Having the right technology is often the key to a successful business, but not every company has the means to provide its employees with devices like laptops, smartphones and tablets. For this reason, BYOD (bring your own device) policies are becoming increasingly popular.
But these policies can get complicated, as employees using their personal devices for work can be a major security issue. For a successful (and safe!) BYOD program, businesses need to make sure they take proper security measures.
Want to implement a BYOD policy in your office? Thiruvadinathan A., director of security and compliance at IT company Happiest Minds, shared these tips.
1. Have a defined email security policy. A lot of important information is exchanged via email within a company, so it's critical to protect that information, A. said, noting that there are simple ways to do so through a company's existing email infrastructure using suites like Microsoft Exchange or Office 365.
For example, "you can limit email retention and attachment sizes," A. said. "By limiting the retention of email on a device, management can make [the] passage of time … work to their advantage. If a device without a retention policy was accessed by a malicious user, potentially years of emails can be exposed."
By limiting the retention, A. noted, only the most recent exchanges would be accessible, as older threads would be deleted. And by limiting attachment sizes, you can prevent wholesale disclosure of privileged corporate data, A. said.
"If a malicious user tried to email a large archive file, perhaps over 10 MB in size, any attempt to send the file would fail and alert IT staff."
2. Require authentication to gain access. Only the people who need certain information should be able to access it. Corporate networks should use ACLs (access control lists) that define which users, protocols, applications and specific devices have access to specific parts of the network, A. said.
"For instance, certain departments would only have access to specific file servers, printers or databases. This limits the amount of information that a malicious user could access, even if they had access to a device," A. said. "Depending on the company, these ACLs also prevent users from reaching file-sharing websites, personal email or any other activity that would be potentially harmful to a company's proprietary information."
Businesses should also use a VLAN (virtual local area network) to help maintain control, he said.
"Planning and creating a VLAN for BYOD devices will help maintain control," A. said. "By putting all BYOD devices on their own VLAN, it separates them from network resources that management would not want them to access."
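To make the combination of a dedicated BYOD VLAN and per-department ACLs concrete, here is an added example (not from the article or from Happiest Minds) of first-match ACL evaluation with an implicit deny. The subnet, server addresses, department names and rule set are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption): BYOD devices sit on their own VLAN/subnet.
BYOD_VLAN = ipaddress.ip_network("10.50.0.0/24")

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    group: str    # department of the authenticated user, "*" = any
    dst: str      # destination network in CIDR form
    port: int     # destination TCP port, 0 = any

# Hypothetical ACL for traffic leaving the BYOD VLAN, evaluated top-down.
BYOD_ACL = [
    Rule("permit", "finance", "10.10.1.10/32", 445),      # finance file server
    Rule("permit", "engineering", "10.10.2.10/32", 445),  # engineering file server
    Rule("permit", "*", "10.10.9.20/32", 631),            # shared printer
    Rule("deny", "*", "10.0.0.0/8", 0),                   # all other internal hosts
    Rule("permit", "*", "0.0.0.0/0", 443),                # outbound HTTPS only
]

def decide(src_ip, group, dst_ip, port, acl=BYOD_ACL):
    """Return (action, index of matching rule); first match wins, default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in BYOD_VLAN:
        raise ValueError(f"{src} is not on the BYOD VLAN; this ACL does not apply")
    for i, rule in enumerate(acl):
        if rule.group not in ("*", group):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.port not in (0, port):
            continue
        return rule.action, i
    return "deny", None  # implicit deny when no rule matches

if __name__ == "__main__":
    # Constructed flows from one finance user's personal laptop.
    for dst, port in [("10.10.1.10", 445), ("10.10.2.10", 445),
                      ("10.10.9.20", 631), ("93.184.216.34", 22)]:
        print(dst, port, decide("10.50.0.23", "finance", dst, port))
```

The order of rules matters: the department permits must sit above the broad internal deny, or the file servers become unreachable for everyone.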
3. Use layers in network defense. Since most devices use a wireless connection, it's important to add extra layers of protection to wireless access.
"These devices can be integrated into an enterprise wireless network, but they must be trusted before accessing resources," A. said. "One way to ensure trust is to enforce a tight network access and security policy by having each user authenticate themselves to the domain controller."
4. Enforce the rules. It's important to note that even though employees own their devices, they're still using the company's corporate network and must follow the rules, A. said.
"While network security devices are often already in use before a BYOD policy is implemented, it helps to be sure that BYOD devices are especially scrutinized," he said. "One way to make this happen is by directing all traffic to and from BYOD devices through a firewall as well as an IPS [intrusion prevention system] or IDS [intrusion detection system]. By implementing this approach, certain file types, websites, protocols or anything that the company frowns upon can be blocked from the get-go."
This is especially useful, A. noted, if a BYOD device is infected by malware, as these measures can block malicious programs before they can cause harm.