Avoiding basic BYOD blunders

Most companies have figured out how to sidestep BYOD security errors - have you?

By Michael Fitzgerald, CSO
February 14, 2013 03:15 PM ET

Using geo-sensing policies, where devices only have access to applications and data when in a certain zip code or GPS coordinate, can be helpful in some circumstances.

Blunder Number 4: Fail to train employees

"That's a big no-no," says Crook. Employees need to have some guidance on what they should and shouldn't do with their devices on the corporate network. That's obviously true for companies that have compliance requirements, like healthcare and financial firms. But any company can have employees overstep their bounds. Give them education and training, and then ask them to sign a document about complying with your company's policies. Without those things, "you're setting yourself up for lawsuits." Especially if you commit sin number five...

Blunder Number 5: Assume people won't lose a device when it's their own.

They do, and they will. What kind of attachments might be on email? What if there's a password file on the device? Or authentication for the network?

Blunder Number 6: Expect you can just wipe your hands of things.

There are lots of tools that let you wipe systems remotely, ranging from features in Microsoft Exchange to mobile device management software.

Remote wiping is a powerful tool, but when you zap all their personal data, even employees who leave on good terms could end up suing you.

Mobile device management software is useful, but should you really just wipe the box? Or can you revoke access to specific applications?

Blunder Number 7: Assume the worst and just ban BYOD.

BYOD is manageable. CISOs can mitigate risks. They just need to have a plan and a process that meets the needs of their company.

Finally, learn from those who've gone before you. One of the first companies to allow BYOD is IBM. It started back in 2000 with the BlackBerry, and after trials made BYOD a corporate initiative in 2004. It has more than 130,000 employees using their own devices, primarily smartphones and tablets.

IBM has a set of corporate security guidelines its workers must follow. Managers approve BYOD requests. The company then assigns workers an eight-digit alphanumeric password, and it has full remote wipe capabilities if someone loses their device, or has it stolen, though it has 'containerized' its applications so that it does not have to wipe an entire device to protect its data. IBM also limits the applications people can access, usually to things like email and IBM's collaboration suite.

"We don't deliver the keys to the kingdom," says Bill Bodin, IBM's chief technology officer for mobility, who is responsible for the company's BYOD initiative.

By the end of 2012, all workers who want to use their own devices will have to become 'certified.' IBM has developed about 45 minutes of video modules on the principles of secure mobile computing, and workers have to pass a test on the videos to be eligible to use their own devices. It's also developing a "persona" app for its internal app store, so that employees can download IBM-specific apps that match their roles.

Bodin's advice for BYODers?

"I would start small. Qualify a particular device. Ask, 'what are my core capabilities I need to mobilize?' And don't put the company's data at risk."
