The basics of a BYOD policy

Using personal phones and laptops for work purposes has become the norm for many charity employees over the last year. But doing so poses a significant cyber security risk.

 

Now, with many employees planning to switch to hybrid working – using both the home and the office as a workplace – the cyber security risk is increasing.

 

The risk from employees using their own devices at work is significant: 50% of businesses are breached through employee-owned equipment, according to security company Trend Micro.

 

That’s why every charity should think about drawing up a set of rules governing how staff can use devices for work. This set of rules is known as a bring your own device (BYOD) policy.

 

Some organisations choose to trust employees to stick to BYOD policies. Other organisations prefer to ensure that the rules are enforced using a mobile device management (MDM) system.

 

This type of software (and MDM is also available as a cloud-based service) can be used to configure employees’ devices to ensure that they are secure and prevent devices which are not managed by the MDM from connecting to the organisation’s network.

 

So what should your charity’s BYOD policy include? Here are eight points that it should cover.

 

 

Eight elements of a BYOD policy

 

 

Permitted devices

 

This lists the types of devices and the versions of operating systems that employees are allowed to use. For example, it may specify that employees can use iPhones running iOS 11 or later, or Android devices running Android 10 or later, or laptops running Windows 8 or later.

 

It is also common for organisations to prohibit iOS devices which have been “jailbroken” or Android devices which have been “rooted” because doing so bypasses many of the security functions built into these mobile operating systems.

 

Older operating systems such as Windows 7 which no longer receive security updates should also be prohibited.

 

 

Security software

 

Many organisations require all laptops to be running one or more endpoint security products. Some require anti-malware software on mobile phones. It may also be a requirement that mobile devices of any kind used by employees is enrolled on an MDM system.

 

 

Security configuration

 

A good BYOD policy should specify how staff devices should be configured to provide basic security. For example, most policies require that any device used for work purposes should be configured to lock itself after a few minutes if it is not being used. It must then require a password, PIN, or biometric such as a fingerprint before it can be unlocked.

 

This is an important security measure because 40% of large data breaches are ultimately caused by lost or stolen devices, according to Trend Micro. Most MDMs can check that mobile devices are secured with a strong password or PIN.

 

 

VPN use

 

The internet was never designed to be secure, and that means that there is often a chance that data travelling over it between an employee’s home (or a public internet connection point) and your charity’s office can be intercepted.

 

The way to mitigate this risk is to require employees to install and use remote access VPN software on their devices if they want to connect to the charity network.