BYOD — Personal Mobile Devices in the Workplace

Personal mobile devices present unique challenges in the modern workplace. Many companies work very hard to secure their networks from uncontrolled connections, only to expose them to their weakest link: their employees! It is good industry practice to maintain policies and procedures establishing controls around employee-controlled devices connecting to organization-controlled networks — even if those controls forbid such connections.
Completely forbidding access to company-owned networks from non-company-owned devices is one of the most secure policies you can establish for your information security program, but this option is not always feasible. Providing all employees with a company-owned device is another great choice, but more often than not this is out of budget. It is entirely possible to allow for a flexible work environment without compromising security.
By taking precautions and enforcing security controls, you can tackle most risk head on while still reaping the benefits of allowing the use of personal mobile devices.
Depending on your specific industry regulations, there may be requirements you need to meet that dictate how you manage mobile devices, both personal and company-owned, connecting to your network. ISO 27001, FedRAMP, NIST, and others all require that security controls be put in place to manage the risks associated with the use of personal mobile devices on networks owned and operated by your business. Common requirements spanning all industries include physical protection of the device, restrictions on which networks it may connect to, and the use of cryptography on the mobile device in question.
Consider requiring employees to use different mobile devices for business and for private use, and to only connect to the company network using their business device. A variation on this option is the enforcement of software use that supports the logical separation of business and private data on a mobile device used for both personal and corporate functions.
Even better would be to require specific settings on all mobile devices used to connect to the network. Controls such as the following can be implemented on virtually all mobile devices:
- Screen lock requiring a password to gain access to the device
- Use of biometric passwords
- Timed auto-lock
- Maintaining up to date software
- Storing backups of all business data held on a mobile device in a separate and secure manner
- A remote management client allowing a “remote wipe” of devices for which the user has signed authorization over to the company
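The controls listed above only help if they are checked before a device is allowed onto the network. The following is an added example, not code from the original article: it encodes those six controls as a machine-checkable compliance rule set over a constructed device inventory, with the auto-lock and patch-age thresholds being assumed values, not figures from the article. A missing value is treated as a failure rather than a pass.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy thresholds (not from the article); tune to your own policy.
MAX_AUTOLOCK_SECONDS = 300   # auto-lock within 5 minutes
MAX_PATCH_AGE_DAYS = 30      # OS update no older than 30 days


@dataclass
class Device:
    owner: str
    screen_lock: bool                  # password required to unlock
    biometric: bool                    # biometric unlock enrolled
    autolock_seconds: Optional[int]    # None = auto-lock not configured
    last_os_update: Optional[date]     # None = unknown / never updated
    backup_enrolled: bool              # business data backed up separately
    remote_wipe_consent: bool          # signed remote-wipe authorization


def check_device(d: Device, today: date) -> List[str]:
    """Return the list of failed controls; an empty list means compliant."""
    failures = []
    if not d.screen_lock:
        failures.append("screen lock not enabled")
    if not d.biometric:
        failures.append("biometric unlock not enrolled")
    # Unknown auto-lock counts as a failure, not as a pass.
    if d.autolock_seconds is None or d.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        failures.append("auto-lock missing or longer than policy")
    if d.last_os_update is None or (today - d.last_os_update).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS software out of date")
    if not d.backup_enrolled:
        failures.append("business data not backed up separately")
    if not d.remote_wipe_consent:
        failures.append("no signed remote-wipe authorization")
    return failures


def network_access_allowed(d: Device, today: date) -> bool:
    """Gate network access on full compliance with the control set."""
    return not check_device(d, today)


# Constructed sample inventory for illustration.
TODAY = date(2024, 6, 1)
COMPLIANT = Device("alice", True, True, 120, date(2024, 5, 20), True, True)
NONCOMPLIANT = Device("bob", True, False, 900, date(2024, 1, 1), False, False)

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        print(dev.owner, "allowed" if network_access_allowed(dev, TODAY) else check_device(dev, TODAY))
```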
It is especially important to emphasize the physical security of any and all mobile devices that connect to the company network and therefore may hold sensitive information. Mobile device users should remain vigilant when carrying the mobile device outside of company property. Care should be taken to be aware of the environment and to avoid accidentally leaving the device in a public space such as a city library, coffee shop, or taxi. Make sure to train your employees on the dangers and responsibilities of carrying sensitive data outside of company property.
Most importantly, be sure to document and disseminate the controls you put in place to protect your organization, and have version control in place to make sure they are up to date. Security measures cannot be enforced if employees are not aware of them. Only you can decide what controls are right for your business and your employees. Your personnel are simultaneously your weakest link and your greatest asset for security. Arm them with the knowledge they need to protect themselves and your business through documentation and training.
