Bring your own device (BYOD), in theory, is a beautiful thing. Employees are free to use their personal devices at work, allowing for more efficiency and flexibility. Not to mention that employers save on outfitting an entire company with PCs, phones and tablets, while at the same time getting a more reachable employee.
Yet the reality of BYOD is a lot more complex. It complicates the discussions around employer and employee rights, how company data can and should be stored on a device that doesn’t belong to the company and what responsibility and accountability an employee has to keep company data secure. These challenges alone seem complicated and difficult to handle. Combine these with the fact that a good BYOD policy must also address the different work and tech styles of three employee generations and their varying levels of tech savviness, and a solid policy seems near impossible to create.
When approaching the problem of creating a BYOD policy that works for your company, a good first step is to understand how your employees use their technology, what weaknesses each is most likely to exhibit when it comes to security and how to address those weaknesses.
According to the U.S. Bureau of Labor and Statistics, the millennial generation will dominate the workforce by 2015. This is also the generation that is driving the adoption of BYOD. Millennials are mobile, work anywhere and everywhere, and the odds are pretty good that, whether or not you have a BYOD policy in place, they will use their personal devices for and during work.
A 2012 survey by Vision Critical found that 36 percent of millennials have broken or would break a company policy banning BYODs. In the same survey, 55 percent responded that using their mobile device at work is a “right” versus a “privilege.” Sixty-six percent of respondents also said that they are responsible for the security of their devices, not their companies. This “do-what-I-want” attitude makes millennials a huge security risk for companies.
When crafting a BYOD policy for millennials, it can be helpful to keep this attitude in mind. Assume the rules are going to be broken and provide them with the tools they need to keep their devices—and your company information—safe.
A few tools to keep in mind:
- This group likes working on the go. Give them a resource to avoid using risky open WiFi networks. A VPN or a hotspot is a good alternative.
- Create and provide standard antivirus and anti-malware protection for all types of devices.
- Separate data and applications from personal devices. Use cloud technologies to provide virtual desktops that employees can access on a browser. This eliminates storage of data on devices.
- Consider proactive monitoring for your company. By proactively monitoring for employee credentials on the Internet black market, businesses can determine when an employee may have been compromised without needing any input from the employee. Businesses can then alert the employee that their device has been compromised and ask them to update their logins and passwords.
On Generation X
Workers in Generation X approach security in a way that is surprisingly similar to millennials. That is to say, they take a somewhat laissez-faire approach when it comes to BYOD security. A 2014 survey by security group Fortinet found around 40 percent of Generation X and millennial respondents said they never change their passwords on devices except when prompted to do so. Forty percent of both groups say they use the same passwords across multiple websites. One area where Generation X had a slightly poorer showing than millennials was mobile security. About half of Generation Xers polled by Fortinet locked their mobile devices, compared to 63 percent of millennials.
These survey results underscore the importance of having a BYOD policy that clearly spells out even the most basic security rules and makes them mandatory, for example:
- Require your employees to update their device passwords every three months, or provide some sort of two-factor authentication method that will mitigate data loss in the event of a lost device or breach.
- Require that employees use a PIN code for any mobile device that hosts company information.
- Require that employees report any lost or stolen devices ASAP.
On baby boomers
It is no surprise that baby boomers are the least technologically savvy of the group. While millennials were born with a cell phone in their hands, baby boomers were born before cell phones, tablets and PCs—some were even born before the advent of color TV. A recent Gartner study found that 61 percent of 65+ year olds still use a basic cell phone compared to 24 percent of 18 to 29 year olds. Similarly, 59 percent of the older group use a desktop PC compared to 41 percent of the younger group. Most baby boomers in the work force have the technical expertise to work on their own devices but may not have the know-how to keep them secure.
With this in mind, a good BYOD policy has an ongoing emphasis on education, training and communication. It should never be assumed that your employees understand all the guidelines spelled out in your policy. Give them easy access to staff members that can explain the policy and help with any technology implementation. Keeping an open line of communication will ensure that employees have access to the technical support they need. It will also give IT the ability to quickly communicate new and emerging threats that employees should watch out for.
A good BYOD policy is never done
A BYOD policy should never be considered complete. Security threats are constantly evolving and a good BYOD policy should be frequently updated to keep up with these threats as well as employee habits. An understanding of the strengths and limitations of your employees and their different ways of approaching security should make this process much easier as well as create a collaborative environment to implement new BYOD security measures.
Joe Ross is the president and co-founder of CSID.
Republished with permission from the International Association of Privacy Professionals (IAPP)