Mobile Devices: BYOD Deserves Special Consideration

by Jeremy Miller,Technician
A good majority of people now bring a device of their own to work and many even use their own device at work. There are many reasons that this could be good or bad or down right terrible.

There are always inherent risks when employers allow employees to use a personal device at work especially if the device attaches to the network or has confidential data stored on the device.

Allowing employees to bring their own device can be very beneficial to your organization.

If you choose to allow devices you must understand the risk and create rules that keep the device from being used maliciously.

It is best practice to create an Acceptable Use Policy for Devices. This will cover a variety of things including:
• Proper use during and after-hours.
• What types of apps are allowed to be installed?
• Which type of data will the device be allowed to use.
• How to prevent abuse.

A good AUP will allow a business to allow users to bring in their own devices and use them to increase their productivity without letting the employees abuse the privilege of being allowed to use a personal device at work.

Allowing employees to bring their own device can: increase productivity at a low-cost to the business, make employees happier, and allow users to be reached at any time.

Allowing employees to bring in their own device can be bad as well. The first reason is employees’ abuse devices all the time.

In every workplace there are employees that will use their devices in a matter that is not related to work such as checking Facebook or texting when it is not necessary.

Then there are employees that will want to use their device at work and at home, but will not want to follow the Companies Acceptable Use Policy.

This is not only disobedience but risky, because many of the stipulations in the AUP are to protect the Company’s business flow. Allowing employees to bring in a device that connects to email will sometimes require an IT person to help get the email to sync with the device.

If you do not have onsite IT this can cost you money every time there is an issue with the email not syncing. The ugly part of allowing users to bring their own device is the lack of control and security.

With the lack of standardization each device is at least a little different. On top of that each app installed is a potential risk, especially the free apps that include advertising.

Risks emerge every day, this means that in order to be sure that the device is secure you will have to continuously assess the risk for each device in use.

There is always a risk that your employees could fall victim to social engineering.This is when they either knowingly or unknowingly give away confidential information to a party that is not allowed this information.

This can be mitigated by educating users on a continuous basis, a good way to do this is a lunch and learn style of meeting. All employees with a personal device being used for work should be restricted to which applications they are allowed to download.

This is because each app has its own code and permissions that are required to run it. If the permissions for the application can compromise any data at any point it should be reviewed and then allowed or disallowed.

In conclusion many companies already allow the use of a personal device for work. Trying to implement a plan after allowing the devices is much trickier because you are further limiting a user on their own device.

A plan is absolutely necessary to protect you from legal implications, and to be up front and informative of the consequences for breaking any rules outlined in the Acceptable Use Policy for Devices.

Letting your employees know what is expected will reduce the legal and liability risk that a company may face.