The age of BYOD isn’t near – it’s here. In 2013, 80 percent of employees said they use personal technology for business (Ovum) and 53 percent of organizations said they officially condone BYOD (Microsoft TechNet). In fact, nearly 80 percent of companies have implemented a virtual desktop infrastructure (Trend Micro).
But only about half of companies with a BYOD program require that devices either be pre-approved or have pre-approved security software installed (CRN). This tells us that security leaders still aren’t doing their due diligence to address employee mobile device security – a necessary process in the supply chain.
While mobility is important, security is equally important – especially in the supply chain where information can be sensitive and devices can be subject to compliance. The issue of device security can be solved by putting an employee policy in place that governs the use of mobile devices. After all, what affects your business's security is not the device itself, but who is using it and what they're allowed to do with it.
Here are a few things to consider when putting together your mobile device policy:
1. What is your level of risk?
In order to put a mobile device policy in place, you must consider the risks associated with your environment. Issues surrounding mobile devices in the supply chain include privacy governance, data protection, the “right to be forgotten,” employee monitoring, breach investigation, and data ownership and recovery.
To create your risk profile, consider all of the possible situations that could result from poor management of the above issues. For example, what could happen if your data were to be tampered with or fall into the wrong hands?
Policies differ from business to business depending on the level of compliance that is required by your business. A concrete risk profile can provide a foundation for your mobile security policy – and a solid reason to say “no” to certain requests.
2. Which mobile devices will be supported?
It’s important to set boundaries and clearly define what’s allowed and what’s not. Too many organizations make the mistake of trying to accommodate any kind of personal device and platform that workers desire to use. This makes the task of supporting them all but impossible for an IT security team. With a wide range of mobile devices, a policy is likely to be stretched thin to accommodate all of them – and is therefore less effective.
There has to be some sort of standardization. Make sure your employees know that you are not trying to limit their device options, but simply trying to set some sort of framework for your mobile device policy. An enterprise mobility consultant can help you select the ideal devices for your business needs.
3. How will information be accessed?
How will you or your employees access business reports or inventory information? Will it be stored and accessed on the device? Or will it be stored elsewhere and accessed remotely? In other words, will your devices simply be viewing platforms, or will employees be able to directly handle data on them?
This will depend on your risk profile, or the liabilities associated with viewing and handling your data. Keep in mind that, depending on your industry and business type, compliance and reporting mandates can come into play in this decision. If your devices are subject to compliance, you should consider limiting the ability to handle data on the actual device.
4. Who will be able to access it?
Of course, business owners don’t want to believe that any of their employees could pose a high risk to the organization, but some might simply be more qualified to handle sensitive information than others. In that case, consider a role-based deployment policy in which you create risk profiles for each employee role and allow certain employees to access certain levels of information from their device.
Virtualization is a consideration in many compliance-heavy industries – it allows employees to work from a remote desktop where applications can be run, but information is not left on the device.
What will your mobile device policy include? As mentioned, a consultant can help your business select devices and set up a policy that will provide you with both optimal mobility and security.