Most people today have a mobile phone, most likely a smartphone. Many also have tablets or laptops. While these used to be items that a business would supply to its workforce, the cost of these devices -- coupled with employees' highly mobile lifestyles -- has allowed them to become commonplace in the consumer space. Most employees do not want to carry multiple devices and have begun to push businesses to allow them to use their personal devices in lieu of one provided by the business. This has risk implications for an organization. Here are some things to keep in mind as you consider your path to establishing a bring-your-own-device management and security policy.
BYOD management: It's your data
Regardless of the ownership of the device, the data being accessed and processed belongs to the organization, and it needs to be protected as such. You need to understand how devices are backed up and synced to cloud drives and computers, as these can become vectors for a breach. End users need to be made aware of organizational policies and their responsibilities in regard to those policies, and they need to sign an attestation agreeing to your policy for their bring-your-own-device (BYOD) privilege.
You can't be all things to all people
The number and types of devices out there are endless. It's not feasible to think an organization can manage or control all of them. Limit the scope of the devices you will allow. Only allow those devices with features that allow them to meet your security policies. Communicate this to your employees so they are aware when it's time for them to upgrade to a new device.
Expectations of privacy
You should be clear about the end user's expectation of privacy. Most management platforms allow you to see all the content on a device. The user should understand this and also know that if an issue arises, like a lawsuit or breach investigation, their device may need to be examined and personal information on the device may be revealed. In addition, the user should understand what will happen should their device be lost or if they leave the organization. They should also be aware of their responsibilities if they pass their device down to a spouse or child when they upgrade to the latest and greatest device.
Devices must be managed
You must have a way to manage and enforce policy on BYOD devices. This often involves a third-party solution that will install software on each device. End users should understand and expect this. You should have the ability to locate and wipe the device should it be lost or stolen, or if it's no longer in the possession of the end user.
Limit the scope of access
Only allow access to a minimal number of services. Email is a commonly accessed service allowed by most organizations. Make sure you understand the implications of allowing general network or application access via these devices, especially if the device is remote.