Many businesses have started making the switch from company-provided equipment to Bring-Your-Own-Device (BYOD). For an employer, this has many advantages. First, you don’t have to buy your employees a device for work. Second, employees get to use whatever personal devices they feel comfortable using.
You should be aware of some cyber security concerns before allowing personal devices to be used at your organization. First, personal devices don’t have the same level of protection as your corporate PCs and mobile devices. You also have no control over how these devices are used outside of corporate hours.
Another potential challenge is employees bringing personal devices to work solely for personal use. Think of all your staff who bring in cell phones and want to connect to corporate Wi-Fi. Most companies address this challenge by creating a guest network for BYOD. Traffic on the guest network avoids the corporate networks and goes directly to the Internet, and employee personal devices are allowed to connect only to the guest network. This approach significantly reduces the risk associated with letting your employees use their own devices at work.
How do you address this issue?
Good question! You should have a BYOD policy stating employees’ rights and responsibilities regarding company data on personal devices. Furthermore, your policy may need to address the employee’s responsibilities in using their personal device to access company information. You should also mention IT support. This includes what will be provided for the employee when they use their own device, like system updates and backups. However, there is a lot to consider when crafting a BYOD policy. At a minimum, your policy should spell out the following:
- Acceptable use: what applications are employees allowed to use on their personal device?
- Minimum required security controls for devices
- Company-provided components, such as SSL (Secure Sockets Layer) certificates for device authentication
- Company rights for altering the device, such as remote wiping of lost or stolen devices
- Multi-factor authentication requirements for access to all company data on personal devices