4 Ways Employers Can Improve Data Security and Reduce Risk in a BYOD World
Published by Eric A. Welter on July 31, 2015
Personal electronic devices are a fixture of daily life in the modern era. In the United States, nearly every adult, on average, owns at least one personal electronic device (laptop computer, smartphone, tablet, etc.), and increasingly, those who own them also bring them to work.
In the last several years, many employers have instituted “bring your own device” (BYOD) programs in the workplace, permitting employees to use their personal electronic devices to access proprietary networks and data. While such policies can save substantial money by avoiding the cost of buying each employee their own work device, such policies also expose the company to significant risks.
Permitting employees to use their personal devices to access corporate networks, download company files, and upload completed projects to their employers’ servers increases the possibility of file corruption, virus infection of corporate systems, and the misappropriation of proprietary information.
The following are four policy changes employers can make to reduce the risks associated with BYOD policies.
1. Institute a BYOD employment agreement.
Employers should require their employees to sign a BYOD agreement and establish a personal device use policy outlining the permitted uses of their personal devices for work purposes, and imposing data restrictions on the employee.
The agreement and policy should discuss what type of employer data the employee is permitted to download and/or view on the device, as well as a protocol for uploading material to corporate systems. The agreement should also discuss the penalties for violating the provisions of the agreement, potentially including the prohibition of future device use while at work and restricted access to company network resources.
Further, employees should be advised to back up their personal data from the device to another location. Lastly, the agreement should state that the employee is providing the employer and its IT department with access to the device, as well as permitting certain controls over stored data, apps and the use of appropriate security measures. More on this below.
2. Implement app ‘kill switches’, antivirus software and IT access.
As part of the agreement described above, employers should require that employees permit the employer’s IT department or third-party IT provider to have access to the device upon request, and agree to certain controls over use and content.
One possible control is an app ‘kill switch’, which would permit the employer to deactivate and delete an app that is in violation of the BYOD agreement or is otherwise prohibited by the device use policy.
New apps are developed daily, and untested apps or apps developed by a less-than-reputable source can contain malware and viruses that can be transferred from the employee’s phone, tablet or computer to the employer’s network.
Employers should also require the employees to install antivirus software on their device(s) as a precaution to prevent local infection and the spread of any malicious software to other employees’ or corporate systems.
Finally, employers are strongly encouraged to condition BYOD use on the employee’s agreement to surrender the device to the IT department for inspection and, if necessary, potential formatting or other technical adjustments. Without these protections, employees may not be able to successfully remove all of the malicious material upon discovery, and the device could then affect or re-infect the corporate system.
3. Establish a data breach response protocol.
Effective crisis management requires a pre-established plan to address a given emergency. Employers should work with their IT staff to develop a data breach response protocol that can be implemented should the above-referenced efforts prove ineffective.
Employers should be ready to activate the plan upon learning of a data breach. The protocol may include efforts such as restricting personal device access to corporate systems until the situation is resolved, inspecting data transfer and email traffic to determine the source of the breach, and preparing a press release or corporate statement addressing the breach and the company’s response in order to stay ahead of the crisis. Consult with an IT security professional to determine the best protocol for your enterprise.
4. Provide employee education and training.
While this may appear to be the most obvious step, employee education regarding data risks and training on the appropriate use of personal devices and the response to a suspected breach can be the most effective method of limiting potential harm.
Employers can incorporate mandatory training into their new employee orientation procedures and distribute updates and refreshers on an annual or as-needed basis.
Requiring employees to certify that they have completed the required data security training as part of their BYOD agreement can also encourage compliance with the education process and reduce the possibility of negligent activity resulting in harm.
Be prepared for personal device use to increase as new technologies develop. Employers should take a proactive approach to employee device use and data security in the emerging BYOD environment.
Since legal precedent on personal device use in employment situations is still very much in development, employers are advised to stay up-to-date on new security protocols rather than count on reactive legal remedies.