Every small business owner needs to read this post about personal devices in the workplace and controlling access to your company files. Your employees want to use their own laptops and smartphones to work from, and you may be thinking that if it saves you from having to purchase a device for them, what’s the harm? BYOD or Bring Your Own Device is a grey area in terms of privacy and security. Without stringent data management policy and controls in place, employers are unable to adequately protect company and client data, and this is true whether the company or the employee owns the device.
We’ve seen it many times - important small business IT security practices being compromised by employee devices on the network, or by employers who failed to see the risks in poor BYOD, network security, and data management policy.
So how do you avoid compromising overall network security when using BYOD? By learning more about smart BYOD, and about Choose Your Own Device (CYOD) as an alternative.
Employee Owned Computers In The Workplace
You may think that a major benefit of BYOD is not having to purchase hardware for employees. While you may save a few dollars on the hardware purchase, you are also losing out on control of said hardware. And that’s important.
You should control any device that touches your company data. There are several ways to accomplish this under your BYOD policy, but CYOD is still the better option here. With CYOD, you purchase, own and control the equipment, dictate the computer security requirements, and provide the computer support, so you stay in charge of data privacy and security.
You also get a tax deduction for said purchases, retain all warranties in your name, and can re-purpose equipment as you see fit based on ever changing organizational needs.
Updated Hardware & Software
A homogeneous fleet of devices can reduce your IT support costs.
If your BYOD policy doesn’t outline which devices and operating systems you will support, employees can use anything and everything.
Employees may be using out of date operating systems and software that are more prone to breach than what you have on the office computers. Employees may be lax about keeping their personal computers updated to prevent malware. And your IT support budget will be heavily taxed when your IT providers have to support all the various Macs, PCs, laptops and smartphones and their various operating systems, versions, differences and quirks.
You can better control IT costs and minimize problems by clearly defining what devices and operating systems you will support.
Again, CYOD is a better choice here, because not only do you choose and purchase computers running similar systems to build a homogeneous network that is easier and less costly to secure, but you also own the equipment and can enforce regular software, security and antivirus updates. In fact, most Managed IT Service Providers do that for you as part of your service level agreement.
If you don’t have an in-house IT employee, you should have a Managed IT Provider who will oversee your computer security.
Password Policy & Screen Lock
Practicing good security across your team.
Every year a list of most common passwords is published, and the last thing you want is your employees using anything on that list. Even seemingly good passwords fail to pass the test of a truly strong password.
Older passwords are higher risk than new passwords, and that’s why having a password policy that forces password changes every 90 days is a smart layer in your layered approach to overall network security. (You can download our password policy guide here.)
Both strong passwords and screen locks help add layers to your overall security. In the event of a lost or stolen device, they can delay access to data long enough for you to have IT remote in and wipe the device of sensitive data, assuming you have that feature set up.
Employees may be hesitant to use strong passwords, citing difficulty remembering the password as their main objection. Strong passwords are no more difficult to remember when personalized by the user.
Employees may remove screen locks if they find them to be “annoying”. Enforcing these layers of security is easier to do when the right infrastructure is in place, and that is most likely to occur on company owned equipment.
Installing Antivirus & Firewalls On Staff Computers
Protecting points of entry.
A good BYOD policy will enforce the installation of antivirus and firewall software on employee owned computers that are used in the workplace. However, this is a privacy grey area. Employees have made complaints that this steps on their privacy rights. We’ve seen many employers back down to an employee who digs their heels in and repeats that they “just don’t want it”.
The biggest mistake a small business owner can make is to think or act like a small business and to give in to such demands. In a Fortune 500 company, personal feelings about computer security are not valid arguments: best practices are upheld. When it comes to computer security practices for small business, think and act like big business. Gently but firmly inform employees of what must be implemented, and why, and that no exceptions can be made because the potential risk is just too great, and too expensive to repair.
For every computer being used in the workplace, or connecting to the workplace WiFi, the employer should have the ability to "manage" the computer, including but not limited to installing good antivirus software on the computer, and enforcing software and security updates every week or so. If employees don't want their personal devices to be managed by the employer, then they should not be allowed to connect to the network. Employers may wish to move to a CYOD instead of a BYOD environment, or to simply deny all outside devices from connecting and only allow company owned and managed devices to connect to the network.
Administrative Control On Computers
Reducing accidental or intentional sabotage.
Computers are shipped from the manufacturer with the default user account having full administrative control. This allows you to install any software you wish when you receive your new computer. Most people never change the default user account. Most people don’t know that creating a standard user account, which removes the ability to install software (and to inadvertently install malicious software), greatly reduces risk. This one simple change can prevent many costly malware infections. It costs you nothing extra, and you should enforce it on all computers.
But, because a standard user account can’t install software, employees argue that they do not want this “restriction” on their personal computers or smartphones. And that makes sense for them, but it doesn't make sense for any computer connecting to your network.
Any decent IT consultant will advise you to take this basic precaution on all your systems, and we provide a DIY instruction guide to remove administrative control from Windows based computers here.
If you do proceed with BYOD for your small business, be sure to stipulate that all computers connecting to the company must have administrative control revoked. Only your dedicated IT employee, IT support company or IT liaison in your office should be installing software on computers when required. Realistically, aside from the initial computer setup, the need to install new software is rather infrequent. The minor inconvenience of having a dedicated person responsible for vetting and approving all new installs is far outweighed by the extra layer of computer security this small change affords you.
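One way to check that this rule is actually being followed on a Windows computer, as an added example that is not part of the original post or the DIY guide it links to: the script below lists every member of the local Administrators group, flags any user account that is not on your approved list, and with -Fix demotes it to a standard user. The names 'Administrator' and 'ITSupport' are assumed placeholders for the accounts you intend to keep; it assumes Windows PowerShell 5.1 or later and an elevated session.

```powershell
# Added example (not from the original post): audit local Administrators membership on a
# Windows workstation and, with -Fix, demote day-to-day accounts to standard users.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module) run elevated.
param(
    # Assumed names: the built-in Administrator plus one IT support account you keep.
    [string[]]$AllowedAdmins = @('Administrator', 'ITSupport'),
    # Without -Fix the script only reports; nothing is changed.
    [switch]$Fix
)

$members = Get-LocalGroupMember -Group 'Administrators'

# Safety check: never demote anyone unless at least one approved admin account remains.
$approvedPresent = $members | Where-Object {
    $_.ObjectClass -eq 'User' -and ($AllowedAdmins -contains $_.Name.Split('\')[-1])
}
if ($Fix -and -not $approvedPresent) {
    Write-Warning 'No approved admin account is in Administrators; refusing to demote anyone.'
    $Fix = $false
}

foreach ($member in $members) {
    # Names look like "PCNAME\jsmith" or "DOMAIN\Domain Admins"; keep only the account part.
    $name = $member.Name.Split('\')[-1]

    if ($member.ObjectClass -ne 'User') {
        # Nested groups (e.g. Domain Admins) are reported but left alone; review them separately.
        Write-Output "GROUP  kept:       $($member.Name)"
        continue
    }
    if ($AllowedAdmins -contains $name) {
        Write-Output "ADMIN  approved:   $($member.Name)"
        continue
    }

    Write-Output "ADMIN  unexpected: $($member.Name)"
    if ($Fix) {
        # Demotion keeps the user's profile and files; they stay in 'Users', can still log on
        # and work, but can no longer install software system-wide.
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        Add-LocalGroupMember -Group 'Users' -Member $member.Name -ErrorAction SilentlyContinue
        Write-Output "       -> demoted to standard user"
    }
}
```

Run it once without -Fix to see the report, then schedule it (or run it through your Managed IT Provider's tooling) so that accounts quietly re-added to Administrators are caught.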
Remote Data Wiping Of Company Computers
Reduce risk in cases of employee termination or device theft & loss.
About 20% of data loss events occur from lost or stolen devices. Another data control risk comes from terminated or former employees.
Ideally, your company owned devices would have data protection in place via remote data wiping capability, or no data on the computer at all. You can achieve this through virtual workstations, or cloud solutions that don’t allow any data syncing to the device itself.
You can also use partitions to mitigate risk and data mixing. If using BYOD devices, you can partition computer hard drives into two compartments: one for personal use, one for business use. This helps keep company data separate from personal data, contacts, music, family photos, etc., should the need to remotely wipe the computer come into play. The work partition or compartment should be encrypted to protect it from falling into the wrong hands.
By contrast, wiping an employee owned computer would also delete all their personal information, and no employee would rightfully agree to that. Instead of compromising on best IT practices, speak to your IT provider about how to best approach data management in your business.
Who is allowed to connect to your company data?
Whether you are using BYOD, CYOD or just good old fashioned computers in the office, you should have an effective means of user authentication in place.
This is the process of verifying an individual's identity prior to granting them access to a resource, such as your files or server.
Otherwise, in theory, anyone could remote in, walk in or bring in a spare device, connect to your network and take or do what they want.
User authentication infrastructure requires some investment, but it is a sound investment for the growing small to mid-sized business.
The Onus Of IT Security
Protecting your business long term.
As the business owner, you carry all the risk in the event of a data breach, so your top priority should be network security above employee personal preferences. It can be difficult for small business owners to make these “tough calls”. Part of the appeal of small business is the camaraderie on a small team, and drawing a line in the sand when it comes to network security can feel a little bit awkward.
At the end of the day, you simply need to communicate to your team that you are making changes to protect the company long term, its reputation, and the jobs of all employees, and trust that everyone will act professionally when adapting to new IT changes. A little explanation and patience while your team acclimates to the IT changes you set out will go a long way.
Don’t be afraid to make the tough calls and the right choices due to a little resistance. After a short time, your team will adapt to the changes and everything will be business as usual.
What Should Your BYOD Policy Cover?
Firstly, if you do decide to proceed with BYOD, be sure that your policy is very specific - covering all areas above as well as who covers the cost of ongoing support - the employee, the company, or both. Document all details and distribute the policy to all existing and new employees.
Secondly, ensure your policy matches your needs. Information security is a concern for all small businesses, but the level of concern does vary. If you operate in a highly regulated industry or house sensitive client information such as health or financial records, your needs will be different from, say, a graphic design company or a landscaping company. Protecting your intellectual property and contact lists is also a concern for small and mid-sized companies in many industries, such as market research, logistics and more.
Finally, be sure to review your policy annually because technology and privacy issues are always changing.
BYOD & Data Management Solutions In Toronto: Today, every business must also be a tech business, or have skilled IT technicians on hand to help with complex technical needs. TUCU is tech u can use, a Managed IT Services Provider in Toronto since 2003. We are ready to help you better understand and choose data management solutions that will work for your business. Schedule your free consultation to discover how IT security improvements can serve you.
Ready to make some changes?
Speak to our Toronto IT Consultants for options & an estimate.