According to Juniper Research, the number of employee-owned smartphones and tablets used in business will more than double by 2014, reaching 350 million. More and more companies are choosing to let their employees bring their own devices to the workplace and use them for company business. In many instances, employees can take advantage of the functionality of new smartphones and use them to increase efficiency and productivity. Employees are happy because they get to choose their own devices and may be compensated for some of the cost of the device or the monthly payment. In return, significant cost savings can be realized when companies stop paying for expensive wireless plans and devices for many of their employees.
This all sounds great, but it’s important to take into account the following ten considerations before implementing a BYOD program:
- Define a BYOD policy that sets out the goals and elements of the BYOD program as well as the safeguards against BYOD risks.
- Determine whether participation in the program will be voluntary or mandatory.
- Define the acceptable use for the BYOD device and have employees sign off indicating their understanding.
- Define roles and responsibilities related to employees, administrators, and support.
- Define which devices and activities will be allowed.
- Define which applications are required or allowed.
- Require password control, device locking, and encryption depending on the type of implementation.
- Maintain compliance with regulations. Just because you adopt a BYOD program doesn’t mean that you can ignore requirements such as PCI, HIPAA, etc. Ensure that, no matter how BYOD is implemented, your company maintains compliance with applicable laws and regulations.
- Determine if and how much employees will be compensated for purchasing their device and paying for their monthly plans.
- Choose an approach for maintaining the security of your domain. The following approaches are the most common:
  - Virtualization: Provide remote access to computing resources so that no data is stored, and no corporate application processing is conducted, on the personal device.
  - Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data.
  - Limited separation: Allow corporate and personal data and/or application processing on the personal device, with policies enacted to ensure security controls are still satisfied.
Many companies are choosing virtualization as their security approach and using the device as a thin client to access the corporate network, applications, and data remotely. The main benefit is that no data is ever stored on the employee’s device. Processing and data storage take place within a secured domain, and if an employee loses their device, it can be remotely disabled with no concern that sensitive data remains on it. As long as there is an encrypted connection between the device and the virtual environment and no data is stored on the device, companies can protect themselves from data loss in the event a device is hacked, lost, or stolen.
The ten considerations mentioned above are by no means an exhaustive list of everything that must be considered prior to adopting a BYOD program, but they are a start. Ensure that all risks identified with the adoption of BYOD are either mitigated or accepted, and enjoy the flexibility and cost savings that a successful BYOD program can provide.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.