10 steps for writing a secure BYOD policy

The 'Bring Your Own Device' trend is simply the latest vector to threaten corporate security, but there are remedies to these threats that will satisfy both IT and end users.
Written by Joe McKendrick, Contributing Writer

The following is a guest post from Bill Ho, president of Biscom.

By Bill Ho

Bring Your Own Device, or BYOD, is a topic that is not going away – smartphones and tablets are being adopted at such a high rate that companies are almost compelled to support them. When a CEO, managing partner, or principal of a firm wants to use his or her device, IT sometimes has no choice but to support it and find ways to secure it.

With the right security policies, BYOD is a positive force: Bill Ho, president of Biscom

BYOD is a net positive for organizations as it promotes more responsiveness, more accessibility for workers, and higher worker satisfaction with being able to work on their schedule. However, IT staff responsible for corporate security now have a new and complex challenge to solve – supporting employees who bring their own devices into the corporate fold while maintaining the security and confidentiality of sensitive company data. CIOs know that it’s not just a technical issue but that BYOD may also require corporate policy changes and additional education for end users.

Corporate security policies vary by industry vertical as well as within specific verticals. The nature of the electronic data that a company gathers, processes, and disseminates can vary greatly. The increasing scrutiny required today, the demand for more privacy, and regulatory requirements are forcing companies to create more stringent policies.

At odds with this is the increased porosity due to a more connected and networked environment. Synchronization applications, remote access, VPNs, and corporate portals create a sieve that IT must plug to ensure only authorized users have access to internal information or risk violating some information security policy. Personal apps also pose risks – rogue applications installed by the user potentially have access to sensitive corporate data because the device is now tied into the company’s network.

The main security challenge lies in the dual-use nature of mobile devices – a stolen or lost corporate laptop, on the one hand, will probably already have security measures built in such as whole disk encryption and authentication requirements. But smartphones and tablets, especially personal devices, eschew these added layers of protection in favor of ease of use, simplicity, and quick access.

One of the biggest new dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in the corporate security fabric to synchronize files to a mobile device, the user is potentially creating a new channel through which confidential corporate information could leak. Many companies have decided to shut off access to these synchronization tools until there’s a way to manage them as enterprise applications with centralized control, granular permissioning, and integration with directory authentication services.

So how do you prepare your organization to handle these additional security risks? What steps can you take to extend your current network security to cover these mobile security holes?

Mobile devices are simply the latest vector to threaten corporate security, but there are remedies to these threats that will satisfy both the IT group and end users. The following is a 10-point list to help you think about the framework for a BYOD policy that can help you meet your security requirements. There’s no single solution that will solve all issues, but rather a combination of policies, education, best practices, and third-party solutions that can help protect your organization:

  1. Review your current security policies for web applications (CRM, email, portals), VPN, and remote access. Most of these will apply to mobile devices as well.
  2. Determine which devices you are willing to support. Not all devices will meet the security requirements of your organization. Also, physically inspect each device and make sure it hasn’t been jailbroken or rooted.
  3. Set expectations clearly. IT may have to radically change people’s current mindset. Yes, security adds additional layers to wade through, but what havoc would a security breach cause?
  4. Write clear and concise policies for all employees who want to use their personal device. Have anyone participating in BYOD sign your terms of use. Those who choose not to follow your policies should not expect to use their devices.
  5. Make a personal identification number (PIN) mandatory.
  6. Enforce encryption of data at rest – any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
  7. Determine which types of apps are off-limits. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device?
  8. Provide training to employees to make sure they understand how to correctly use their applications, make the most of their mobile capabilities, and watch for suspicious activity. Once you’ve embraced BYOD, promote it.
  9. As mobile devices become conduits for information to flow, look for apps that include auditability, reporting, and centralized management. Many current apps will not meet this requirement.
  10. Consider mobile device management software that can provide secure client applications like email and web browsers, over-the-air application distribution, configuration, monitoring, and remote wipe capability. Note that some providers require applications to be rewritten specifically to support their platform, so you may find that some of your applications will not run in the solution you pick.

As technology evolves, so will BYOD policies and practices. Just when you think you’ve covered all your bases, a new “must have” app demanded by your user population will break it – and you’ll have to find ways to accommodate the app. But by defining your overall goals and setting up guidelines and policies early, you can lay the foundation as well as provide the flexibility you need to meet your security requirements and keep up with changing trends.
