Your BYOD security policy should include specific measures to mitigate business data risks. Start with basic steps:
- Encrypt business data stored on personal devices with strong encryption. Full device encryption
- is best, but if that isn't feasible, all business data should be stored in encrypted folders on the device.
- Routinely update hardware and apps to the latest versions to mitigate the risk of someone exploiting a known vulnerability.
- Make sure that devices are registered before they connect to the company network. This allows network administrators to detect unauthorized devices on the network.
- Authenticate devices using Secure Sockets Layer certificates before they are allowed to access network resources.
Consider whether your business needs additional controls from its BYOD security policy. IT might need the ability to remotely wipe a personal device if it's lost or stolen, for example. If that's the case, the employee should authorize this measure during the device registration process. Some mobile device management (MDM) systems provide sandboxes for corporate data that can be remotely wiped without erasing the device's personal contents.
If you don't want employees to inadvertently agree to share corporate data downloaded to their endpoint devices, consider an MDM system that supports app blacklisting.
More on BYOD security policy
BYOD security policy, not MDM, at heart of smartphone security
Mobile device security policy essential to BYOD security
Alleviating BYOD security issues using private cloud
The levels of access granted to users should be based on their roles and responsibilities in the organization. IT can partly enforce access control policies with information from a centralized directory, such as Active Directory. Many organizations already use such directories for access control, and some MDM applications can use them as well.
Keep in mind government regulations, licensing requirements and industry standards that apply to your business. Health care providers, for example, must comply with the Health Insurance Portability and Accountability Act, which requires measures to protect patient data. Encrypting sensitive data at rest and data in motion is essential.
Financial services industries must protect confidential customer information under the Gramm-Leach-Bliley Act, but they and other public companies are also required to protect the integrity of financial reporting data under the Sarbanes-Oxley Act. Be sure to consider access controls -- using both device-based methods and network services -- to comply with data protection requirements. Technical controls are only part of BYOD security best practices. Enterprises should train employees in security awareness.
For average users, security training doesn't have to be an in-depth technical endeavor. The goal is to educate them about the ways attackers use technical and social engineering techniques to undermine security measures.
In addition, security awareness training should include best practices for working with sensitive information on personal devices. This training can include advising employees to take these measures:
- Report lost or stolen devices that have been used to access the business network.
- Minimize the use of personal email accounts to transmit business information.
- Keep device operating systems up to date.
- Consider the access rights given to applications. This is especially relevant for free apps. Ask how the app developers fund the development of their products. You might be agreeing to share substantial amounts of personal and possibly corporate data.
In addition to protecting personal devices and any sensitive data stored on them, a BYOD security policy should also address data in motion.
About the Author
Dan Sullivan has a master's degree in computer science, and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.
This was first published in August 2012