Create a Bring Your Own Device Policy where Both Employee & Employer Win
Christmastime is a popular time for people to get new devices. Do your employees bring their own devices into work and connect them to your network? Do you have an existing Bring Your Own Device policy? If you don’t already have a policy regarding employee-owned devices at work, creating one should be on your list for this year.
Protecting Your Network
If the devices brought in are not managed in any way by your company, they can open up a major attack vector once they are on your network. Short of barring all devices from being brought into the workplace, you should provide separate internet access for employee devices or manage the devices themselves.
A separate network would entail a special WiFi connection for employees that allows no access to your internal network. This may not be an ideal solution, though, because employee devices can often make people more productive at work, for example by providing a separate touch screen at their desk or access to company resources during a meeting. In that case, managing the devices is the better option.
Using MDM to Set Mobile Policies
You may already have a mobile device management (MDM) solution in place for your business-owned devices. An MDM solution allows policies (such as certificates to access WiFi or shortcuts to intranet sites) and applications to be pushed to the device. It can also allow only approved apps to be installed on the devices. This means a device could be managed so that it automatically connects to a certain WiFi network that is not connected to your intranet, or it can be configured to really lock down the device. Depending on the policy you institute for employee-owned devices, completely locking down the device may not be desirable.
With an MDM-enrolled device, you can specify a certain level of access through the firewall, so you can block sites the same way you do for your company-owned devices. This can prevent phishing and malware from getting in through poor internet browsing habits. Another security benefit of an MDM is remote wiping.
Protecting Lost or Stolen Mobile Devices
There are two options for remotely wiping devices with an MDM. You can choose to fully wipe the device or selectively wipe it. The selective wipe gives you a better option for clearing sensitive data off a device if an employee is leaving the company, because it doesn’t erase the whole device. It can be configured to wipe only company-related areas or disable certain policies enabled while the device was enrolled.
A full wipe resets the device to factory settings. This is something to consider for a lost or stolen device, to remove data that could be used to steal the identity of the device owner, either for purchasing items or masquerading as the owner in email or other messaging services.
Nearly all MDM solutions also offer a lock option, which locks the device with a code specified at the time of locking. This may be more desirable for a lost device because it can prevent the need to reload a lot of data if the device turns up in the bottom of the owner’s bag or drawer.
Strongly consider security when using a WiFi router at your business for employee use. Devices connecting to your network can introduce a lot of issues when they have unrestricted access. Utilizing a Mobile Device Management solution should be part of your Bring Your Own Device policy.