87% of companies are dependent to some extent on their employees’ ability to access mobile business apps from their personal smartphones. (Source: Syntonic)
BYOD: Why is Mobile Device Management Important?
Bring your own device (BYOD) refers to the trend of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data.
Personal devices could include smartphones, personal computers, tablets, or USB drives.
In the last couple of months, I’ve seen this particular subject coming up with our clients, and I've taken the opportunity to put a few things together that I can share with you. Hopefully you'll find it useful as a small to mid-sized business.
Smartphones and mobile devices are all over the place. Everybody's using them, right? And one of the things everybody wants to do is check their email on their phone.
Of course, it's convenient, it's easy. I can't tell you how much work and business I do just on my phone.
It's easy and it's right there at your fingertips. And so, this is a very powerful device.
Now, the challenge is that we have a big mix of corporate-owned smartphones and, in most cases I think, personal smartphones. And I'm seeing more and more issues with personal devices being used to access company data, oftentimes email, and other things.
So, what we've had to look at with our clients is formalizing mobile device policies that can be adopted, not just from a technical standpoint but from an HR and legal standpoint as well.
Now, you might think these are all elements that apply to bigger organizations, and you're absolutely right. But because of security, privacy, and industry compliance, this is really starting to funnel down to small and mid-sized businesses as well.
It's going to be necessary for them to have mature policies in place and to be able to enforce those policies, both technically and through HR.
Mobile Device Management
Let me share some examples of what goes into a mobile device management policy. It can be pretty straightforward and doesn't have to be complex.
The details depend on your industry and which regulations you have to comply with.
1. Smartphone operating systems must be supported by the manufacturer and kept up to date with the current OS.
Security updates need to be available for the device, and they need to actually get applied. Pretty straightforward. But how many of you think…
“I'm in the middle of something. Ignore. I don't want to do that update right now.“
And what happens is, if it gets too far behind, you're potentially putting your data and your company information at risk.
Take your business email. You might think, oh, it's just that one email, but what we're finding is malware being installed on smartphones that not only tracks the user's behavior and activity but also extracts information: compromised passwords, compromised email accounts.
Those bad actors get a little foothold, or even just a finger in the door, and they'll start working their way into corporate or small business networks.
So, really, we've got to look at those smart devices as endpoints, and as a threat vector that bad actors can come in through.
2. The smartphone must be encrypted.
Most current smartphones encrypt their storage by default, but that encryption is only as strong as the passcode protecting its keys, so again, it's got to be enforced and it's got to be in the policy.
3. A passcode or PIN must be enabled and configured on the device.
Fingerprint and face unlock make this a lot easier (they sit on top of the PIN rather than replacing it), but there are still a lot of people who do not have a PIN on their phone at all.
That's another technical requirement. As a business owner, you don't want some random person who finds a lost phone going through company email.
What happens if there's privileged or protected information in that email? That's not a liability you want as a business owner.
4. The device has to lock itself.
If it's idle for so long, it has to lock itself, and that's easy enough: after five minutes it goes to sleep and locks. I think that's pretty common nowadays.
5. If you lose your phone or it's stolen, you need to report it.
Whoever the IT department or IT person is, you need to let them know right away.
Ideally, if you have mobile device management enabled on these phones as part of your policy, you can then remote-wipe the company data that's on that phone.
Again, that's protecting your interests, your liability, your business information, and potentially your patient or client information as well.
6. Devices can't be “jail-broken” or “rooted”.
It just opens up too many possibilities for problems: breaches, privacy, security, compliance, and more. I know there are folks out there who love to jailbreak and root their phones. That's fine. Let them. They just can't access your company data or email from that personal phone. That has to be defined upfront.
7. Personal devices must never be plugged into any company equipment, even just to charge the device.
You don't know what's been downloaded onto it or what's going on with it. Plugged in over USB, a phone can present itself as a storage device, a keyboard, or a network adapter (USB tethering), and at that point it's sitting inside every firewall and safeguard you've put around your network. You don't want that.
Don't let users plug personal devices into company computers.
8. Personal devices cannot be used as a hotspot for company equipment.
Most personal smartphones have a hotspot feature, or can act as one, right?
So you can tether to it. I doubt most users are being malicious, but if they can't do something because of a security or firewall setting and you allow them to plug in their phones, they can easily turn on the hotspot and get to whatever they want on the internet.
That bypasses the security measures you've probably spent thousands of dollars on to protect your network, with company equipment now sitting on the far side of them.
9. Company data may only be stored within the Microsoft 365 applications on the device.
Now, if you want to get fancy and go into more granular controls around your corporate data, I'll give you an example.
We had a user call in who was using their own personal phone, BYOD, for business and work. That's fine. That's part of the policy.
What was concerning is that they had so much company data on their personal phone that they needed help getting it off. That concerns me because, one, that data is sitting on an isolated phone. It's not managed, not controlled, and it's not backed up. And if it's really that critical, maybe there's a better avenue for it to be managed so that it's not on an island by itself.
So, if you want to go further in managing devices and what data is on personal or corporate phones, you can control whether users can copy and paste company data, or take screenshots of it (Intune can block screenshots for Android apps; iOS doesn't expose that control).
You have these capabilities through Microsoft 365 and Azure, and Microsoft Intune specifically (its app protection policies), as well as other services, where you can control what users can do. The copy-and-paste control is a good one.
If they really need access to company data on their smartphone, allow them to access it within a container. That container could very easily be the Microsoft SharePoint app or the Microsoft OneDrive app on their phone. That way they can work efficiently and have access to everything they need, while your company has visibility and controls in place to protect its intellectual property, privacy, information, and security.
So at the same time you're enabling the user to do their work, you're also protecting the business from liability and risk.
10. If a device ever goes out of compliance, it immediately loses access to all of those privileges and capabilities.
The system can manage that automatically (in Microsoft 365 that's an Intune compliance policy paired with a Conditional Access rule that requires a compliant device).
So you're not having to monitor it manually on a regular basis. The system knows when a device is out of compliance and immediately blocks its access.
11. Users cannot export contacts to personal devices.
You want to protect everything you have, not just sales. If you have a client list or user list, you don't want that information getting out there or being easy for anybody to extract and copy over. You have the ability to block that function.
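Here is what the technical side of items 1, 3, 4, 6, 9, 10 and 11 looks like when you push it into Microsoft Intune through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; the property names follow the Graph `iosCompliancePolicy` and `iosManagedAppProtection` schemas as I know them (check them against the current Graph reference before relying on them), and the display names, the 17.0 OS floor, the five-minute lock and the app bundle IDs are assumptions chosen for illustration. It creates the two Intune policies only; the Conditional Access rule that requires a compliant device or an app protection policy, and that actually denies access when a device falls out of compliance, is configured separately in Entra ID.

```powershell
# Added example (not from the original post or from Microsoft). Property names follow
# the Graph iosCompliancePolicy / iosManagedAppProtection schemas; display names,
# version floors, lock timeout and bundle IDs are assumptions for illustration.
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser   # one-time setup
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All"

# Policy 1: device compliance. Covers items 1 (OS floor), 3 (passcode), 4 (auto-lock)
# and 6 (no jailbreak), plus the "block immediately" behaviour of item 10.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "BYOD iOS - baseline"
    osMinimumVersion                      = "17.0"   # assumed: oldest vendor-supported release
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true    # no 1234 / 0000
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 5        # item 4: lock after five idle minutes
    securityBlockJailbrokenDevices        = $true    # item 6
    # A noncompliant device is marked "block" with no grace period; Conditional Access
    # (configured separately) is what turns that mark into a denied sign-in.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}
$cp = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $compliance
Write-Host "Compliance policy created: $($cp.id)"

# Policy 2: app protection (the "container" of item 9). Work data can only move between
# managed apps; clipboard, Save As, backup, printing and contact sync (item 11) are blocked.
$appProtection = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - M365 app container"
    pinRequired                             = $true
    deviceComplianceRequired                = $true          # ties the container to policy 1
    minimumRequiredOsVersion                = "17.0"         # assumed, matches policy 1
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"  # no sharing into personal apps
    allowedOutboundClipboardSharingLevel    = "managedApps"  # item 9: copy/paste stays inside
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true          # no iCloud backup of work data
    printBlocked                            = $true
    contactSyncBlocked                      = $true          # item 11: no contact export
    periodOfflineBeforeWipeIsEnforced       = "P90D"         # selective wipe after 90 days offline
}
$ap = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body $appProtection
Write-Host "App protection policy created: $($ap.id)"

# Scope the container to the Microsoft 365 apps the post names. Bundle IDs are assumptions;
# confirm them in the Intune portal's app picker.
$targets = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } }        # OneDrive
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.sharepoint" } }      # SharePoint
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } }  # Outlook
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($ap.id)/targetApps" `
    -Body $targets
```

Two things the script deliberately leaves out: neither policy is assigned to a user group yet (assign them to the BYOD group in the portal or via the `assign` action), and a Conditional Access policy in Entra ID that requires "device marked as compliant" or "approved client app / app protection policy" for Exchange Online and SharePoint Online is what makes a noncompliant phone lose its mail. Without that rule the compliance policy only reports; with it, `gracePeriodHours = 0` is what "immediately" means in item 10. Android gets the equivalent `androidCompliancePolicy` and `androidManagedAppProtection` objects, where `screenCaptureBlocked` is also available.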
Image Source: Help Net Security
Termination Policy for BYOD
Okay, now to the stickier part of the equation: what happens when you terminate an employee, they quit, or they lose their phone, and there's company data on that phone?
How do you handle that?
How do you manage that?
Now, there are capabilities. If you've set up mobile device management using any of a variety of solutions, you can do a remote wipe. Ideally, and in most cases, that's just the company data, a selective wipe. But there are occasions where there's an issue and that doesn't work.
So then can you remote-wipe the whole phone? Sometimes that is a necessary step: not just wiping company data but wiping the whole phone. Factory reset, all the data's gone.
Can you do that? And have you talked to your employees about that possibility in the event that something does happen?
They might think, oh, that's not really going to be a big deal, I doubt that will ever happen. Let me tell you, that is one of those things that will happen. And when it does, you don't want to be caught off guard, because then it's a big deal.
So it's good to figure it out now: think about what your company policy is going to be, what you want it to be, and what's acceptable, and then communicate that to your users and employees right away. If they want the privilege of accessing their email, or you need them to have access to their email or other company data, then communicate it, put it out there, and make sure they understand the parameters around that access.
You could also provide company phones, corporate phones, for business. I've tried that before, because I wanted to control and protect the data.
Well, how many of the employees ever wanted to do that? About zero, because nobody wants to carry around two phones. It just becomes a hassle.
In that particular case, I feel like it's very reasonable, and most users are really understanding, because you put it in the documentation, in the agreement or policy, and it says,
"Hey look, we're going to make our best efforts to in the event that we have to, we're going to remote-wipe just the company data. But if we can't, we do reserve the right to wipe the whole phone."
And the users typically say, "No big deal."
But you do want to say, "Hey, look, make sure you back up your personal devices, make sure you back up your phones, and do it on a regular basis." And nowadays the technology is there. I mean, you just do the Apple backups; I do Amazon backups for my photos on my phone.
There are a lot of different ways to back up your mobile device, and I would encourage them to do that as part of the policy, or at least the policy conversation.
In Conclusion: BYOD and Mobile Device Management
So anyway, just a few notes about mobile device management. And when I say it's trickling down to small businesses, I'm seeing it. Any business that accesses email on phones should have a mobile device policy in place. Whether you have three users or five, 20, or 50+, you need a mobile device policy in place.
It clears the air: there's no gray area, and everybody understands what's expected and what will happen if something occurs. And it enables you to protect your business, your company data, your email, and your client or patient information, whatever you have on there.
Interested in learning more about Mobile Device Management for your business? Complete this short form.
Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:
Tri-Cities, Washington 509.396.6640
Yakima, Washington 509.396.6640
Bend, Oregon 541.848.6072
Questions about your IT or Cybersecurity? Give us a call today!