Bring Your Own Device (BYOD) has a long history: We have been fighting with mobile USB hard drives for more than 20 years. They're huge compared with whatever storage is on the server and being backed up. We look around and find a 250 GB hard drive here and a 500 GB hard drive there. They get attached to the network, taken home, and moved about with no record whatsoever.
More importantly, at our fingertips we have laptops, smart phones, tablets, Kindles, iPads and whatever they come up with next.
Devices get connected to the network. Data, security codes, client information and all kinds of other information get moved between devices and the network. Devices are taken home, connected together, and who knows what else.
It doesn't take much imagination to see that data ends up where it doesn't belong: into security holes big enough to drive a truck through.
So what happens to this vital data that slips through the net? The upshot is that important company data becomes spread all over a series of devices with no controls whatsoever. This is very scary for IT Pros, even if clients don't appear to care!
Even if employees aren’t engaging in espionage, BYOD causes company data to be distributed across a variety of devices, not owned or controlled by the company. And, as a rule, these devices are easily lost or stolen. There's a huge market for scraping the data off lost and stolen devices.
Clients have always relied on companies such as LOGICnow to just take care of things, especially for backup functions if important data goes missing. They haven't had a bad experience (security breach, etc.). Therefore, they think we can keep doing whatever magic we do and protect them forever.
Clients honestly don't know how much danger they are in.
On top of all that, they are naturally resistant to passwords and complex security. So jumping through hoops to get devices connected is a tough sell.
Whether they like it or not, or whether they want it or not, we need to push them to deploy a BYOD policy for IT employees. Smart phones and iPads alone are enough to justify this action; creating a policy forces them to bring the issues to the front of their minds.
[ Company Name ] BYOD ("Bring Your Own Device") Policy
[ Company Name ] acknowledges that the use of Personal Electronic Devices (including but not limited to laptop computers, tablets and smart phones) contributes to the effectiveness of our employees. This policy is established to govern the use of Personal Electronic Devices (PEDs) that access resources owned and managed by the company.
The company may from time to time publish lists of devices that may or may not be used to access company resources. Please contact our IT Service Provider if you have questions about devices that may be used to access company resources.
Every PED used to access company resources must be approved before it is used to access company resources. Every PED must have our management agent installed before accessing company resources.
Please note the following guidelines:
If your device allows for selective remote wiping of data, you may elect to have only the company-related data wiped.
[ Company Name ] pays a [ monthly / quarterly / annual ] stipend of [$_____] to the employee to compensate for the "company use" of a PED. This is the only compensation associated with this policy.
You might notice that this policy is designed to be partly enforcement-oriented and partly educational. Clients need a bit of cold water in the face around security sometimes. They put a premium on ease of use. You need to make sure they understand the balance between "easy" and secure.
It's also the case that forewarning clients a bit will help them to accept that a policy is a good idea. Having a policy such as this is critically important for clients subject to HIPAA, SOX or other compliance standards. But remember, most of the time you can comply with those policies simply by employing best practices.
These are best practices.
(Used with permission of Karl W. Palachuk, SmallBizThoughts.com)
LOGICnow recommends Three Take-Aways from this chapter: