Even before COVID, most employees no longer believed an office presence was necessary for a productive day’s work. Some reports support the idea that greater focus and productivity can come from employees working from home. Other reports support the idea that teams function best when physically present together. What is certain is that remote work has grown since broadband access became widespread and mobile devices became more affordable.
In this post, we discuss BYOD for small businesses and SMBs, including BYOD risks and benefits, how we came to accept lax practices, and steps to take to improve data security in your organization.
In 2020, COVID sent us all home to work remotely.
Well before then, a 2008 Statistics Canada report showed that nearly twenty percent of employees, or 1.7 million, worked from home or remotely.
In 2011, International Data Corporation estimated that by 2015, the United States would have 200 million remote workers. Canadian trends follow.
With Canada cited as a target for increased cyber attacks in 2019 and beyond, it is critical for small to mid-sized businesses (SMBs) that choose to adopt Bring Your Own Device (BYOD) access to address the increased security risk that comes with it.
Summarizing BYOD Risks
The risks an SMB must protect itself against are significant. They include:
- Lost & stolen devices with access to company data
- Hostile employees with access to company data
- Intentional or accidental download of company files to personal devices, making them available outside your secure domain or network
- Unmanaged employee owned devices with little or no security in place, connecting to home or public networks where viruses and malware can be picked up and brought on to the company network
A Special Note About Users
As with IT security in general, the weakest link in a company’s BYOD policy is the human user.
In a 2010 market research study by Dell, 61% of Gen Y and 50% of workers aged thirty and over said they believe their personal devices are more effective and productive than those used in their work life.
Respondents were focused on how security interrupts their preferred method of working on personal devices - not the security risk to the company.
With or without company approval, employees prefer and will work from a device they own and are comfortable with.
While BYOD has many benefits, employers need to ensure their IT infrastructure balances access with security protocols that protect company data and limit user ability to circumvent company security policy.
Summarizing BYOD Benefits
The benefits of BYOD include:
- Productivity: by some estimates, up to 9 hours of productivity per week can be gained with remote work
- Service: remote tools allow employees to respond to clients in real time
- Reduced hardware costs: allowing access from personal devices reduces up-front hardware investment costs for small business owners
A Special Note About Hardware
Company owned and managed equipment is more secure than employee owned devices.
As cyber threats increase, growing companies may wish to consider replacing BYOD with Choose Your Own Device (CYOD) policies, where the company owns all devices connecting to data. Either way, data security is a priority.
One troubling aspect of a published BYOD report is that 52% of the surveyed SMBs are unsure if their data is adequately protected.
While they acknowledge that BYOD puts their organization at risk, just 22% currently have a comprehensive BYOD policy in place.
According to data compiled by the Ponemon Institute, 59% of organizations have experienced a rise in malware infections linked to insecure mobile devices.
The Evolution Of BYOD Risks & Benefits
How did we get here?
Not too long ago, work mobility was practically nonexistent. Employees worked from the office on company owned devices connected to the company exchange and file servers.
Later, select employees may have been issued company owned devices pre-loaded with select work related software.
A high degree of need and trust was required to be granted special permission to access or transfer company owned files.
When BlackBerry phones were introduced, enabling remote email and calendar access, the BlackBerry Enterprise Server made it easy for IT departments to configure and manage the devices securely.
These Choose Your Own Device (CYOD) frameworks were far more secure than the average BYOD setup today.
Soon, mobile devices from other manufacturers became popular; however, they lacked the security tools BlackBerry Enterprise Server offered. For the sake of convenience, these devices were adopted alongside BlackBerry devices for remote work purposes.
Today, it is not uncommon for small businesses to jump into open access to company data for employee owned devices of any make and model, without any input from an IT professional, and without any BYOD security or management tools in place.
iPhones, Android phones and a myriad of tablets and laptops are all connecting to company data, insecure home networks, and risky public WiFi hotspots without enough security in place.
What BYOD For Small Business Should Include
Without stringent data management policy and controls in place, employers are unable to adequately protect company and client data, and this is true whether the company or the employee owns the device. Here are ways for SMBs to reduce risk.
Choose Your Mobile Device Management (MDM) Tools
MDM tools allow you to create secure policies for devices connecting to your data. They can enable and enforce:
• User authentication – who can connect to company data
• Password Policy – enforce secure passwords that meet minimum requirements
• Enforce data encryption – prevent non-encrypted devices from connecting
• Enforce screen locks – extra protection on devices leaving the premises
• Remote Device Wipe – in the event of theft, loss or employee exit, company data can be wiped from employee owned devices
Obtain User Consent
Clearly define remote wipe capabilities.
Obtain written consent from employees to remotely wipe a lost or stolen device.
Obtain written consent to remotely wipe company data from a personal device in the event of employee departure from the company.
Create An Acceptable Use Policy
Address user behaviour by creating and enforcing your Acceptable Use Policy.
IT security has multiple layers. One often overlooked layer is users and user behaviour. It is important to define acceptable and unacceptable behaviours for working remotely. Be sure to communicate your Acceptable Use Policy to your employees upon hiring them. Review the policies at team meetings to combat complacency. Make it clear that exceptions to the rules cannot be allowed. Good cyber security habits must be adopted into company culture.
Clearly define what types of devices are allowed. Most Mobile Device Management tools have device specification minimums. In addition, you want to lower your cost of managing devices by limiting the number of models supported by your IT providers.
Clearly state rules for web browsing, app downloads, public WiFi use, and data transmission or storage guidelines for any device connecting to the company network.
Enforce Conditional Cloud Only File Access
Many SMBs will only allow employees to access and edit documents in the cloud; local downloads to personal devices are not permitted. These administrative control options are available in professional MDM tools for platforms such as Office 365 and G Suite. They are effective in reducing data leaks. Your IT support company can help you set up the right systems so you can use these security tools.
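As an added illustration (not part of the original post and not any MDM vendor's API), the Python below models how the MDM checks listed earlier and the cloud-only rule above combine into one access decision per device. The policy thresholds, field names, the "full access for company-owned devices" rule and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy values; set them to match your own Acceptable Use Policy.
POLICY = {
    "min_passcode_length": 6,
    "max_screen_lock_seconds": 300,
    "approved_platforms": {"ios", "android", "windows", "macos"},
}

@dataclass
class Device:
    user: str
    platform: str
    company_owned: bool
    mdm_enrolled: bool
    encrypted: bool
    passcode_length: int       # 0 means no passcode set
    screen_lock_seconds: int   # 0 means screen lock disabled
    wipe_consent_signed: bool

def violations(d: Device) -> list[str]:
    """Return the policy checks this device fails, in a fixed order."""
    failed = []
    if not d.mdm_enrolled:
        failed.append("not enrolled in MDM")
    if d.platform not in POLICY["approved_platforms"]:
        failed.append("unsupported device type")
    if not d.encrypted:
        failed.append("storage not encrypted")
    if d.passcode_length < POLICY["min_passcode_length"]:
        failed.append("passcode too short")
    if not 0 < d.screen_lock_seconds <= POLICY["max_screen_lock_seconds"]:
        failed.append("screen lock disabled or too slow")
    # Personal devices need written consent before they can be remotely wiped.
    if not d.company_owned and not d.wipe_consent_signed:
        failed.append("no written remote-wipe consent")
    return failed

def access_level(d: Device) -> str:
    """deny, cloud_only (edit in the cloud, no local download) or full."""
    if violations(d):
        return "deny"
    return "full" if d.company_owned else "cloud_only"

# Constructed sample inventory, not real data.
FLEET = [
    Device("alice", "ios", False, True, True, 6, 120, True),
    Device("bob", "android", False, True, False, 4, 0, True),
    Device("carol", "windows", True, True, True, 12, 300, False),
]
```

Running `access_level` over a device inventory export gives a quick list of which personal devices would be blocked, and why, before the same rules are switched on in the MDM tool.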
Enforce Screen Locks & Password Protection
MDM tools enable both security features.
Your employees take personal devices across the city and the globe as they travel for work and leisure. Loss or theft can happen at any time.
Devices lying around without screen locks or password protection pose a big risk to your company.
A high number of users reported removing screen locks because they are “annoying”.
46% of people who use their mobile device for work admit to letting others use it from time to time.
Limit risk by using MDM tools to enforce screen locks and password protection.
Revoke Access Upon Employee Exit
As a standard practice, promptly revoke access to company data upon termination or voluntary exit of any employee.
Consider remotely wiping company data from the personal device of any employee leaving the company. This requires that prior consent be obtained.
This is a difficult area to control. It is important that your mobile and acceptable use policies clearly state or restrict how and where company files can be accessed or edited, and how and when BYOD devices owned by employees may be wiped.
Putting It All Together
An internet search of data breaches linked to smartphones and tablets can reveal the extensive losses experienced by companies who failed to implement secure BYOD practices.
As of February 2019, the iOS app store had 2,200,000 available apps for download, and the Google Play store is keeping step. The security controls in place to evaluate the safety of these apps, which employees download to personal devices connecting to company data, are not foolproof. Many have been found to contain malware, spyware and phishing screens.
Employee content can put company data at risk.
The adoption of a CYOD or BYOD framework can be beneficial to small business, but it should not compromise company or customer data, or put the company at undue risk.
TUCU is a highly rated IT Security Services Company in Toronto. Developing a comprehensive BYOD policy to minimize risk, while still empowering your workforce to use mobile tools, is one of the main services we offer here at TUCU. Since Mobile Device Management is an ongoing process, and just one layer of your IT security, more SMBs are turning to outsourced Cloud Management Services and Managed IT Services to access the professional IT support they need to reduce risk. Schedule your free phone consultation to explore our IT management services.