Technology never stops moving. Last month's devices, never mind last year's, can quickly become old news, to be replaced by a plethora of new, increasingly productive devices. While buying a new device, for the consumer, carries barely the weight of buying a new pair of shoes, the implications for businesses and IT departments can be far reaching.
With new, increasingly productive devices becoming common place, BYOD is moving beyond laptops and the workplace walls and into everyday life. Already, more than 60 percent of employees access business-related information through mobile devices and that number is growing. Alongside all of these mobile devices, the expanding wearables market also presents new challenges for company security, bringing new functionality into the workplace not previously considered by many IT departments.
Here's what the enterprising IT professional needs to consider to keep pace with the ever-changing world of IT and BYOD.
1. Routine IT hygiene.
First and foremost, review your BYOD policy. If you don't have one, it's imperative to put one in place. It is important to have a well-defined policy that not only helps to educate employees on proper security protocols, but also dictates required enrollments.
Mobile device management (MDM) software, for example, is an important tool to consider including in your BYOD policy. MDM software helps to secure company data when a device is lost, stolen or improperly transferred, but requires compliance and authorization by the device owner. With MDM, IT is granted a number of important capabilities, such as remotely wiping a device of any company-related data. MDM capabilities can range from wiping specific data, resetting a device to factory settings, or even wiping its contents entirely and rendering it useless. MDM permissions should be clearly identified in BYOD policy.
2. Upgrades and hand-me-downs.
Long gone are the days of keeping the same phone or computer for years on end. New devices are constantly entering the workplace, and trusted and registered devices are leaving the hands of employees and ending up elsewhere. When your employee gets a new phone, where does the old one go? Does it end up in their kids' hands? Or possibly in the pocket of a stranger who bought it on Craigslist? And does this person inherit access to company resources along with the device?
Periodically petition employees to register new devices with IT, granting IT access, monitoring privileges, and installation of MDM software, and to report the transition of old devices so that access and data can be removed. Often, security applications and company resources are limited according to MAC address, which is device, not employee, specific.
IT should take steps to not only make employees aware and educate them, but take proactive steps to perform an audit. Unusual patterns of usage may give indications that devices were handed off without proper notice. It's important to decommission older devices that are no longer in use by employees or have been handed over to someone else and make sure your list of employees enrolled BYOD and their devices is up to date.
Furthermore, employees need to be reminded to redownload security applications outside of MDM software such as two-factor authentication apps that may be required by company policy. While standard consumer applications often migrate to new devices without any additional action, corporate security applications often require specific registration steps and can be the difference between safe and vulnerable BYOD usage.
3. Wear your own device.
First, educate yourself on what “wearables” are available and their implications for your network. If you don't have one, create an addendum to your BYOD policy around wearables and educate your employees around safe usage. This policy should address what devices are allowed where and when, how they connect to the company network if they do, and requirements around things such as storage of company data and encryption of said data.
Two primary concerns when addressing wearables are whether or not they have network connectivity and whether or not they have audio or video recording capabilities. For example, your average fitness band may not present much in terms of security vulnerabilities, whereas devices like the Apple Watch or Google Glass could present gaping security holes. An employee with a surreptitious recording device can knowingly or unknowingly provide access to sensitive information. Suddenly, the spy scenario of secretly shoulder surfing for passwords is even more realistic. Not only can video be recorded for later inspection, but it can be immediately transmitted alongside other sensitive data. And if a device is lost, there's no telling where those potentially sensitive images or files will end up.
So, what specific steps should you take to ensure safe use of wearables?
First, devices should also only be granted corporate network or WiFi access via enrollment and any network connection and data stored on the device should be encrypted.
Rather than trying to anticipate all future wearable form factors, have your IT do a firsthand inspection of devices for what capabilities they have and encourage employees to declare any wearables that they bring into their work environment. Employees should be taught they can’t get away with a “concealed carry” mentality.
Furthermore, post written notices that cover when and where wearables can be used inside your company. Specifically call out what can and cannot be recorded by employees with these new devices. It is a good idea to include HR in the discussions about wearables. Recognize that beyond data and information protection, wearables may introduce HR related issues. Imagine the issues created by having your employees wearing Google Glasses or other recording devices into your place of business restrooms.
4. BYOD outside the workplace.
While BYOD is commonly understood to mean employees bringing devices into the physical workplace, the workplace is no longer defined by walls and increasingly productive devices mean that it is no longer defined by specific work hours either. With smartphones, tablets, phablets and always-connected devices like Chromebooks becoming the norm, access to company resources can occur intermittently throughout a day from a variety of locations and Internet access points.
Any company with employees who access company resources from outside the office should have clear policies and practices in place that ensure security. Restricting access by MAC address doesn't prevent registered devices from connecting using insecure networks and thereby exposing sensitive data. In addition to registering devices, you may want to require access to certain things by virtual private network (VPN) only, which offers a secure and encrypted connection over unsecured networks, keeping those coffee shop and airport snoopers out.
5. Your BYOD policy is a living document.
In the end, these new, increasingly productive mobile devices can offer multiple benefits alongside their potential security foibles. We are long past the days of simply banning devices outright and now have to deal with their proliferation. Mobile devices are increasingly utilized by even the non-tech savvy employees to the point of multiple devices per employee and are taking usage away from more traditional devices such as laptops, the originators of BYOD.
The key takeaway, however, is that BYOD will never stop evolving. Your company's BYOD policy is an essential part of any IT security policy to secure network and data access and integrity. Your security policy should be considered a living and evolving document, and any new policies need to be actively communicated to employees. Once one surge of devices is over, the next wave is around the corner. (Apple Watch in early 2015, anyone?) Keeping your BYOD policy up-to-date should not be considered merely a yearly activity, but rather an ongoing task.