7 Questions to Ask When Creating a BYOD Security Policy
Bring Your Own Device (BYOD) offers significant potential for increased competitive advantage. A study by Cisco found that 69% of IT decision makers prefer it, since workers spent an average of 80 minutes per week working on their own devices. According to a report by Forbes, Intel saw an annual productivity gain of 1.6 million hours, and VMware saw efficiency rise to $2 million per year.
However, before embracing BYOD, IT teams need to review their security protocols. All the connected devices represent potential access points to your organization and the data you store.
Start with a specific BYOD security policy. Consider the types of data your organization stores and the types employees can access. If you’re dealing with personal information such as banking or healthcare data, then you need to strictly control which devices can access this data and how. Beyond this ultra-sensitive data, be smart about who has access and how this data is used. You may also want to set a BYOD ceiling that limits the number and types of devices employees can connect.
Ask yourself these seven questions:
- Who has access to the organization’s network? You need to understand thoroughly what your digital footprint looks like – what channels are exposed and what partners, employees, and other stakeholders are accessing on these devices as part of their scope of work.
- What process is currently in place to check the security on BYOD devices? Depending on the size of your organization, it may not be feasible to check each device in play, but you need a protocol in place to provide employees with the right tools to ensure their devices are secure. It could be as simple as stronger passwords or encryption; a lot depends on the data you’re storing and the risks of its exposure.
- Have you recently conducted a comprehensive scan of all ports, vectors, and protocols? Scan all network ports and identify the IT equivalents of open windows and unlocked doors. The most common malicious network scans search for vulnerabilities in a standard range of 300 ports, where the most common vulnerabilities are found. (However, you may have over 60,000 ports on your network that could be suspect.)
- What does the network require for outside access? A simple test is to try to access the network from the outside and see what is needed to gain entry.
- How are employees accessing the internal network? Do not assume that all data breaches come from outside the network; in fact, many come from inside. Check what information employees are accessing. Should there be restrictions based on seniority or by job function?
- What other network entry points are there, and are they secure? Wireless networks such as Wi-Fi, Bluetooth, and RFID, as well as rogue devices, can be easy access points to your secure company data.
- When was the last time employees were updated on the corporate security policies? You may want to consider a hands-on employee education process as part of your policy distribution.
Embracing BYOD can produce substantial productivity gains, but it also poses security challenges. The answers to these questions can help you create a smart BYOD security policy that delivers the positive aspects of BYOD without the security headaches.