, in the same manner laptops are issued. The companies I work with (typically with 30-300 staff) rarely choose this option due to the increased administration and costs involved, as well as the big usability ‘hit’ to end users (i.e., having to carry multiple devices).
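As an added illustration (not part of the original article), the Basic level can be expressed as an Exchange mobile device mailbox policy and then used to audit the policies already in place. The sketch assumes an Exchange or Exchange Online PowerShell session is already connected; the policy name `BYOD-Basic` is hypothetical, and blocking non-provisionable devices is an extra assumption not stated in the article.

```powershell
# Added example: Basic BYOD level as an Exchange mobile device mailbox policy.
# Assumes a connected Exchange / Exchange Online management session.
# 'BYOD-Basic' is a hypothetical policy name.

$policyName = 'BYOD-Basic'

# The three Basic controls from the article: passcode, encryption, wipe after 10 failures.
$basic = @{
    PasswordEnabled           = $true
    MinPasswordLength         = 4
    RequireDeviceEncryption   = $true
    MaxPasswordFailedAttempts = 10
}

# Create the policy only if it is missing, so the script is safe to re-run.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # Assumption beyond the article: devices that cannot enforce the policy are refused.
    New-MobileDeviceMailboxPolicy -Name $policyName -AllowNonProvisionableDevices $false @basic
}

# Audit every existing policy against the Basic level and list what each one is missing.
Get-MobileDeviceMailboxPolicy | ForEach-Object {
    $gaps = @()

    if (-not $_.PasswordEnabled)         { $gaps += 'no passcode required' }
    if ([int]$_.MinPasswordLength -lt 4) { $gaps += 'passcode shorter than 4' }
    if (-not $_.RequireDeviceEncryption) { $gaps += 'encryption not required' }

    # MaxPasswordFailedAttempts may be a number or the literal 'Unlimited'.
    $attempts = "$($_.MaxPasswordFailedAttempts)"
    if ($attempts -notmatch '^\d+$' -or [int]$attempts -gt 10) {
        $gaps += 'no wipe within 10 failed unlocks'
    }

    [pscustomobject]@{
        Policy     = $_.Name
        IsDefault  = $_.IsDefault
        MeetsBasic = ($gaps.Count -eq 0)
        Gaps       = ($gaps -join '; ')
    }
} | Format-Table -AutoSize
```

Pay particular attention to the row where `IsDefault` is true, since that policy applies to every mailbox that has no policy explicitly assigned.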
As with everything security related, organizations must find the right balance for staff usability and data security. Think about the risk involved and take it from there. If you don’t have critical data in your mail server, you might be able to get away with a lower-security approach. If all your secrets are in email, or if a breach would cause a PR disaster, consider upping your game.
A version of this article originally appeared on my personal blog.