Equipping devices with applications like Apple’s iCloud Find My Phone, Lookout, or Air-Watch can assist users or IT managers in locating a lost or stolen device and remotely “wiping” a device of all its data if necessary. While this is an important feature, it comes with risks which need to be properly documented in the BYOD policy and communicated to end users.
Toms recommends that employers “ensure that access to corporate data can be easily discontinued and business policies are adhered to. Most modern email systems allow remote wipe and other security policies to be applied to the phone when emails, contacts, or calendar functions are synchronized with corporate resources.”
As we’ll discuss with procedural solutions, employees need to understand that in the event the device is lost, all of their own personal items on the device (such as music, pictures, documents, and applications) will potentially be wiped from the device. As an extra measure, Mike Dodson, president and CEO of Lotpath, Inc. in Fresno, CA, comments, “Companies should carry sufficient commercial insurance to cover employee devices being stolen, damaged, or lost.”
Installing and using virtual private network (VPN) software or similar encryption solutions when accessing company resources, such as customer relationship management (CRM), enterprise resource planning (ERP), or sales applications, should be a mandatory requirement of every BYOD policy according to the sources we interviewed.
Another concern relates to malware protection. “If you have an employee with a personally-owned Android device, you have another potential entrance point for malware,” Osterman states, adding, “most malware out there is directed at Androids.” Mobile device management solutions, such as Lookout, help protect against viruses or malware being installed on the device.
Procedural Solutions
For employee-owned devices, no technology solution will completely eliminate the risk of company data or networks from being compromised. Thus, a company BYOD policy needs to be established, communicated, and understood so employees are able to benefit from this offering. As Toms explains, “Before giving employees access to business resources, employers should clearly communicate that business policies will be enforced. Even though the devices are owned by the employees, the data belongs to the employer.”
The BYOD policy can begin with a list of suitable devices. The list can be a combination of devices with reasonable built-in security (such as locking tools) and devices the IT team can quickly configure because they are familiar with the device and operating systems. Dodson reports that employees at Lotpath use a variety of devices including Android phones, iPhones, iPads, and Kindle Fire tablets.
The policy can also list specific applications which should be installed on the device (such as a VPN app or mobile device management app) as well as applications that cannot be installed (such as file sharing). Industry or governmental partners may also guide these decisions—if a partner has certain security or trade requirements for viewing, using, or storing data on mobile devices, this should be outlined in the BYOD policy.
