Implementing a BYOD Policy on Your Network
BYOD seems to be one of the hottest topics in IT security right now. Every day I read about new concerns which can arise when employees access networks with their own devices. From what I experience the adoption of BYOD is on the increase.
We need to look at ways of securing mobile devices and educating users on best practices for using them. It can be very challenging implementing policies which ban the devices completely; someone somewhere will have a very compelling need for using mobile devices when they are out of the office. A properly secured mobile device can become a very useful business tool.
New technologies have also come online which promise to do everything from detecting to blocking mobile devices on your network. There are two main things to focus on for BYOD. Firstly, you need to be aware of what devices are connecting to your network, and secondly, you need to understand what they are being used for. A number of vendors have developed products that claim to be able to detect mobile devices on your network. If you are considering getting something in this space, I would recommend that you check if the solution can also report on what data is being copied to these devices.
You then need to understand why mobile devices are used in the first place. For most people it means the ability to access their work email when they are away from the office. For others it means the ability to access ERP and customer management systems. It is important to check if the mobile applications store any local data.
One of the biggest problems with BYOD is what happens when the devices leave your network. A device that is loaded with company data and emails would be very dangerous if it were to fall into the wrong hands. Most mobile devices come with basic security features like password and gesture locks. However, most people do not enable these, and when they do they use very weak passwords; typing in long passwords on a small screen is time consuming. The inbuilt security features of mobile devices should also be treated with caution, as bugs and flaws can be found in them. An example of this was a bug in the way a smart cover could be used to unlock an iPad 2 when running certain versions of Apple iOS.
You also have the problem of what becomes of the data on mobile devices when an employee leaves their job. In the past you handed back your laptop and your logon account was disabled when you moved on to another job. I don't think it will be well received when you ask an employee to hand over their smart devices so that they can be erased.
If you are going to allow BYOD on your network, the task of educating employees on best practices for securing their devices should be a top priority. Complex passwords to unlock devices should be mandatory, and you should try to spot check whether users are adhering to this policy. If you have to give users access to business applications, try to use web portals as much as possible. Web portals avoid the need to store local copies of data on mobile devices. You should try to ensure that once a user disconnects from your network, no company data remains on their device. A mobile device should be a window for looking in on your work, not a local copy of your work.
Do you have any recommendations for securing mobile devices on networks? Comments welcome.
Darragh Delaney is head of technical services at NetFort. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney