BYOD, short for Bring Your Own Device, is the common practice of allowing employee-owned devices to connect to business networks. Smartphones are the most common example, but employees also bring their own laptops, tablets, and USB drives. The important security implication is that your business has no knowledge of the security, or insecurity, of those devices. Companies need to be very cautious about where they allow these devices to connect into their network.
The BYOD situation is exacerbated by employees working from home (due to COVID-19), flexible work schedules, and employees on the go (traveling). For all these reasons, and others, BYOD has become much more common today than it was even 5 or 10 years ago. Your company needs to decide its position on whether to allow BYOD to manage and access corporate data and networks. This decision is sometimes driven by the sheer cost of providing every remote employee with a laptop (not always tenable), combined with the type of data your company processes (low-risk vs. high-risk data). No one answer is right for every company. Below you will find some common recommendations from CyberHoot.
What does this mean for an SMB?
IT departments must decide whether and how they will secure personal devices and what access levels those devices are granted. Most importantly, a defined BYOD security policy should inform and educate employees on how to use BYOD without compromising organizational data or networks. Important components of BYOD policies include:
- Approved devices allowed to connect (company issued devices being primary)
- Minimum requirements for security software (anti-virus, anti-malware, fully patched systems)
- Security and data ownership and download policies (can employees download company data to these devices?)
- Levels of IT support provided to personal devices (if any)
In a perfect world, SMBs would only grant Internet access to the BYOD devices that employees bring to work. Place these devices on a Guest network to allow for personal use such as scheduling doctor’s appointments, taking emergency family calls, etc.
Unfortunately, we live in a world that’s far from perfect. With COVID, many businesses were forced to allow BYOD to connect to and manage company data. In these cases, communicate your expectations clearly to each employee. Have them sign off on a purpose-built Mobile Device Management policy with the prescriptions and prohibitions outlined above.
Strong BYOD security integrates with your overall IT security and use policies. It is advisable to prevent BYOD from connecting to your trusted or privileged network, but CyberHoot recognizes that is not always possible.
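The Guest-network isolation recommended above (Internet-only access for BYOD, no path to the trusted or privileged network) can be enforced at the router that joins the VLANs. The following nftables ruleset is an added illustration, not CyberHoot's own configuration; it assumes a Linux firewall where `vlan30` is the guest Wi-Fi, `vlan10` is the trusted LAN, `wan0` is the Internet uplink, and internal networks use RFC 1918 (IPv4) or ULA (IPv6) addressing.

```nft
#!/usr/sbin/nft -f
# Assumed interface names: vlan30 = guest network for BYOD,
# vlan10 = trusted LAN, wan0 = Internet uplink.
flush ruleset

table inet byod_guest {
    chain forward {
        # Default-deny between networks; only the rules below open a path.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept

        # Guest devices never reach the trusted LAN. Log before dropping so
        # attempts show up in the firewall log for review.
        iifname "vlan30" oifname "vlan10" log prefix "byod-guest-to-trusted " drop

        # Belt and braces: block guest traffic to any private address range,
        # including networks reached through other routers.
        iifname "vlan30" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname "vlan30" ip6 daddr fc00::/7 drop

        # Guest devices get Internet access only.
        iifname "vlan30" oifname "wan0" accept

        # Trusted LAN keeps its normal Internet path.
        iifname "vlan10" oifname "wan0" accept
    }
}
```

Load it with `nft -f <file>` and confirm from a guest device that internal hosts are unreachable while public sites still load; the `byod-guest-to-trusted` log prefix is what to search for when reviewing blocked attempts.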