Today’s workforce has been mobilized – literally. More and more users are accessing the company network through smart phones, tablets and laptops, and in many cases those devices have completely replaced the traditional desktop PC. Whether personally owned (BYOD), stipend-funded or company-issued, all those devices are constantly moving around to different physical locations and logging onto different networks. That presents a management challenge for IT departments, but you don’t have to throw up your hands and admit defeat; there are steps you can take to regain control.
The first step is to develop policies governing the use of mobile devices on the network. These policies should take into account whether the devices are purchased and owned fully by employees at their discretion, bought with a stipend provided by the company specifically for such purchase, or bought and issued to employees by the company.
From the IT standpoint, it might not seem to make much difference. Regardless of ownership, you want the same degree of security and control to protect the network from breaches. From the device user’s standpoint, however, there will be more acceptance of restrictions on company-purchased (or supplemented) devices than on those they paid for themselves.
Allowing BYOD (Bring Your Own Device) doesn’t mean you have to allow any and every device on the market to connect to your network. Your policy can list specific mobile operating systems (and versions) and/or specific device models that are acceptable. Limiting the number can make it easier to support and control the use of the devices on your network. However, this means policies will need to be updated often, as new devices and operating system updates are released and become popular.
Your policies should address whether and how employees are permitted to store company-owned data (company email, documents, spreadsheets and other files) on their mobile devices. Best security practice would be to require strong encryption of any such data. Be specific. Define approved encryption methods. Full disk encryption can be required for laptops. Phones should be protected by a PIN or passphrase, and data stored on smart phones should be encrypted, whether stored in the internal memory or on a microSD card. You should set complexity standards for passphrases.
Policies also need to address theft or loss of devices used for accessing company networks. Employees should be required to report the loss immediately, and devices should be required to have remote wipe technology enabled. The policy that users sign should explicitly state that by signing, they agree to have the device wiped if it is lost or stolen or if they leave the company.
Don’t forget to include mobile storage devices as well as mobile computing devices in your policies. External USB drives, flash card readers, and portable CD and DVD drives can all be used to store company-owned information and should be subject to the same restrictions (approval required, encryption required).
Once policies are in place, you need a way to enforce them. That logically begins with a means to identify and keep a record of all of the mobile devices being used by members of your workforce. You might think of an “inventory” as including only the property of the company, but in order to properly manage the devices in your workforce, you need to know what, where and with whom they are. Because it’s not possible, in a medium-to-large organization, to physically inventory all the devices, you need software to identify MAC addresses, device types, user names, operating system information, and even – with current location technologies built into most mobile devices – the physical whereabouts of the devices. Some Mobile Device Management (MDM) systems are able to detect when devices go missing, based on automatic check-in messages, and they can log user activity. The more automated the enrollment process is, the easier it makes things for both IT and the end users.
MDM software can also enforce your policies regarding approved OS/device types, by denying access to devices that don’t meet the criteria. Another option, particularly useful for contractors and other temporary personnel who need some access, is to redirect those unapproved or unenrolled devices to a guest network or otherwise restrict them so they don’t have access to any of the resources on the LAN but are able to access the Internet.
Another option for devices that don’t meet your standards (such as those that don’t use or support encryption), where their users still need to reach corporate resources, is to install a virtual desktop application: the user connects through it to a secure system, and that system, rather than the device itself, accesses the LAN.
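As an added example (not from the original post), here is one way an MDM-style enforcement check could encode the policy points from this post: approved OS versions, storage encryption, remote wipe and passphrase complexity from the policy section, and the allow / guest-network / deny outcomes described above. The policy values, device fields and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy values (assumptions, not from the post): approved OS
# families with the minimum (major, minor) version accepted for each.
APPROVED_OS = {"ios": (15, 0), "android": (12, 0), "windows": (10, 0)}
MIN_PASSPHRASE_LEN = 8  # constructed passphrase complexity standard

@dataclass
class Device:
    """One inventory record of the kind an MDM check-in would produce."""
    mac: str
    user: str
    os_name: str
    os_version: str          # e.g. "16.2"
    enrolled: bool           # present in the MDM inventory
    storage_encrypted: bool  # internal memory and any microSD card
    remote_wipe_enabled: bool
    passphrase_length: int
    passphrase_mixed: bool   # letters and digits both present

def parse_version(text: str) -> Tuple[int, int]:
    """'16.2' -> (16, 2); a bare '11' -> (11, 0); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")[:2]]
    return parts[0], (parts[1] if len(parts) > 1 else 0)

def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Decide 'allow' (LAN access), 'guest' (Internet-only network) or 'deny',
    and return the policy reasons behind the decision."""
    # Unenrolled or unapproved devices are redirected to the guest network
    if not dev.enrolled:
        return "guest", ["device not enrolled"]
    min_ver = APPROVED_OS.get(dev.os_name.lower())
    if min_ver is None:
        return "guest", [f"{dev.os_name} is not an approved OS"]
    if parse_version(dev.os_version) < min_ver:
        return "guest", [f"{dev.os_name} {dev.os_version} is below the approved version"]
    # Enrolled, approved device: apply the data-protection requirements
    reasons = []
    if not dev.storage_encrypted:
        reasons.append("stored data not encrypted")
    if not dev.remote_wipe_enabled:
        reasons.append("remote wipe not enabled")
    if dev.passphrase_length < MIN_PASSPHRASE_LEN or not dev.passphrase_mixed:
        reasons.append("passphrase below complexity standard")
    return ("deny", reasons) if reasons else ("allow", [])

def audit(devices: List[Device]) -> dict:
    """Summarise a whole inventory as {mac: decision}."""
    return {d.mac: evaluate(d)[0] for d in devices}
```

Devices that land in "deny" because of a data-protection failure are the ones for which the virtual desktop route above is an alternative to outright refusal.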
Finally, in developing and implementing your mobile policies, be sure to check into any legal ramifications. Privacy laws in some countries may restrict employers’ right to access employees’ personal data on their devices.
The mobile computing trend that has taken the business world by storm makes it much more complicated for IT departments to maintain control, but the convenience it offers for users and the potential increase in productivity for the company make it worth the effort.