Jeff Ziplow, MBA, CISA, CGEIT
As the practice of “Bring Your Own Device” (BYOD) to work becomes as much of a business norm as a morning coffee, the question becomes how companies will remain secure, especially those that fall under compliance rules (such as PCI and HIPAA) and are still required to meet those regulations while allowing the BYOD model.
BYOD is a concept where employees use their own personal devices (cell phone, netbook, iPad, etc.) to access their employers’ corporate and private network information. This may include responding to clients’ or managers’ emails, accessing corporate shared networks or even completing financial reports. Some companies that allow employees to use their own mobile devices have a BYOD policy; many others don’t. However, defining and enforcing an acceptable use policy can be tricky regarding devices that are not owned, but managed, by employers.
With the endless security concerns surrounding BYOD, there are a few key areas businesses should consider when developing their own policies and procedures:
Secure the mobile device – The company should strongly consider investing in a mobile software solution that allows all company information (emails, attachments, etc.) to be partitioned from the user’s own personal information. If a mobile device is lost, all company-related information can then be wiped without affecting personal information.
Develop varying levels of service and support options – Not everyone should qualify for premium service and support from the IT Department. Consider creating multiple levels of service and support options based on the type of user and access to critical/confidential information.
Isolate personal data from corporate data on the mobile device – Protect the company’s information assets by segregating this information on the mobile device. Mobile software solutions of this kind typically include a feature that separates the company’s information from personal information on the device.
Enforce strong security policies – All corporate information should be encrypted to prevent data security breaches on a mobile device. This includes emails, attachments and general documents like client documents and business materials.
Enhance acceptable use policies – Require all mobile device users that access corporate resources to sign a formal, documented policy governing the usage, security and responsibilities of using a mobile device in the workplace.
To meet these BYOD challenges head-on, companies have to consider a wide range of issues when writing their policies. By keeping an open mind and staying current with technology trends, employers are, in turn, preparing the end users, the IT department and the management team for what’s ahead and laying the foundation for a secure mobile transition.