Creating a BYOD policy
Employees use their smartphones for texting, emailing, reviewing documents, browsing the web, sharing photos online, and many other activities. So the first issue that an IT department faces when crafting a BYOD policy is deciding how far a personal device that does all of this may also reach into corporate resources, and which internet resources it may access and download while it does. The key questions that an IT department might address in a BYOD policy include:
- What device types will be supported? Smartphones, tablets, laptops, and wearables? Only certain devices? Or whatever the employee wants?
- How will employees connect to the network? Will virtual private networks (VPNs) and virtual desktops be required?
- Which compliance issues need to be addressed in the policy?
- What applications and websites will be blacklisted? Whitelisting only approved sites is stricter, but it is harder to maintain (the list needs constant updating) and it greatly restricts what employees can do with devices they own.
- Which work resources can the device access? Email is typically allowed, but not access to sensitive materials such as legal proceedings or personnel records.
- Will access to public Wi-Fi networks be forbidden? Unless the device routes its traffic through a VPN, connecting over a public network is risky: the operator, or anyone else on the network, can observe unencrypted traffic and tamper with DNS or captive-portal pages.
- What steps should employees take when their device is lost or stolen?
Each department will have different concerns about device security, so a best practice for BYOD policy creation is to invite representatives from several departments to participate. IT, human resources, security, and legal departments each have different concerns and needs related to device security. Gaining their input helps ensure a more successful policy.
Another important element in creating a BYOD policy is security awareness training. Data and device security can be reinforced with in-person and computer-based training on the:
- Risks to mobile devices.
- Methods that cybercriminals use to compromise employee accounts.
- Potential impacts to the organization.
- Specific measures employees are expected to take to safeguard their devices and work applications.
BYOD endpoint security solutions
Below are some BYOD security solutions to consider:
- Encryption. Encrypting mobile data protects it from prying eyes. Most modern devices have native full-device or file-based encryption that, when enabled and backed by a strong passcode, keeps data at rest unreadable to anyone but the authorized user; a policy should require it to be turned on. Available software products can encrypt some or all data on a device. Email is a common device app that benefits from encryption. Emails often travel across the internet, so the mail client should connect only over TLS, and end-to-end encryption (such as S/MIME) protects the message content itself. Texts and calls can also be encrypted.
- Mobile device management (MDM). MDM software provides basic device security. MDM can enforce security policies (passcode, encryption, OS version), update applications, track device location, encrypt files, and remotely wipe the device if it's lost or stolen. It can also create an isolated environment for work applications by dividing the device's resources between work and personal use. Alternatively, it can create a container on the device to house work applications and data. Containerization provides a safe sandbox, with separate password and security policies, for work activities; on a personal device it also makes a selective wipe of only the work data possible, which employees are far more likely to accept than a full device wipe.
- Mobile threat defense (MTD). MTD is a rapidly growing category of mobile security software that offers a more proactive approach to security than MDM. The Gartner Market Guide for Mobile Threat Defense Solutions predicted that 30% of organizations would have MTD by 2020, up from less than 10% in 2017. MTD and MDM together provide complementary protection for mobile devices.
MTD continuously monitors the device to detect and stop suspicious network or device activities. MTD software can detect malware, changes in settings, and insecure SSL/TLS connections. MTD products, such as McAfee MVISION Mobile, may incorporate machine learning to learn normal patterns of activity and identify deviations from them as malicious. This behavioral approach can flag previously unseen (zero-day) attacks that signature-based detection would miss, at the cost of some false positives that need tuning. MTD applications may also provide compliance controls to help guarantee that employees and their mobile devices remain in compliance. Another useful feature is the ability to detect phishing attempts in text messages and links, social media applications, and email messages.
- Identity and access management (IAM). While not a mobile security application, IAM is an important addition to BYOD security. Using IAM software, an IT department can assign specific access rights to users based on their jobs. This role-based access gives employees the least privilege needed for their jobs, while ensuring that data and applications are not unnecessarily exposed; the IAM decision can also take the device's MDM or MTD compliance status into account before granting access.
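The following is an added example, not code from the original page or from McAfee, showing how the pieces above combine into one access decision: a role-based permission table (IAM), baseline device requirements an MDM would enforce, and an MTD health signal, with the page's rule that email is generally allowed on BYOD devices while personnel records and legal proceedings are not. The role names, resource names, and posture fields are hypothetical, and the decision logic is deny-by-default.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed role -> permitted resources table (hypothetical roles/resources).
# Anything not listed for a role is denied by default.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "employee": {"email", "intranet"},
    "hr": {"email", "intranet", "personnel_records"},
    "legal": {"email", "intranet", "legal_proceedings"},
}

# Sensitive resources that additionally require a managed work container
# (MDM) and a healthy MTD agent before a permitted role may reach them.
SENSITIVE_RESOURCES = {"personnel_records", "legal_proceedings"}


@dataclass
class DevicePosture:
    """Device state as an MDM/MTD agent would report it (hypothetical fields)."""
    encrypted: bool          # native device encryption enabled
    os_current: bool         # OS at or above the policy's minimum version
    work_container: bool     # work apps/data isolated in a managed container
    mtd_healthy: bool        # MTD agent installed, running and not reporting threats
    compromised: bool = False  # rooted/jailbroken or malware detected


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_access(role: str, resource: str, posture: DevicePosture) -> Decision:
    """Combine the IAM role check with device posture; any failed check denies."""
    reasons: list[str] = []

    # 1. Role-based check: unknown role or unlisted resource -> deny.
    if resource not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"role '{role}' not permitted for '{resource}'")

    # 2. Baseline posture every work resource requires (what MDM enforces).
    if posture.compromised:
        reasons.append("device compromised (rooted/jailbroken or malware detected)")
    if not posture.encrypted:
        reasons.append("device encryption not enabled")
    if not posture.os_current:
        reasons.append("OS below minimum version")

    # 3. Sensitive resources need the work container and a healthy MTD agent.
    if resource in SENSITIVE_RESOURCES:
        if not posture.work_container:
            reasons.append("sensitive data requires a managed work container")
        if not posture.mtd_healthy:
            reasons.append("sensitive data requires an active MTD agent")

    return Decision(allowed=not reasons, reasons=reasons)


def explain(role: str, resource: str, posture: DevicePosture) -> str:
    d = evaluate_access(role, resource, posture)
    return f"{role} -> {resource}: " + ("ALLOW" if d.allowed else "DENY: " + "; ".join(d.reasons))


if __name__ == "__main__":
    # Constructed sample postures.
    compliant = DevicePosture(encrypted=True, os_current=True, work_container=True, mtd_healthy=True)
    no_container = DevicePosture(encrypted=True, os_current=True, work_container=False, mtd_healthy=True)
    rooted = DevicePosture(encrypted=True, os_current=True, work_container=True, mtd_healthy=False, compromised=True)

    print(explain("employee", "email", compliant))
    print(explain("employee", "personnel_records", compliant))
    print(explain("hr", "personnel_records", no_container))
    print(explain("hr", "personnel_records", compliant))
    print(explain("employee", "email", rooted))
```

Because every check appends a reason instead of returning early, a denied user (or the help desk) sees all of the conditions that failed at once, and the role check and the posture checks can be maintained independently: IAM owns the table, MDM/MTD own the posture fields.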
BYOD security requires both a thoughtful BYOD security policy and advanced BYOD security solutions. Endpoint security technologies such as encryption, mobile threat defense, mobile device management, and identity and access management can provide the elements needed to ensure an organization's security while providing employees the convenience of using personal devices.
McAfee MVISION Mobile uses machine learning algorithms to analyze device behavior and detect malicious activity. MVISION Mobile sits directly on mobile devices to provide always-on protection no matter how a device is connected—via a corporate network, public access point, or cellular carrier—and even offline.