Scan your desk, drawers, and work bag quickly. Did you see a cell phone? A smartphone? A tablet? A non-company owned laptop? Most likely, your answer is “yes.”
If that’s the case, then your employees also likely have one. Every day these devices engage with your networks and present security threats. Although many small and mid-sized businesses allow personal devices, not all understand how to best protect their data environments from the cybersecurity threats they present. Creating an effective Bring-Your-Own-Device (BYOD) policy and monitoring employee security protects your enterprise and your customers.
What is a Bring-Your-Own-Device Policy?
Interchangeably referred to as a Bring-Your-Own-Device (BYOD), Bring-Your-Own-Phone (BYOP), Bring-Your-Own-Personal-Computer (BYOPC), and Bring-Your-Own-Technology (BYOT) policies, these documents establish security rules for employee-owned devices.
Most employees are going to bring their smartphones to work. They’ll want to connect them to the WiFi network just as they would connect any other device. What they (and possibly you as the business owner) don’t always think about is the security risk that poses. Protecting your data environment while also making sure that employees retain their privacy rights walks a difficult legal tightrope. Creating the appropriate policy for your business requires you to balance information security risks with employment law issues.
What are some of the employment law issues I need to worry about with a BYOD Policy?
Personal devices provide employers with a constantly connected workforce. While the ability to work remotely provides employees with flexibility, it can also risk your data and your status as a compliant company.
Employees may not realize they’re storing your information on their devices. Old devices containing stored information can get lost or resold and put your data at risk. Accidentally downloaded malware can also lead to information leakage, and stolen devices may lead to stolen passwords.
Employees who terminate their employment, either willingly or not, often retain company information on their devices. Former employees present both a technical and personal risk. On the one hand, the information may be negligently compromised. The other concern is that terminated employees can also become a malicious data risk if they’re angry with the company.
Fair Labor Standards
Constantly connected employees make businesses more profitable in theory. However, remote access also creates an issue regarding hours worked. You need to ensure that your company is meeting fair labor requirements by tracking employee time for those protected by these laws, whether they are in the office or pulling in long hours from home or on travel.
Many states have privacy laws protecting employee social media use, even if they do it on a company-owned device. You can’t request or require access to their social media accounts and may not be allowed to access employee-protected healthcare information that could also be stored on their device.
What are some of the data security issues presented by employee devices?
You may prefer not to give out your network password to employees because you don’t want them connecting their devices to your corporate wireless network. However, maintaining control over the devices that connect to your networks doesn’t always protect you. Even if your employees are only using their cellular data while in your office, they can still put your information at risk.
Everyone has lost a cell phone or misplaced it at some point in time. Even if the employee recovers the device, information on there could have been compromised. Even if the employee isn’t doing work from their device, they may have texts or social media messages discussing privileged information. Moreover, many employees store passwords on their phones either through password management applications, automatically through their settings, or in notes applications. If they lose or misplace a device, they create a cybersecurity risk even if they never connected that device to your private corporate network.
Phishing, smishing (texts that link to malicious websites), whaling and other social engineering attacks compromise mobile devices as much as they compromise corporate-owned devices. These attacks place any information on the devices at risk, even information that you don’t know is there.
Employees connect to public wireless networks regularly, whether at the local Starbucks or the airport. Employees trying to speed up their connections or trying to save data put your information at risk. Moreover, the increase in the Internet of Things (IoT) use means that they are also allowing their phones to be continuously Bluetooth discoverable. Both unsecured networks and Bluetooth discoverability leave devices vulnerable to hackers trying to gain access to mobile devices.
What should a BYOD Policy include?
You want to protect your data, but you also need to be aware of employee rights. All of this makes creating a BYOD policy difficult. Work devices are in your control, but employee devices may not be. To protect your information as well as your organization, you need to maintain a policy detailing employee device use and ensure employees understand their responsibilities. The following are topics covered in BYOD policies, so you can make decisions that most directly apply to your business and working style.
Defining “Acceptable Use” for your employees is the first step to creating an effective BYOD policy. Employees need to know exactly how they can use their devices in the office.
You can include a variety of uses focused on your own business needs, including but not limited to:
- Use that directly or indirectly supports business.
- Personal use limited by reasonable time spent on personal communication and entertainment.
- A list of websites and application that are blocked during work hours or while connected to company networks.
- Disabling camerasInformation never allowed to be stored on a device.
- A list of websites and application allowed such as social media, productivity, news, and weather applications.
- A list of applications not allowed.
- A list of company resources that employees can access from devices such as email, calendars, contacts, or documents.
- A zero-tolerance policy for texting/emailing while driving.
- A policy requiring hands-free talking while driving.
Devices and Support
Your employees may either be using devices you own or the devices they own. While you can’t control the devices that your employees purchase, you can control what they bring into the office. Older devices, for example, may not have the most updated operating systems and thus open you to a security risk.
This part of the policy should provide information including but not limited to:
- A list of smartphones that details acceptable brand, model, operating system, and version and anything else your risk assessment deems necessary.
- A list of tablets that details acceptable brand, model, operating system, and version and anything else your risk assessment deems necessary.
- Issues for which your employees should contact their device manufacturer or carrier
- Requiring employees to bring devices to the IT department for configuring applications such as browsers, productivity tools, and security tools before allowing network access.
Having a BYOD policy also requires you to think through the implications of reimbursement, even though it is not a security issue. If you require employees to work from home or require certain devices, you also need to let them know how much financial support you’re going to offer them.
This part of the policy should incorporate at least some of the following:
- Whether you will reimburse part of the cost of a device.
- How much the company will reimburse (either a specific amount or specific percentage).
- Whether you will help pay for a data plan either as an allowance, the entire plan/phone, or a percentage of the plan/phone.
- Whether you will reimburse for additional charges, including but not limited to roaming or overages.
- Who owns the software and data on the device being used?
If your employees are accessing your networks, then you have the right and obligation to detail your security requirements. If you don’t discuss this with employees, then they may not know the risks their devices pose.
To ensure security over personal devices, you should determine which of the following you want to apply to your organization:
- Password protecting devices according to the device’s abilities.
- Requiring a strong password for the device if it accesses the networkDefinition of a “strong password."
- Automatic device lock requirements.
- Number of failed login attempts before the device locks and needs IT to reset access.
- Forbidding employees from using devices that bypass manufacturer settings (i.e. jailbroken or rooted devices).
- Preventing downloading or installing applications not on the “allowed” list.
- Preventing devices not listed in the policy from accessing the network.
- Preventing employee-owned “personal use only” devices from connecting to the network.
- Restricting employee access to company data based on the user profiles your IT department defines.
- When you can remotely wipe the device, including but not limited to when the device is lost, when the employment relationship ends, and when IT detects a data breach, policy breach, virus, or another security risk to your data environment.
You’ve protected yourself as much as possible. However, in a litigious society like ours, you need to make sure that everyone knows what you are responsible for and what you’re not responsible for.
In this section of the policy, you’re laying out your legal protections so that you aren’t sued for a variety of events including but not limited to:
- Employee backing up their data in case the IT department needs to do a remote wipe of the device.
- Ability to disconnect devices or disable services without notifying the employee.
- Employee requirement to report lost or stolen devices within 24 hours.
- Employee requirement to notify their carrier about a lost or stolen device.
- Employee liability for device costs.
- Expectations for ethical device use.
- A requirement that employees use devices only as allowed in the acceptable use section.
- Employee liability for risks including, but not limited to, operating system crashes that cause information loss, errors, bugs, viruses, malware, and/or software and hardware failures, programming errors that make the device unusable.
- Disciplinary action, including employment termination, against employees not following the policy.
How Zeguro Simplifies BYOD Policy Creation
Simplifying the complexities of security is our goal. Zeguro’s platform incorporated easily customizable policy templates to help you rapidly transition into a compliant organization. Our Acceptable Use template helps you create an enterprise BYOD that matches your size and information assets.
With our employee training modules, you can supplement your BYOD policy by empowering your employees with up-to-date information covering mobile device security and public WiFi threats.
For more information about ways Zeguro can help you get compliant, contact us to schedule a conversation.