BYOD challenges can be handled through the right policies
Bring your own device (BYOD) is a revolution happening at the user end, and it has taken the infrastructure out of the control of ‘information managers’. While the debate continues over whether BYOD policies save organizations money or cost them, it is slowly emerging that these policies increase complexity while decreasing direct control over information resources. Information security suddenly becomes a prime challenge: the devices are now owned by individuals and used for personal purposes, and the segregation and privacy of work information poses difficult practical problems. A robust BYOD policy coupled with an effective strategy can, to a reasonable extent, help restore control and ensure a smooth transition to the inevitable BYOD revolution.
A strong information security framework and supporting policy guidelines are absolutely critical to ensure a smooth transition. The issue becomes more critical in the absence of clear regulation and requires an ironclad policy that is enforced rigorously. Items typically expected to be included in the policy are: clearly defined information classification; access policy rules for personal devices; user profiling; locking of security settings on devices and operating systems; protection against device loss and data recovery methods; provisions for remote wipe and remote application management; the right to confiscate and search devices; and the right to dictate which applications are allowed and which are prohibited. For example, IBM banned access to Apple’s Siri application, as well as access to Dropbox, on company-managed devices.
In the extremely nebulous legal landscape, it is imperative that these policies be cleared through the legal team to make sure that the language is adequate and that it will work in all applicable jurisdictions. From a legal perspective, it is mandatory to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would normally be used when considering outsourcing partnerships.
The security framework needs to answer questions such as: heavyweight or lightweight security; security at the server level or the client level; security at the device level, application level or information level; and so on. Other issues that cannot be overlooked include bandwidth, software licenses and data plans. Similarly, users’ concerns, such as confiscation of their devices and access to their personal information, need to be addressed. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., non-work text messages, email and instant message logs), will go a long way toward easing those concerns.
Issues arising from people using unmanaged devices (e.g., a user who does not wish to participate in the officially sanctioned BYOD programme) may represent an even greater risk to businesses than those posed by people who willingly agree to follow the rules.
While analysts and experts caution organizations on the importance of having a strong BYOD policy in place, the fact is that many organizations do not pay enough attention to this key point and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it is highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a basic necessity.
A policy is only as good as the people who follow it. Implementing a pilot and revisiting the policy guidelines help in understanding the ever-evolving challenges. Further, policy-making needs to be treated as an evolving process and not a one-time exercise to meet routine compliance or adherence to company policies. It is also important to back policies with technical controls such as mobile application management (MAM) and mobile device management (MDM) applications. Where possible, enforcing device encryption and passwords will help reduce the associated technical risks. Strengthening access management requirements, such as by mandating two-step or two-factor authentication, can further reduce the risk of a lost device immediately leading to a data breach.