Most companies I work with have adopted a Bring Your Own Device (BYOD) policy for mobile devices. The story goes:
- All our employees already have their own smartphones,
- We don’t want to pay for another device, and
- We don’t want to make our employees carry another device
So we’ll just ask them to use their personal device for work. In some cases, the company will reimburse the employee for part of their phone/data bill. In other cases, they won’t (lame). Regardless, though, the general expectation is that employees will be checking their email and calendar using their personal device. Less frequently, employees are expected to also view or even edit documents from mobile (using Google Docs, MS Office, Dropbox, or similar).
Now the company needs some way to protect its corporate data. What if a personal device gets lost or stolen? What if an employee's roommate picks up the phone? What if the phone gets infected with malware? If we were talking about a company-owned laptop, the answer would be straightforward: harden the machine, install company-managed antivirus and firewall, lock down the operating system, manage backups, and so on. But since we're talking about a personal device, we can't simply do that. You have to find a balance between letting employees do what they want with their own device and safeguarding your corporate data.
I’ve outlined four different “levels” of BYOD (the last one isn’t really BYOD). These were made with Exchange (or Exchange Online) in mind.
Basic: allow any personal device, but require the following minimal security controls: a passcode of at least 4 digits, device encryption, and a full device wipe after 10 failed unlock attempts. Additionally, staff must be aware that the IT team can remotely wipe the entire device, and may do so under certain circumstances (e.g., a reported loss or theft). Most companies I work with adopt this policy due to its minimal effect on usability.
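As an added example (not the author's configuration), here is how the three Basic-level controls map onto an Exchange ActiveSync mobile device mailbox policy, typed into the Exchange Management Shell or an Exchange Online PowerShell session. The policy name, mailbox address and device ID are placeholders; the inactivity lock is an extra setting not listed in the policy above; and the account-only wipe is assumed to be available only on newer Exchange builds and clients.

```powershell
# Added example: Exchange ActiveSync policy for the "Basic" BYOD level.
# Placeholders: policy name "BYOD-Basic", mailbox "alice@example.com", "<device-id>".
# Exchange 2013+/Exchange Online cmdlet names; older servers use New-ActiveSyncMailboxPolicy
# with Device-prefixed parameter names (e.g. -DevicePasswordEnabled).

# 1. Create the policy.
#    PasswordEnabled + MinPasswordLength 4 is the "4-digit passcode";
#    AllowSimplePassword lets a purely numeric PIN satisfy it (set $false to forbid 1234-style PINs).
#    RequireDeviceEncryption refuses sync from unencrypted devices.
#    MaxPasswordFailedAttempts 10 makes the device wipe itself locally after 10 failed unlocks.
#    MaxInactivityTimeLock is an extra control not in the blog's list (assumed sensible default).
New-MobileDeviceMailboxPolicy -Name "BYOD-Basic" `
    -PasswordEnabled $true `
    -AllowSimplePassword $true `
    -MinPasswordLength 4 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -MaxInactivityTimeLock 00:05:00 `
    -AllowNonProvisionableDevices $false
# The last setting is the check that matters: ActiveSync policies are enforced by the mail client
# on the device, so a client that cannot (or will not) apply the policy must be refused sync,
# otherwise the "controls" above are only a suggestion.

# 2. Make it the default so every mailbox without an explicit policy gets it.
Set-MobileDeviceMailboxPolicy -Identity "BYOD-Basic" -IsDefault $true

# 3. Optionally pin it to a specific mailbox (e.g. for a pilot group).
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "BYOD-Basic"

# 4. Verify which devices are actually syncing and whether each one acknowledged the policy.
Get-MobileDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceId, DeviceType, DeviceOS, DeviceAccessState,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync

# 5. The "IT can wipe the device" part. A full remote wipe of one device:
Get-MobileDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq "<device-id>" } |
    Clear-MobileDevice -Confirm:$false

# Account-only wipe (removes the corporate mailbox data and leaves personal data alone);
# assumed to require a recent Exchange build and a client that supports it:
# Clear-MobileDevice -Identity "<device-id>" -AccountOnly
```

Two practical notes: the wipe is queued server-side and only executes the next time the device syncs, so a thief who pulls the SIM and keeps the phone offline never receives it, which is why the local wipe-after-10-attempts and encryption are the controls that actually protect a lost device; and `DevicePolicyApplicationStatus` is worth reviewing periodically, since a device that reports the policy as not applied is exactly the device the policy was written for.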
Intermediate: allow any personal device (with similar security controls as above), but only allow access through the Outlook mobile app (as opposed to the "native" mail, calendar, and contacts applications). This confines corporate data to a single application, so the user can simply delete the app if all corporate data needs to be removed, and the user does not have to grant the IT team remote wipe rights over the whole device. However, it does require the user to use separate applications, so there is no "unified" view of personal and corporate contacts (for example).
Higher: explore third-party Mobile Device Management (MDM) solutions to further restrict data exfiltration (for example, preventing copy and paste out of email). MDM solutions add another layer of administration, but allow more control over the device. Some examples of recommended controls that require MDM include: blocking jailbroken or rooted devices, controlling location services, and restricting use of the personal hotspot. This type of solution is usually not adopted by companies with BYOD since it requires users to relinquish even more control over their own device to the IT team. I've seen this implemented in companies operating in industries where security is of high concern (e.g., the finance sector, defense).
Highest level: combine MDM with a no-BYOD policy. This option requires the company to provide a device to any user who needs a mobile device to perform their job, in the same way laptops are issued. This solution is rarely chosen by the companies I work with (which are typically in the 30-300 staff range) due to the increased administration and costs involved, and the big usability "hit" end users experience (having to carry two smartphones).
As with everything security related, you have to find the right balance for your organization between usability and security. Think about the risk involved and take it from there. If you don’t have critical data in your mail server, you might be able to get away with a lower-security approach. If all your secrets are in email, or if a breach would cause a PR disaster, consider upping your game.