BYOD is a policy of allowing employees to bring their own computing devices into a work environment and connecting to the work network. This policy introduces a measure of risk and loss of control in the infrastructure of a company. Is the device unpatched and vulnerable? Are its contents encrypted? Does a hacker already have control over the device? That being said, a good BYOD policy can improve productivity, morale, and decrease hardware expenses for the company.
A good security policy addressing BYOD should be prepared by a security professional, however, there are steps the manager can take in the interim to mitigate some elements of risk.
1. Know the devices. You must know who is bringing what into your network. Do not allow employees to connect to the internal network with unknown devices. MAC filtering is appropriate in this respect.
2. Know the devices are patched and updated. A three year old tablet or phone probably isn't the best candidate for BYOD. Make sure the device is still receiving patched and updates.
3. Use Group Policy to enforce a complex password policy. IAMGOD, Password123, & spankm3 are common password and listed at the top of any hackers Rainbow Tables. A complex password policy should contain no less than 8 characters, a combination of upper and lower case, with special characters and numbers.
4. Users should not share access through a BYOD device. BYOD accountability should rest squarely on the shoulders of the employee introducing the device.
5. The device should be running antimalware. A smart-phone is a computer. No sane person would connect to the internet without some sort of protection. Phones are no longer exempt.
6. The contents of the device should be encrypted. If a device doesn’t not support encryption, it probably shouldn’t be allowed on the internal network to begin with.
7. The company needs to be clear about who owns the data that might be stored on the device. If a device is compromised or used in an unauthorized fashion, the company should be able to seize and delete the contents of the device.
8. No ‘Jail Broken’ or ‘Rooted’ devices should be allowed on the network. These devices are warranty void, may no longer be receiving updates or patched because of the root, and are extremely vulnerable to attack.
9. No passwords should be stored on the device. It is not the most pleasant thing to have to enter your password each time you log into a system, however, this helps assure the credentials will not be compromised in the event the phone is hacked.
10. Education and accountability. A policy that is unenforceable or without consequence is the same as no policy at all. After the initial outlay of the policy, resources need to be allocated to educate the employees. There needs to be resources allocated to ensure the BYOD policy is being enforced. Each BYOD user needs to sign an agreement that they alone are responsible for keeping their device compliant and subject to the consequences of a failure in compliance.
All these things being said, BYOD is a phenomenon that is here to stay. Education is the most important part of any policy. A happy employee is that employee which knows exactly what they need to do to accomplish their job. This is just another part of that.