BYOD Security: Getting Employees to Buy In

By Sue Marquette Poremba

Do you have a Bring Your Own Device (BYOD) security policy in place for your company? If you do, your employees may not be too happy about it: A recent report by technology research firm Gartner found that one-fifth of BYOD policies fail because employees find the rules too restrictive and don’t bother to follow them.

BYOD gives the workforce flexibility without the extra cost of supplying employees with gadgets. But workers are generally uninformed about BYOD security policies, or simply don’t care about them. And when company leaders try to enact policies that seem too strict, employees just tune out.

Another study, by security solutions provider Absolute Software, found that nearly a quarter of those surveyed don’t think they should face any consequences if a personal device they use for work is lost or stolen. Under this line of thought, the security of corporate data isn’t the worker’s responsibility.

The study also found that employees are unaware of the value of business data stored on their devices. This attitude may explain why, if a security incident with an employee’s own phone, tablet or other device does occur, many employees do nothing new to improve their security behavior.

Toronto-based startup Better Dwelling, an on-demand maid-booking service, has its maids use their smartphones to keep in touch with the main office. The company needs to engage the employees in smart BYOD policies because a breach could cripple the entire business, said Better Dwelling employee Paige Ring. The company has policies in place to secure the network, such as encryption and password protection, but those security functions are pointless if no one understands why they are there.

“You can’t force your employees to do anything with their own hardware,” Ring said.

If employees aren’t following BYOD security policies, it puts company information and the company network at risk, Ring said. But first employees need to buy into those policies.

“BYOD is tricky, because once employees know they can use their own devices and applications at work, they don’t see the rationale for any limitations on top of that,” said Cortney Thompson, CTO of cloud hosting and colocation provider Green House Data. “[For example,] if I can use the company cloud storage, why can’t I use Dropbox? Why can’t I play this game over the network?”

The best time to address BYOD issues is at the moment the policies are implemented, Thompson added. Don’t introduce the policies with a generic email outlining the rules. Instead, Thompson recommended introducing BYOD policies at a corporate-wide meeting, stressing the reasons for mobile device management. This also provides an opportunity for an engaged dialogue between employees and leadership about the policies.

After that meeting, continue to hold regular BYOD-related meetings that reinforce the policies or discuss changes. Leadership should approach these policy meetings with an open mind; employees may present concerns that the policies don’t address.

Paul Hill, from IT security consulting firm System Experts, said businesses must take two critical steps in order to engage employees in BYOD security once policies are formally introduced.

“First, companies should require employees participating in BYOD to annually sign a form acknowledging the policies and employee responsibilities, and waiving the company of any liabilities resulting from deleting employee data or applications,” he said.

“Second, companies should require BYOD participants to enroll the authorized devices with the company’s mobile device management system so that security configurations can be automatically configured, including providing the company with the ability to remotely lock and/or wipe the device if it is reported lost or stolen.”

An information-centric approach to managing these risks is essential because devices not issued by the company are too numerous, varied and vulnerable to be effectively managed.

“Keeping the lid on the risks presented by the new BYOD ecosystem will require IT departments to rapidly and effectively deploy business-wide strategies, policies and management technologies,” said Steve Durbin, global vice president of the Information Security Forum. “While safeguarding your organization’s data is of paramount importance, empowering employees to use their own devices safely and flexibly is essential to better workplace productivity, competitiveness, as well as keeping workforce morale and talent retention high.”

BYOD policy options can be crafted to reflect differing factors such as the information type, device ownership and the likelihood of access to more-sensitive information, Durbin added. For example, information and functionality may not be made available through a BYOD device for specific groups/roles, such as commercial systems or a human resources system. Use of certain types of devices and applications can also be restricted to those in specific job duties that require out-of-office network access.
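As an added illustration (not code from the article or from any of the firms quoted in it), the following Python sketch turns the factors Hill and Durbin describe into an access decision: whether the device is personally owned, whether it is enrolled in MDM and can be remotely locked or wiped, the classification of the information requested, the target system, the user's role, and whether the request comes from outside the office. The system names, roles, classification levels and rule thresholds are all hypothetical; a real deployment would draw them from the organization's own policy and from its MDM or identity provider.

```python
"""Hypothetical BYOD access-policy evaluator (added example, not from the article)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Ownership(Enum):
    CORPORATE = "corporate"
    BYOD = "byod"


@dataclass(frozen=True)
class Device:
    ownership: Ownership
    mdm_enrolled: bool         # enrolled in the company's MDM system
    remote_wipe_enabled: bool  # MDM can remotely lock/wipe it if lost or stolen


@dataclass(frozen=True)
class Request:
    role: str            # hypothetical job role, e.g. "field_sales"
    system: str          # hypothetical target system, e.g. "hr", "email", "crm"
    classification: str  # "public", "internal" or "confidential"
    device: Device
    off_site: bool       # request originates outside the office network


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy data (assumptions for this example): systems never
# exposed to personal devices, roles whose duties justify off-site network
# access, and the ordering of information classifications.
BYOD_EXCLUDED_SYSTEMS = {"hr", "payroll"}
OFFSITE_ROLES = {"field_sales", "on_call_engineer"}
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2}


def _deny_reason(req: Request) -> Optional[str]:
    """Return the first rule that rejects the request, or None if all pass."""
    dev = req.device
    personal = dev.ownership is Ownership.BYOD
    rank = CLASSIFICATION_RANK.get(req.classification)
    if rank is None:
        return f"unknown classification {req.classification!r}"  # fail closed
    # Role/system restriction: some systems are never served to personal devices.
    if personal and req.system in BYOD_EXCLUDED_SYSTEMS:
        return f"{req.system} is not available on personal devices"
    # Unenrolled personal devices are limited to public information.
    if personal and not dev.mdm_enrolled and rank > CLASSIFICATION_RANK["public"]:
        return "personal device is not enrolled in MDM; only public data allowed"
    # Confidential data only goes to devices the company can lock or wipe remotely.
    if rank == CLASSIFICATION_RANK["confidential"] and not dev.remote_wipe_enabled:
        return "confidential data requires remote lock/wipe capability"
    # Out-of-office access is restricted to roles whose duties require it.
    if req.off_site and req.role not in OFFSITE_ROLES:
        return f"role {req.role!r} is not approved for off-site access"
    return None


def evaluate(req: Request) -> Decision:
    """Deny-by-default: a request is allowed only if no rule rejects it."""
    reason = _deny_reason(req)
    if reason is None:
        return Decision(True, "all policy rules satisfied")
    return Decision(False, reason)


def sample_decisions() -> Dict[str, Decision]:
    """Constructed sample requests (not real data) exercising each rule."""
    unenrolled = Device(Ownership.BYOD, mdm_enrolled=False, remote_wipe_enabled=False)
    enrolled = Device(Ownership.BYOD, mdm_enrolled=True, remote_wipe_enabled=True)
    corp_no_wipe = Device(Ownership.CORPORATE, mdm_enrolled=True, remote_wipe_enabled=False)
    cases = {
        "unenrolled_internal_mail": Request("analyst", "email", "internal", unenrolled, False),
        "byod_hr_system": Request("manager", "hr", "internal", enrolled, False),
        "byod_confidential_mail": Request("analyst", "email", "confidential", enrolled, False),
        "corp_no_wipe_confidential": Request("analyst", "crm", "confidential", corp_no_wipe, False),
        "field_sales_offsite_crm": Request("field_sales", "crm", "internal", enrolled, True),
        "accountant_offsite_crm": Request("accountant", "crm", "internal", enrolled, True),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:28} {'ALLOW' if decision.allowed else 'DENY '} {decision.reason}")
```

The rules are evaluated in a fixed order and the evaluator fails closed, so an unrecognized classification or a new device type is denied rather than silently allowed; that is the property to preserve if the rule set is later moved into an MDM or conditional-access product.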

For policy controls to work, organizations must be able to trust their people to do the right thing. This is only realistic if the organization provides communication, training, monitoring and enforcement that make clear what behaviors are expected of employees. Behaviors can be difficult to change, and security awareness is often elusive.

True behavioral change will require not just good company citizenship, but also solutions that provide value for the employee, said Adam Ely, founder and COO of Bluebox Security. If there are too many restrictions, employees will find ways to work around them.

Employers also need to show they respect their employees’ privacy. One way to do that is to enable a privacy dashboard that displays exactly what the company is, and isn’t, tracking. You can also give employees the chance to suspend business use of the device. That option gives employees a greater sense of control over their own devices, Ely said.

Knowing that they have some control and privacy makes it much easier for employees to buy into BYOD security policies.