You probably know that some (if not all) of your employees are using their own mobile devices at work. Sometimes it’s work-related (think quick fact-checking on their smartphone during a meeting) and sometimes it’s personal (think quick Facebook check during the same meeting). CIO calls Bring Your Own Device the “new normal,” and whether you approve or not, it’s happening. Do you have a policy in place that addresses this new reality? You should, because you need to make sure your employees don’t inadvertently leak sensitive information.
Keep in mind that employees love their devices, and they may feel a bit defensive when you inform them they pose a security risk. Follow the suggestions below to avoid misunderstandings when you create or review your BYOD policy.
Don’t Let Corporate and Personal Data Mix
It’s too easy for corporate and personal data to get mixed up in a BYOD world. Don’t rely on employees to devise their own systems to prevent this. Instead, give them a tool that does it for them. You can provide access to corporate data via a VPN that lets employees access and work with corporate data in the cloud only, with a firewall in place that prohibits them from copying data to another device.
Another solution enables employees to create separate workspaces for their personal and corporate information through a cloud-based system. BlackBerry offers a mobile device management platform that gives management control over all employee devices, including the ability to lock and wipe them should they get lost or stolen.
Provide Training on Security Rules
Tell employees they are part of the solution to data security. Provide training that explains the risks to the business and to themselves. Explain what they can and can’t do when accessing the business network, and make sure they understand that remote wiping only targets corporate data. Give them a set of standards to guide their activities. Ask them to sign a statement that holds them accountable for their activities with mobile devices, and make their agreement part of the training process. The Cisco blog features further guidance on getting employee buy-in to these security measures.
Be Flexible and Expect a Few Snags
Any new corporate-wide policy is bound to have a few glitches at first. Don’t go overboard when your BYOD policy misses a spot, and make sure everybody knows to expect some wrinkles in the early days.
Similarly, be prepared for new issues to pop up. Case in point: Healthcare facilities, known for their strict privacy rules, are now dealing with staff wearing Google Glass in operating rooms. No one could foresee this when BYOD policies were first crafted. Keep a flexible approach to effectively deal with new issues as they arise.
Offer Alternatives to Policy Objectors
No matter how hard you try, someone will object to a BYOD policy. These objections usually relate to two essential elements: a wipe policy and a device location app. Rather than allow employees to sidestep BYOD rules, offer them a standard device that you control through your enterprise management system. Make it clear that this device will be fully subject to the BYOD rules, that it is only to be used for business purposes, and that the offer will protect the employee from any exposure of his or her personal information.