4 1/2 Things to Consider for Enhancing Computer Network Security for BYOD
With BYOD firmly taking hold in many organizations, there’s a growing concern about how to best manage the use of personal devices accessing company data and information. And rightly so, given the computer network security exposure it creates. In a recent ZDNet blog, Ken Hess suggests:
BYOD brings risk because you're allowing user-owned devices within your network. You're allowing users to attach to corporate assets, to access corporate documents and to interact with users inside and outside of your network with those non-corporate owned (controlled) devices… MDM or MAM suites don’t resolve mobile OS-related security problems nor do they completely insulate you from malicious, ignorant or stupid users. If you know anything about computer support, people are never guilty of changing anything, installing anything or deleting anything essential to the operation of any computing device in their care.
So… with this impending doom approaching, what are computer network security professionals left to do? Well, for starters, relax. Sure, there are issues that need resolving, but what day do you show up at work without issues that need your attention? Here are 4 ½ things you should consider as your company embraces (willingly or not) BYOD:
1. Work with your employees to manage passwords. This should be the easiest part of the security equation, and yet it is often the most overlooked. Make sure employees change their passwords regularly, and to something that contains the required alpha and numerical characters, something beyond the ‘pa$$w0rd’ stuff that so many non-techies (and some techies) fall back on. Take a peek at LastPass as a possible corporate ally. Maybe it’s time that you move away from user-generated passwords entirely?
2. Can’t beat ’em, join ’em! People are going to use their personal devices for business, and you’re going to face an uphill battle making social media usage against company policy. Why not simply create a policy that embraces social media usage within certain guidelines, including managing the applications that employees are running and using? You’ll have to separate work from fun, but with balance there’s success. The more your employees use social media according to company policy, the better exposure your brand will get, and your employees will embrace a social media policy if it encourages rather than bans.
3. Create a company-specific BYOD policy. It’s not easy to create a BYOD policy specific to your company’s needs, but it’s critical. Which devices are acceptable and which are not? What data can be accessed by a personal device and what data cannot? Some companies have regulatory controls that need to be considered when it comes to data (HIPAA and PCI DSS, for example), so your policy needs to be individualized. Take the time… it will pay off.
4. If you really require more secure BYOD access, think VPN. BYOD devices can support VPN, and while it may be a little more complicated, if your company requires more security I think you’ll find that managing access via VPN will be a lot easier than trying to ban BYOD altogether.
4 ½. BYOD is going to happen, so stop fighting it. BYOD is here to stay. It’s not going away. You will succumb to it regardless of what you do short of setting up metal detectors at the entrances of your organization. While it may be a hassle in the short term, dealing with it now will likely result in productivity benefits to your organization down the road.
The bottom line with BYOD is that you’re going to have to deal with it, so why not do it now and do it right? Read the Infosecurity article – CSOs discuss practical approaches to BYOD – and follow some of our suggestions on computer network security and you’ll be fine.
Have you implemented a BYOD security policy? If so, we’d love to hear from you, so drop a comment below.