The Hitlist: BYOD

“Bring Your Own Device” or BYOD is an increasingly common topic among CIOs and other executives. We are not here to argue the merits of BYOD, but we do want to mention a few key topics to think about if you consider implementing it.

1. Policy

The first thing an organization should have before implementing BYOD is a set of policies that govern it. They should cover topics such as: What is acceptable use, what types of devices can be used, what should I do if my device is lost or stolen, is MDM required, etc.

2. Corporate MDM (Mobile Device Management)

If personal devices will be on your corporate network, you must know where they are and have some degree of control over them. Most MDM solutions will enable you to require specific security features, lock or wipe lost/stolen devices, and require or prevent specific types of software from being installed. Enterprise-level MDM is a must.

3. Screen Lock Password

All mobile devices should be required to have a screen lock with a minimum of 5 alphanumeric characters in the passcode.  Anything less than 5 characters can quickly and easily be hacked.  This feature can be enforced through most MDM solutions.

4. Device Encryption

Again, this is another control which can be enforced through an MDM solution, and is a must-have. All mobile devices should be encrypted, without exception, ideally using a corporate encryption management system. This is a straightforward way to reduce the impact of a lost or stolen device.

5. Jailbroken/Rooted Devices

No jailbroken or rooted devices should be allowed on your network, bottom line. Even though these hacked devices can have many enticing features, they can also bypass many of the built-in security features on the devices. This is another control which can be enforced through most mobile device management solutions.

6. Regular Updates

For mobile devices, you are at the mercy of the carriers for the latest updates, unfortunately.  For laptops and desktops, however, you have much more control.  As a matter of policy and enforcement, all devices should be running the latest updates available.

7. Separate Business and Personal Data

Ideally, you should put all corporate data into a separate container on mobile devices (also known as containerization).  Many times this is not practical from a user experience perspective.  Many containerization applications do not have all of the features that users want or need.  Without containerization, it is much more difficult to track corporate data.  How this is accomplished is something that should be addressed.

8. Know Where Your Data Resides

If you don’t know where your data is, how can you protect it? Make sure data you thought was secure doesn’t walk out of your walls on a mobile device.

9. Data Loss Prevention

DLP allows an organization to track its data and to prevent it from leaving its walls. This first requires knowing where your data is, who can access it, and how it can be accessed, and having control over the devices on your network.

BYOD is not something that should start overnight. It should be well thought out, with the risks weighed against the benefits. Compliance, Remote Access, Network Security, Wireless Configuration and many other facets of the enterprise should be considered before allowing users to bring their own devices.