Is Your BYOD Policy Designed to Fail?

Balancing the Scale

Managing information security for a mobile workforce takes a strategic effort before employees are allowed to access company information from personally owned devices. Implementing an effective bring your own device (BYOD) policy requires balancing the employer's fear of exposing the company's information to vulnerabilities against the employee's privacy concerns. Further concerns may arise from legal issues (electronic discovery requests) and from labor rules protecting non-exempt employees in some states. Any BYOD policy should be fully vetted with legal counsel prior to implementation.

Success Keys

The following are three critical components you should consider when developing a BYOD policy:

  1. Address the concerns of the employer as well as the employee by focusing on the responsibilities of each in a clearly written document that formally outlines data ownership, including which company-owned information is considered unrestricted, sensitive, or mission-critical data.
  2. Require all users to sign an acknowledgment that they have read the policy completely and thoroughly understand the implications. Users lose devices, open malicious links, and leave their jobs. Such acknowledgments should clearly communicate that the company may remotely wipe the device if it is stolen or lost, poses a threat to the security of the company’s data or infrastructure, and/or upon termination.
  3. Install software controls to manage all devices authorized to connect to the company network. Utilizing mobile device management (MDM) software provides a way to segregate work-related apps and data completely from employee-owned information.

Setting the Goal

A basic goal of any BYOD policy is to set standards, and that begins with a list of approved manufacturers, model numbers, and operating systems that are eligible for access to the company’s network. In addition, the following acceptable business uses should be considered during BYOD policy development:

  • Provide a list of websites or types of websites and applications prohibited during business hours or while connected to the company’s network.
  • Restrict camera and video capabilities while on company property.
  • Prohibit employees from storing or transmitting proprietary data or illicit material from their device at any time.
  • Prohibit employees from engaging in business activities other than their employer's or harassing anyone at the company from their device at any time.
  • Decide whether to allow employees to access company resources such as calendars, email, documents, and internal networks.
  • Enforce a zero-tolerance policy for emailing or texting while driving; only hands-free calls are permitted while driving.

Don’t Rely on Passwords Alone

While it is critical that mobile devices be protected with strong passwords, additional security features should be considered. Requiring users to verify their identities when accessing company apps and data with secondary authentication methods, such as multifactor authentication, biometric (fingerprint or face) authentication, or other criteria such as device, network, and geolocation, is an effective safeguard that further mitigates risk. For additional security, management should consider requiring mobile users to implement the following features:

  • Lock the device after a set period of inactivity and require a PIN or password to unlock it.
  • Lock the device after a predetermined number of failed login attempts (which will require the IT Department to support those who forget their password).
  • Deny access to company assets for users with jailbroken (iOS) or rooted (Android) devices.
  • Limit company access to only approved devices capable of being supported by the IT Department.
  • Limit user access to predefined user profiles.
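The controls listed above (and the approved-OS list from "Setting the Goal") are the kind of posture checks an MDM evaluates before a device is granted access. The following is an added example, not SBS code or any vendor's API: the policy thresholds, the device field names, and the sample device records are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """Controls from the BYOD sections above; threshold values are constructed."""
    approved_os: dict          # OS name -> minimum (major, minor) version allowed
    max_idle_seconds: int      # longest auto-lock delay the policy tolerates
    max_failed_unlocks: int    # lock after this many failed PIN/password attempts
    allow_jailbroken: bool = False

@dataclass
class Device:
    """Posture as an MDM would report it (hypothetical field names)."""
    os: str
    os_version: tuple
    model_approved: bool       # model is on the company's approved list
    idle_timeout: int          # seconds before auto-lock; 0 = no auto-lock set
    failed_unlock_limit: int   # attempts before lockout; 0 = no limit set
    jailbroken_or_rooted: bool
    mfa_enrolled: bool

def evaluate(device: Device, policy: Policy) -> list:
    """Return every control the device violates; an empty list means grant access."""
    reasons = []
    min_ver = policy.approved_os.get(device.os)
    if min_ver is None or device.os_version < min_ver:
        reasons.append("os-not-approved")
    if not device.model_approved:
        reasons.append("model-not-approved")
    # A missing auto-lock (0) is a failure, not "infinitely strict"
    if device.idle_timeout == 0 or device.idle_timeout > policy.max_idle_seconds:
        reasons.append("idle-timeout")
    if device.failed_unlock_limit == 0 or device.failed_unlock_limit > policy.max_failed_unlocks:
        reasons.append("failed-unlock-limit")
    if device.jailbroken_or_rooted and not policy.allow_jailbroken:
        reasons.append("jailbroken-or-rooted")
    if not device.mfa_enrolled:
        reasons.append("mfa-not-enrolled")
    return reasons

# Constructed policy and two sample devices
POLICY = Policy(approved_os={"ios": (16, 0), "android": (13, 0)},
                max_idle_seconds=300, max_failed_unlocks=10)
COMPLIANT = Device("ios", (17, 2), True, 120, 10, False, True)
ROOTED = Device("android", (14, 0), True, 0, 10, True, True)

if __name__ == "__main__":
    print(evaluate(COMPLIANT, POLICY))  # []
    print(evaluate(ROOTED, POLICY))     # ['idle-timeout', 'jailbroken-or-rooted']
```

Returning every violated control rather than a single boolean gives the IT Department the detail it needs to tell the user what to fix, which the policy text says it will have to support.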

Seek Support

Information Security Officers should not undertake the challenges of BYOD development in an IT silo. The policy development should not only be vetted through Legal but also solicit the input of Human Resources, Accounting, and any other department with potential users. Every potential user (or department representative) should have an opportunity to provide feedback. Managed strategically, a BYOD policy offers the opportunity to reduce costs and increase productivity without compromising security standards.

Questions to Consider

Make sure to ask yourself these questions, and find out the answers, before moving forward with developing a BYOD policy:

  • Will the company restrict employees to certain applications or web browsers on mobile devices?
  • Will the company’s IT Department support users, and to what extent?
  • Which security solutions will the company utilize to securely manage various devices with diverse operating systems connecting to the company’s network?
  • Will the company subsidize device cost or data plan cost (e.g., monthly reimbursements for personal smartphone usage at work)?
  • Will the company monitor activity and location usage? If so, the purpose of the monitoring and when it is enabled should be clearly disclosed.

Written by: Shane Daniel
Senior Information Security Consultant - SBS CyberSecurity, LLC

Posted: Monday, October 7, 2019
Categories: Blog