We examine what a robust bring your own device policy should include
Using personal phones and laptops for work purposes has become the norm for many charity employees over the last year. But doing so poses a significant cyber security risk.
Now, with many employees planning to switch to hybrid working – using both the home and the office as a workplace – the cyber security risk is increasing.
The risk from employees using their own devices at work is significant: 50% of businesses are breached through employee-owned equipment, according to security company Trend Micro.
That’s why every charity should think about drawing up a set of rules governing how staff can use devices for work. This set of rules is known as a bring your own device (BYOD) policy.
Some organisations choose to trust employees to stick to BYOD policies. Other organisations prefer to ensure that the rules are enforced using a mobile device management (MDM) system.
This software (MDM is also available as a cloud-based service) can configure employees’ devices to meet the policy, check that they stay compliant, and block devices that are not managed by the MDM from connecting to the organisation’s network.
So what should your charity’s BYOD policy include? Here are eight points that it should cover.
The first is a list of the types of devices and the versions of operating systems that employees are allowed to use. For example, it may specify that employees can use iPhones running iOS 11 or later, Android devices running Android 10 or later, or laptops running Windows 10 or later. Version numbers date quickly, so whatever minimum you set should be reviewed regularly against what the vendors still support.
It is also common for organisations to prohibit iOS devices which have been “jailbroken” or Android devices which have been “rooted”, because doing so bypasses many of the security functions built into these mobile operating systems.
Older operating systems such as Windows 7 and Windows 8.1, which no longer receive security updates, should also be prohibited.
Many organisations require all laptops to be running one or more endpoint security products. Some require anti-malware software on mobile phones. It may also be a requirement that mobile devices of any kind used by employees for work are enrolled on an MDM system.
A good BYOD policy should specify how staff devices should be configured to provide basic security. For example, most policies require that any device used for work purposes should be configured to lock itself after a few minutes if it is not being used. It must then require a password, PIN, or biometric such as a fingerprint before it can be unlocked.
This is an important security measure because 40% of large data breaches are ultimately caused by lost or stolen devices, according to Trend Micro. A lock screen only protects the data on a lost device if its storage is encrypted, which current iOS and Android versions do by default. Most MDMs can check that mobile devices are encrypted and secured with a strong password or PIN, and can enforce the lock timeout rather than relying on staff to set it.
Traffic between an employee’s home (or a public Wi-Fi hotspot) and your charity’s office crosses networks the charity does not control, and on an untrusted network it can be intercepted or tampered with.
The way to mitigate this risk is to require employees to install and use remote access VPN software on their devices whenever they connect to the charity network. Note that a VPN protects the path to the charity’s own network; cloud services that staff reach directly rely on the service’s own encryption (HTTPS), so the policy should also prohibit ignoring certificate warnings.
The most secure way to deal with employee-owned devices is to have a ‘whitelist’ (allow list) of permitted applications that can be installed and run. But this approach may not be practical, because staff may be unwilling to agree to run only approved work applications on their own devices.
A better approach may be to prohibit certain specific applications or types of applications (such as peer-to-peer filesharing applications which pose a high risk of introducing malware) if employees want to use their devices for work purposes.
Security patches and updates to applications and operating systems are often designed to close known security vulnerabilities which attackers can exploit to take over devices and networks. So a BYOD policy should require staff to turn on automatic updates where the device offers them, and to install application and operating system updates as soon as possible, and in any case within 24 hours of their release.
If employees choose to use their own devices for work purposes, then there is a risk to charity data if a device gets lost or stolen. So a BYOD policy should require employees to report any lost or stolen device as soon as the loss is discovered.
Employees should also agree that if a missing device is not found in a short space of time (for example, 24 hours) then its contents will be deleted remotely, using remote wipe software such as Find My Device (for Android devices) or Find My (for Apple devices). Where devices are enrolled in an MDM, a selective wipe that removes only the charity’s apps and data is usually preferable on a personal device, since it leaves the employee’s own photos and files untouched.
It is important that charity staff acknowledge in a BYOD policy that charity data stored on their devices belongs to the charity and not to the staff member. That means that if they stop working for the charity, they agree that any charity data must be deleted from the device.