Getting Onboard with BYOD Security: Part 2 How to Do it Right

Four steps that will jump start BYOD at your business

In part one of this BYOD series we presented reasons why you should support a BYOD security policy at your company. There are a lot of great reasons, but these four bubble to the top whenever the topic of BYOD comes up:
  • Saving money (between $300-3000 per employee per year)
  • Increased productivity and employee satisfaction (34% bump in productivity and 87% increase in employee retention)
  • Employees are probably doing it already (between 30-50% of employees already use personal devices for work)
  • Ease of use and adoption (which is what this post is all about)
In this post we’re going to cover the four things you need for a successful BYOD program:
  • Setting up BYOD security policies
  • Setting and communicating expectations and responsibilities
  • Education on why you’re doing it and how it will work
  • Choosing the right Mobile Device Management (MDM) platform for your company
As we talked about in the previous post, because BYOD use is popular, there are a lot of examples to follow from other companies. We have learned over the years what makes a successful BYOD program—and what doesn’t. The most critical parts of a successful program are the first three points. Getting policies, expectations, and education right makes the technical part of BYOD (the MDM) simple. These three factors are the foundation for BYOD and will determine the success of your implementation. They affect the benefits (productivity and engagement), the risks (security, privacy, and data loss), and how everything fits together. We’ll start off simple with setting your BYOD policies.

1. Setting BYOD security policies that work

When you’re drafting your BYOD policies, keep the end goal in mind—you want employees to follow the policy so everyone can reap the benefits and mitigate the risks. BYOD policies—keeping in mind people started using personal devices at work before you made it official—need to balance flexibility with security.

Above all else, employees must know that these policies are designed to protect their privacy, company data, and customer privacy. Those are three things you cannot compromise on. According to BYOD and mobile security experts, here are the main things you need to cover (via 3Points and DMS Technology):

  • Permitted devices: If your MDM doesn’t support iPhones, and most of your employees use iPhones, that’s not the right choice for you.
  • Approved apps for company data storage: For example, can you store company files on Google Drive or Dropbox?
  • Password policies: Not only how complex passwords are, but also using different ones and how those passwords are managed through an app.
  • Employee departure: How to deal with data employees have on their BYOD and what to do with it when they leave.
  • Additional device security measures: Such as device password brute force protection, passwords for apps and email, and secure app features.
Managing all your productivity apps will be a post for another time, but it’s important to keep in mind the example of the United Nations. The UN accidentally shared passwords and other sensitive information stored on a variety of cloud-based tools, and they didn’t know until the news broke. Why? No one was monitoring what apps people were using in the UN. It is easy to sign up and start using these tools without oversight from IT. Setting policies and expectations is key to establishing a secure BYOD program and is a good first step in preventing this type of scenario from happening to your company. It’s easy to get extremely detailed when creating a BYOD policy, but to start, we suggest you cover the basics on devices, apps, and security and work on other issues as they come up. Your BYOD policy should be flexible and adaptable, and it should grow with your company so you continue to gain the cost savings and productivity gains that come with the program. With a policy in hand, it’s time to start setting people’s expectations.

2. Set BYOD expectations early

There are two parts to setting BYOD policy expectations at your company:
  1. How you expect employees to use the devices for work and how they will protect company data.
  2. How employees are expected to balance work and life when they literally have work in their pocket all the time. It’s easy for people to forget how sensitive company information is and it’s just as easy to slip into the habit of checking work emails all the time. Everyone needs boundaries and BYOD is no exception.
One of the first and most important expectations you need to instill in employees is that they need to protect company and customer data on their devices. Employees need to remember company data is just as private as their own information. Employees wouldn’t want their banking information made public, and you don’t want sensitive company information made public either. Protecting information goes beyond not leaving your phone unlocked out in the open or being careless and losing your device. Protecting information means:
  • Refraining from downloading suspicious apps
  • Keeping your phone updated
  • Using strong passwords to lock the device.
  • Knowing basic email phishing practices.
As you move from policy to expectations to education with employees, you can make it clear what it means to carry work data around all the time. Access to work data and apps on your own device does make things easier, but it also comes with a responsibility to protect that data as well. And because you have access to work apps, email, and files at the tap of a finger, it’s easy to never disconnect from work. Say you have a moment of quiet on the weekend, what’s the harm in checking an email or two?

The harm is never fully recharging to give your best at work. The harm is always working and not living.

Yes, it’s tempting as an employer to email in the evening or over the weekend, but it’s essential for employees to have a healthy work-life balance. Just because you can check that email or catch up on some chats in the company Slack channel doesn’t mean you should.

3. The more you know—education is key

Expectations naturally flow into education. Why are we using an MDM on our personal devices? Because an MDM platform creates a secure connection between your phone and our data, confidential information doesn’t leak out:
  • You don’t have to worry about company files or emails being intercepted when you’re using free WiFi (not that you should use free WiFi without security—but that’s a topic for another day). Evil Twin hacks are very real.
  • Why shouldn’t we download that free version of the cool app that usually costs $5? Because it’s probably a fake app with malware that is just posing as the real app.
  • It’s important for employees to know the risks, the real risks, when using their personal devices for work. Helping people understand how your BYOD policies are going to help protect their personal data as well as company data makes the transition from informal to formal BYOD security practices much easier.
BYOD security policies are designed to make using personal devices at work safe and secure for everyone. It’s not just convenient. It’s not just to be more productive or save money. Formalizing BYOD means everyone needs to make sure they have passcodes on devices. They don’t keep a list of company passwords with their shopping list on their phone. It’s realizing that every new productivity tool or file sharing service or project management app comes with the risk that the sensitive data you put in might leak out somehow. The last thing to stress is while security and privacy risks are real, they can be managed. The internet is not a wild and dangerous place with danger behind every link. There is bad stuff out there, but a little education goes a long way to avoiding it.

4. Finding the right MDM for you

With the foundation for your BYOD program set (policy, expectations, and education) it’s time to put the technology part into place—a Mobile Device Management (MDM) system. An MDM is comprised of two parts:
  1. App management of what’s installed on employees’ phones
  2. The server software to manage the devices.
Most MDMs work the same way with server and app parts to the system. Some MDMs are designed for large companies with hundreds of devices, but there are a few MDMs that specialize in helping small to mid-sized enterprises manage devices and get a handle on BYOD security. When you’re looking at MDMs, here are some of the things you should consider:
  • Types of devices supported: If most of your employees have iPhones and iOS isn’t supported by the MDM, it’s not going to work for your company.
  • Types of apps included: Beyond just managing and securing the device, are there secure apps for email, chat, and file sharing? Do the apps support collaboration? If the goal of BYOD is improved productivity, your MDM needs to offer tools to help people work better together.
  • Ease of installation: The best situation is when employees can install the software themselves by clicking a link and downloading an app. Anything more complicated is going to take longer to deploy and could be frustrating and time consuming.
  • Additional IT expertise: Do you need extra IT resources to set up and support it?
  • Customer care on-demand: Can you get support from the MDM company when you need it? If things go wrong, will there be someone there to help you?
  • Cost: Cost shouldn’t be the only factor in your decision, but how much an MDM costs is important. You need to find an MDM that gives you the features you need, can grow with your company, and is affordable too.
After you choose an MDM service, getting started should be very easy. An ideal flow will look like this:
  1. Your employees will be emailed a link to enroll their devices on the MDM.
  2. Employees click the link—it’s important to let them know the email is coming and it’s okay to click the link—and download the MDM controller app to their phone.
  3. This app registers their phone on the MDM and then creates a secure area on their device for the other workplace apps like secure email, secure chat, and secure file sharing.
  4. Employees will need to enter a special password to get into their new work apps, but the benefit is extra security and protection for company and personal data.
  5. On the employer’s side, the administration area allows a company to add new devices, manage devices connected to the MDM, and, if an employee loses a device, delete the work information remotely.
Some MDM systems allow companies to control what can be downloaded on the device and even if functions like the camera work. For BYOD, these kinds of restrictions aren’t always practical, but the options are there if needed.

Having BYOD security policies is great, and an MDM brings it together

If you are going to support BYOD security policies at your company, you need an MDM to ensure devices and data are protected. BYOD will save you money and make employees more productive, but those gains can’t be at the cost of security. Policies and education will only get you so far—technology brings everything together and makes the whole system mesh. If you’d like to learn more about the SKY WORK MDM solution for SMEs, get in touch with us and we’ll show you why SKY WORK is the right choice for businesses that want to get down to business, not get tangled up in IT.