Asking people to use their own devices certainly offers several advantages. It can lower company costs and improve efficiency and effectiveness. Mark Coates, a VP at Good Technology, notes that “By enabling employees to securely and easily access corporate data on their own device, productivity levels will naturally increase. In terms of cost savings, there are huge benefits, since SMBs will not have to manage and fund a second device for employees”.
Tony Bradley of PC World states that “when companies embrace BYOD policies, they have advantages over competitors. Some of these advantages being lower costs to the company since employees already own these devices and employee satisfaction and familiarity with the devices. Obviously, they’d rather use the devices they love rather than being stuck with laptops and mobile devices that are selected and issued by the IT department”.
On the other hand, the obvious downside is the difficulty of controlling private and sensitive information. Data breaches can occur and have occurred. Software and hardware are replaceable, but company data is not. In a BYOD workplace, organizations lose much of their control over the equipment and how it’s used. After all, how do you tell an employee what they can and can’t do with their own laptop or smartphone? Company-issued devices, by contrast, are protected by company-issued security that is controlled by the IT department.
Government guidelines offer advice to companies considering a BYOD policy. The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, has the following to say.
Teleworkers who use a BYOD desktop or laptop (PC) for telework should secure their operating system and primary applications.
Securing a BYOD PC includes the following actions:
- Using a combination of security software, such as antivirus software, personal firewalls, spam and web-content filtering, and popup blocking, to stop most attacks, particularly malware.
- Restricting who can use the PC by having a separate standard user account for each person, assigning a password to each user account, using the standard user accounts for daily use, and protecting user sessions from unauthorized physical access.
- Ensuring that updates are regularly applied to the operating system and primary applications, such as web browsers, email clients, instant-messaging clients, and security software.
- Disabling unneeded networking features on the PC and configuring wireless networking securely.
- Configuring primary applications to filter content and stop other activity that is likely to be malicious.
- Installing and using only known and trusted software.
- Configuring remote access software based on the organization’s requirements and recommendations.
- Maintaining the PC’s security on an ongoing basis, such as changing passwords regularly and checking the status of security software periodically.
Teleworkers who use a BYOD mobile device for telework should secure it based on the security recommendations from the device’s manufacturer.
- Limit access to the device, such as setting a unique personal identification number (PIN) or password not used elsewhere, and automatically lock a device after an idle period.
- Disable networking capabilities, such as Bluetooth and Near Field Communication (NFC), except when they are needed.
- Ensure that security updates, if available, are acquired and installed at least weekly, preferably daily.
- Configure applications to support security (e.g., blocking activity that is likely to be malicious).
- Download and run apps only from authorized app stores.
- Do not jailbreak or root the device.
- Do not connect the device to an unknown charging station.
- Use an isolated, protected, and encrypted environment that is supported and managed by the organization to access data and services.
They go on to say, “Sensitive information, such as personally identifiable information (PII) (e.g., personnel records, medical records, financial records), that is stored on or sent to or from telework devices needs to be protected so that malicious parties cannot access or alter it. An unauthorized release of sensitive information could damage the public’s trust in an organization, jeopardize the organization’s mission, or harm individuals if their personal information has been released”.
As you can see, a lot of thought needs to go into deciding whether this practice is right for your workplace. If you’re still not sure, check out the link below for a detailed graphic checklist.