The folks over at the IBM midmarket team have come up with a good slideshow with six tips for better BYOD. First, let's look at the list, and then we can dive in and add some more:
- Apply mobile device management software
- Rethink your perimeter strategy
- Classify, classify, classify
- Make security relatable and understandable
- Undertake a functional exercise
- Be prepared for devices that will inevitably get lost
1. Mobile Device Management (MDM) - For organizations of any size, this really should be a no-brainer at this point. There are many choices here, from free on up. An important thing to remember, though, is that MDM exists to enforce your corporate policies. If you don't have any policies in place, there isn't anything to enforce. Therefore, I would say that even before putting an MDM in place, you need to formulate your corporate policies. Many MDM solutions have some policies built in by default. What kinds of apps are and are not allowed, whether data should be encrypted, and where you can go on the corporate LAN are all part of the mix. Another thing to note is that this is often where you will meet the biggest resistance from employees. No one likes to cede control over their own devices to the corporate big brother.
2. Rethink your perimeter strategy - Perimeter? Did you say Perimeter? What perimeter? The folks at IBM talk about making sure your security strategy encompasses the different kinds of devices, users and data being accessed and used. I think today's perimeter is so fungible that all you can hope for is to have a hardened interior where you keep the crown jewels. Beyond that, I am a believer in micro-perimeters, with so many of our users working outside the traditional workplace these days. I also think the cloud redefines the parameters of the perimeter.
3. Classify, Classify, Classify - I am in total agreement with the Big Blue team here. It is imperative that you classify not only the kinds of data you have on the network, but the groups of users accessing that data. You also need to classify the kinds of devices they are using on the network as well. The one thing I would add here is that after classifying, you prioritize.
4. Make security relatable and understandable - I call this one "why do I need to know algebra and geometry?" I hear this kind of stuff from my kids all the time. They don't understand the reason why they need to understand things that they think they will never use in their lives. Unfortunately, security is the same way. Too many non-technical folks (and, let's face it, too many technical folks as well) just can't connect the dots on why we have security policies and what the potential harm is. I believe less is more when it comes to security policies. Better to pick your battles with clear objectives and policies that are sensible. People need to understand that when you put something in the front of the machine, what comes out the other end is a direct result.
5. Undertake a functional exercise - War games, if you will. Play out the scenarios for the environment you have: what would happen if something went wrong? Have plans in place for likely scenarios. You can't plan for everything, but the more you can plan for, the better off you are.
6. Be prepared for devices that will inevitably get lost - This is part of the planning for likely scenarios. Mobile devices getting lost is part of our lives. There should be a clear-cut process for what to do when, not if, a device is lost. That process should cover things like shutting down access from that device, wiping the device of any corporate data, etc.
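To show how tips 1, 3 and 6 fit together in practice, here is an added example (not from IBM's slideshow or any MDM product) of a small policy check: device posture is evaluated against a corporate policy, weighted by the classification of the data being requested, and a lost device is cut off and wiped. The policy fields, data classes and device records are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed data classification, ranked so rules can be prioritized (tip 3).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Device:
    device_id: str
    owner_group: str          # classified user group, e.g. "staff" or "finance"
    mdm_enrolled: bool
    encrypted: bool
    apps: frozenset
    lost: bool = False


@dataclass
class Policy:
    blocked_apps: frozenset   # apps not allowed on enrolled devices (tip 1)
    encrypt_from: str         # lowest data class that requires device encryption
    lan_groups: frozenset     # user groups allowed onto the corporate LAN


def compliance_failures(dev: Device, policy: Policy, data_class: str) -> list:
    """List every policy rule a device fails for the requested data class."""
    failures = []
    if dev.lost:
        failures.append("device reported lost")
    if not dev.mdm_enrolled:
        failures.append("not enrolled in MDM")
    if SENSITIVITY[data_class] >= SENSITIVITY[policy.encrypt_from] and not dev.encrypted:
        failures.append(f"{data_class} data requires storage encryption")
    bad = sorted(dev.apps & policy.blocked_apps)
    if bad:
        failures.append("blocked apps installed: " + ", ".join(bad))
    return failures


def lan_allowed(dev: Device, policy: Policy) -> bool:
    """LAN access needs a compliant device (at the 'internal' level) and a permitted user group."""
    return not compliance_failures(dev, policy, "internal") and dev.owner_group in policy.lan_groups


def handle_lost_device(dev: Device) -> list:
    """Tip 6: when a device is lost, cut access first, then wipe corporate data."""
    dev.lost = True
    return [("revoke_sessions", dev.device_id), ("wipe_corporate_data", dev.device_id)]
```

Once a device is marked lost, every later access check fails on that rule first, so the order of the two actions (revoke, then wipe) matters only for how quickly exposure is closed, not for whether the device is blocked.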
BYOD is here to stay. You can try to ignore it, or you can be proactive. IBM has some good advice here that can help you get your head around BYOD. Whether you take it or use your own strategy, the important thing is to do something.