If your teams are working from home thanks to omicron, take note: the National Cyber Security Centre has released a blog post outlining best practices for companies that allow bring your own device (BYOD).
With the rise of the omicron variant and a renewed recommendation to work from home wherever possible, cyber security is something of a challenge.
It is a challenge made no easier for organisations that have embraced BYOD.
The challenges of BYOD
BYOD, Bring Your Own Device, offers opportunities as well as challenges, especially for smaller businesses.
The rise of SaaS and cloud platforms has made bring your own device scenarios more popular than ever before. Companies can allow employees to access secure SaaS systems using their own devices, saving money and allowing staff to use devices they are comfortable with.
But BYOD also carries risk.
BYOD causes fragmentation within the IT estate, which is hard to police and even harder to provide effective security for.
Without being able to enforce blanket compliance and compatibility, you have to work with multiple operating systems and versions of those operating systems.
Data leaks, unintentional malware infection, use of USB ports, removable drives and unsafe software all pose their own risks.
Immature or incomplete BYOD policies
Many companies have accepted BYOD but have yet to put robust policies and procedures in place to manage it.
COVID and remote working have put enough strain on traditional ways of doing things, and new ways of working have exacerbated it.
Tips for managing BYOD for small businesses
Here are a few actionable tips to help small businesses embrace BYOD without putting networks or data at risk.
Create a robust BYOD policy
Clear, transparent policies are at the core of security. Staff must know what to do and what not to do in order to work safely.
Your policy should include:
- Minimum security controls for devices, including usernames, passwords, antivirus, firewall, security software and monitoring
- Enforcing encryption for data in transit and at rest
- Acceptable use, including internet use, software, downloading, accessing data on company drives, company-owned assets, liability and safe data use
- Data retrieval and storage, including guidance on copying data to devices, local storage, removable drives and taking data home
- Remote wipe capability, including installing remote location or wipe apps
- The right to inspect devices at any time if used for work
- Policies for managing lost devices, broken devices, data breach and termination of employment
That’s a practical minimum for a BYOD policy. If you work within regulated industries, you’re going to need a lot more than that.
Use a solid MDM solution
MDM, Mobile Device Management, solutions have matured to the stage where they can easily cope with BYOD.
Some of the more established brands like ManageEngine, IBM MaaS360, Apple, SOTI MobiControl, VMware AirWatch, Check Point and others all have usable MDM solutions for businesses of all shapes and sizes.
It will be an investment, but one that can do a lot to protect your data when employees are using their own devices.
Create an application blacklist
While something of a blunt instrument, creating an application blacklist can help reduce the risk of malware and data loss.
Those applications could include file sharing apps, BitTorrent apps, social networking apps and games. You could also blacklist app stores if you really needed to.
You’ll need to keep your list up to date and enforced, but it’s an extra layer of protection.
Enforce least privilege across your network
Most businesses already enforce least privilege and if you don’t, you should. Least privilege is the practice of granting users the minimal possible permissions to perform their job efficiently.
This, along with segmentation, containerisation and network controls, can minimise the damage that bad actors can do on purpose or that well-meaning staff can do by accident.
BYOD and the small business
With omicron, home working and trying to survive, most smaller businesses don’t have the time or energy to spend researching BYOD security.
But you have no choice. If you’re going to permit staff to use their own devices and the benefits they bring, you also have to mitigate the risks they present.
Fortunately, there’s a lot of information out there on the subject, not least this detailed advice from our friends at the National Cyber Security Centre.
The good news is many companies have embraced BYOD so you have the opportunity to learn from their combined wisdom. And their mistakes!
As always, our team are proficient in advising you on the best ways to secure your business against any type of cyber risk. So get in touch for help!