Our company has jumped headfirst into the bring your own device (BYOD) trend. At least half our employees -- probably more -- use their own smartphones or tablets or both for work. We've got BYOD rules in place for what they can and can't do while they're on our payroll, but what about when they leave the company? What should we be doing to secure those devices and protect our information?
That's a growing concern for companies that are allowing "insecure" devices to access their sensitive information. The problem is that if you are allowing your employees to download and store information on a device that you don't control, you're much more limited in terms of preventing that information from getting out to the larger world.
Let's take a realistic example. Say you've got employees who just bought brand-new iPhone 5S smartphones. They're ecstatic about the new TouchID, which is equipped with a fingerprint scanner allowing users to unlock the phone with a touch rather than by entering a four-digit personal identification number (PIN). Equipped with those phones, your employees can access their corporate email accounts from wherever they are.
Meanwhile, you're aware that you've got lots of sensitive emails being sent internally. And if any competitors could access that email, they'd see details of the projects you and your employees are working on. With that information, they might beat you to market, or simply steal your idea.
Require the same level of protection for BYOD devices that you use for email.
But luckily, all your information is secured behind the new TouchID system. Right?
Maybe not. Within days after the system's launch, the Chaos Computer Club, a European hacker group, reported that it had bypassed the biometric security system using a few items easily available to any consumer. Translation: If an employee happens to leave his or her phone in a bar, your corporate email could be completely exposed.
Fortunately, many email systems, including Google Apps for Business and Microsoft Exchange, allow you to require certain security measures on all devices attached to your network before those devices can access corporate email. These capabilities allow you to, for instance, require more complex PINs or set phones to lock automatically after one minute of inactivity.
They also allow you remotely wipe out a user's email -- a feature that can be useful when, for instance, you terminate employees -- so that the user doesn't retain any local copies of sensitive information.
Obviously, any BYOD rules or policies should also include procedures for eliminating ex-employees' access to other private company apps as well. Perhaps, like many other organizations, you've created, or are considering creating, an in-house enterprise app store, which lets employees download and use approved apps. Or maybe you're just letting them use a Web app (or, in Apple's case, a Web Clip). In any case, how do you ensure that this information is also secured?
The easiest way is to require the same level of protection for BYOD devices that you use for email. Additionally, you may require your in-house apps to carry a passcode lock that's independent of the device -- although that's likely to become a pain point for your employees. Better yet, you can simply modify your BYOD rules to require employees to be on your local Internet connection to access these applications. If employees need to access this information from outside the local network, you can require them to use a virtual private network (VPN) for temporary access to your intranet, and that VPN can automatically log them out after a certain period of inactivity.
Bottom line: The more you control on the back end, the harder it will be for a potential data thief to recover your sensitive information.
Of course, no set of BYOD rules can cover every possible scenario, and no device is bulletproof. If any device gets lost or stolen, or used after an employee leaves the company, there's always a chance that it can become compromised.
The best way to avoid such problems: Modify your BYOD rules to require every employee to use a personal location-based app or service, such as Find my iPhone/iPad or Lookout Mobile Security, so that you can remotely locate, lock and even wipe such devices. Both services offer a free limited version for individual devices, but you may want to invest in the upgraded versions for your employees' use. Lookout also offers a business version for enterprise-level BYOD management.
Dig Deeper on Topics Archive
Related Q&A from Chris Moyer
Can an application have Python as a container, run SQL queries on an external Microsoft SQL database and publish the results on an Apache web server ... Continue Reading
The wait is over, as you can now trigger Lambda functions with SQS messages. Follow these steps to get up and running with this new capability. Continue Reading
Event-driven computing means no IaaS provisioning and no data center to run. Can I migrate all enterprise apps to be event-driven? Continue Reading