There is a movement going on that encourages more employees to bring their own devices to work with them. As the White House puts it, “the implementation of BYOD needs to be an iterative process.” Start with small connections, like allowing workers to receive email on their personal phones or tablets. You may allow monitored Internet access on a guest network.
The benefits of letting employees use their own gear involve better productivity. People are happier using devices they are familiar with, and bringing a computer or tablet to work also leads to higher job satisfaction. A feeling of privilege.
But for the security conscious, BYOD represents a significant risk.
Adding a Device You Have No Control Over
If you’re the type that requires total control over your network and likes to monitor every aspect of it, then BYOD is not for you. It presents a considerable risk because your IT department may not be able to service the device if software is not recognized or the user has other applications interfering with his or her job functions. You may not be able to easily monitor a user’s action to test his productivity either.
Without regular access and proprietary software, your IT department must expand its knowledgebase in order to deal with the sheer number of possible devices. It helps to lay out a policy that details basic security requirements for all users before a device can be brought to work.
Security Holes Created by Irresponsible Users
Users who do not update their operating systems or purchase quality antivirus software are at risk of data theft or malware. Consider the Apple iPhone leak, in which an employee had left his phone in a bar, where a patron recovered and leaked photos of it. The best way into a secure network is through the weakest access points, which are usually low-level employees.
Ask employees to consider these extra steps before joining your network. You do not want private data or a weak access point in the hands of a competitor.
Loss of a Device
When an employee connects to your network to receive his email or retrieve files, the connection is usually left open when the device is pocketed or suspended. If that device were lost, your data could be open to a third party that you have no control over. Be sure that employees report lost devices immediately, and that the devices are blocked and remotely shut down. You can use services like iCloud and Samsung Kies to remotely wipe the iPhone and Galaxy smartphones if you think they are lost.
Also encourage users to routinely back up their data to the respective cloud services, offering Dropbox as an alternative as well. That way you minimize the risk of user’s losing sensitive data they may keep on their person.
It’s clear that letting employees bring their own devices to work presents a significant risk to your data. If employees work with customer data out of a home or café, that data is visible to passersby. If the user logs into an unsecured network and performs a data transfer, that data is vulnerable to attack. If a user contracts a virus, his computer can affect your network.
When considering the ethics and social impact of letting users bring their own devices to work, be sure to talk with your IT department and let them educate you on their concerns. Some departments may be more prepared than others, or may have a device preference that you can work with.