BYOD: Bring Your Own Destruction!

Karl Palachuk

Bring Your Own Device (BYOD) has a long history: We have been fighting with mobile USB hard drives for more than 20 years. They're huge compared with whatever storage is on the server and being backed up. We look around and find a 250 GB hard drive here and a 500 GB hard drive there. They get attached to the network, taken home, and moved about with no record whatsoever.

More importantly, at our fingertips we have laptops, smart phones, tablets, Kindles, iPads and whatever they come up with next.

Devices get connected to the network. Data, security codes, client information and all kinds of information gets moved between devices and the network. Devices are taken home, connected together, and who knows what.

BYOD can become "Bring Your Own Destruction"

It doesn't take much imagination to see that data ends up where it doesn't belong: into security holes big enough to drive a truck through.

The Achilles heel of data security

So what happens to this vital data that slips through the net? The upshot is that important company data becomes spread all over a series of devices with no controls whatsoever. This is very scary for IT Pros, even if clients don't appear to care!

Even if employees aren’t engaging in espionage, BYOD causes company data to be distributed across a variety of devices, not owned or controlled by the company. And, as a rule, these devices are easily lost or stolen. There's a huge market for scraping the data off lost and stolen devices.

Clients have always relied on companies such as LOGICnow to just take care of things, especially for backup functions if important data goes missing. They haven't had a bad experience (security breach, etc.). Therefore, they think we can keep doing whatever magic we do and protect them forever.

Clients honestly don't know how much danger they are in.

On top of all that, they are naturally resistant to passwords and complex security. So jumping through hoops to get devices connected is a tough sell.

Whether they like it or not, or whether they want it or not, we need to push them to deploy a BYOD policy for IT employees. Just smart phones and iPads alone are enough to justify this action; creating a policy forces them to bring the issues to the front of their mind.

BYOD ("Bring Your Own Device") User Policy

[ Company Name ] BYOD ("Bring Your Own Device") Policy

[ Company Name ] acknowledges that the use of Personal Electronic Devices (including but not limited to laptop computers, tablets and smart phones) contributes to the effectiveness of our employees. This policy is established to govern the use of Personal Electronic Devices (PEDs) that access resources owned and managed by the company.

The company may from time-to-time publish lists of devices that may or may not be used to access company resources. Please contact our IT Service Provider if you have questions about devices that may be used to access company resources.

Every PED used to access company resources must be approved before it is used to access company resources. Every PED must have our management agent installed before accessing company resources.

Please note the following guidelines:

  • Your account access will be locked whenever there are [_____] unsuccessful attempts to log into your account.
  • The PED must employ a "screen saver" or time-out function that automatically locks the device within [_____] minutes or less of non-use.
  • Your PED must require a password to operate or get past the lock-out screen.
  • Your PED password must be changed at least once every [_____] days. Passwords must be compliant with company-wide password policies.
  • No attached PED that accesses company resources may be operated in a manner that is illegal or in violation of any end user license agreements associated with any hardware or software on the PED.
  • You are responsible for all costs associated with the operation of your PED, including but not limited to data service plans.
  • Your PED will be "wiped" and all data erased if any of the following occurs: The PED is lost or stolen; Our monitoring system determines that your device is associated with a data breach or security breach of any kind.

If your device allows for selective remote wiping of data, you may elect to have only the company-related data wiped.

Optional:
[ Company Name ] pays a [ monthly / quarterly / annual ] stipend of [$_____] to the employee to compensate for the "company use" of a PED. This is the only compensation associated with this policy.

So what does all this mean to you?

You might notice that this policy is designed to be partly enforcement-oriented and partly educational. Clients need a bit of cold water in the face around security sometimes. They put a premium on ease of use. You need to make sure they understand the balance between "easy" and secure.

It's also the case that forewarning clients a bit will help them to accept that a policy is a good idea. Having a policy such as this is critically important for clients subject to HIPAA, SOX or other compliance standards. But remember, most of the time you can comply with those policies simply by employing best practices.

These are best practices.

(Used with permission of Karl W. Palachuk, SmallBizThoughts.com)

LOGICnow recommends Three Take-Aways from this chapter:

  1. Your BYOD policy should be both educational and enforcement-focused.
  2. You will need an RMM tool that supports Mobile Device Management.
  3. If possible, demonstrate to a client what a mobile wipe looks like.