BYOD Best Practices: Mobile is the Mother of Invention
Opting for BYOD or BYOP (Bring Your Own Phone) is often not a conscious choice but occurs out of necessity because life happens; we need to run and grab lunch or, our kids are sick, and we need to answer emails from the pediatrician’s office. Today’s workforce has moved mobility enablement from ‘a nice to have feature’ to ‘a need to have feature.’ Simply put, once we realized our cell phone could help us balance work and life, we jumped on board, but we forgot to ask the most basic questions such as: ‘Does my company know I’m using my phone for work? What happens if my phone is lost or stolen, will company data be at risk?’ Follow BYOD best practices to ensure your habits aren’t risky.
BYOD Best Practices Using SkyTerra’s WINDOW Method
It’s no secret that both companies and the workforce benefit from BYOD. Organizations save money by eliminating the need for continuously purchasing devices, end users are more productive, and people genuinely prefer using their own phones with which they are most comfortable. However, if you use your own device without following best practices, the chances for a breach increase and there are many reasons you do NOT want to be the root cause for such an occurrence. The fallout from a breach can gravely impact a company’s reputation, financial burden, and even potentially force an organization to shut its doors. According to a 2018 study conducted by the Ponemon Institute, U.S. companies experienced the highest average cost of a breach at $7.91 million!
While even the most careful person can still fall victim to villainous hackers, following best practices with SkyTerra Technologies BYOD WINDOW method will help you protect yourself and your company:
W: Watch your Wi-Fi
I: Implement security controls
N: Note your policies
D: Defend and update devices
O: Offer to be an advocate
W: Welcome ongoing training
BYOD Best Practices Rule #1
W: Watch your Wi-Fi
Guilty as charged.
Admit it; you’ve accessed public Wi-Fi without much thought, right? Don’t worry, we’re all guilty of the same crime. There are two types of public Wi-Fi networks: secured and unsecured. An unsecured network can be connected within close range without the need for a password or login information. A secured network typically requires you to agree to legal terms and provide a password before giving you access to the network. Connect to secured Wi-Fi whenever possible, but if you have to connect to an unsecured network, make sure it requires login credentials.
Order up for a hacker and a caramel latté.
How can a hacker use Wi-Fi to gain access to your device and conduct damage? A hacker can carry a router with a logical naming connection to where you are or perhaps just slightly nuanced that if you’re not paying very close attention, can easily appear to be a trusted public Wi-Fi network.
For example, let’s say you stop at a coffee shop called The Grind to grab a delicious caramel latté and work for a while. When you pull up the Wi-Fi connections you see: Grind Coffee Shop and The Grind Coffee Shop. It could be either, so you simply pick one and jump right on to the Wi-Fi. Mistake!
Unbeknownst to you, the associated router you chose is sitting in someone’s non-descript backpack in the coffee shop. Remembering your Mom’s birthday is this weekend, you jump on Amazon to order a birthday gift by quickly punching in your password and credit card information, including the security code. Do you use the same password for your phone as you do to access work files? Our malicious hacker knows that odds are you do. They log in to your network, key in the same password you used on Amazon, and voila… they have access to data they can hold for ransom and you haven’t even finished your caramel latté!
Watch your Wi-Fi
Do’s and Don’ts
- Pay attention and note the EXACT Wi-Fi name provided by the facility you’re visiting and confirm that EXACT Wi-Fi name is the network you’re connecting to with your phone.
- Ensure your connection requires login credentials.
- Have different passwords for personal and professional use. Ideally, use a unique password for each site requiring login information.
- Turn off automatic connectivity.
- Keep tabs on your devices’ Bluetooth connectivity. Keeping it open in public spaces you’re unfamiliar with (as opposed to home or office) means it can potentially provide unwanted access to people.
- Key in passwords when using public Wi-Fi where the characters are visible. Instead, see if your company can deploy two-factor authentication.
- Key in credit card numbers or access financially sensitive information when using public Wi-Fi.
- Ever try orange-flavored coffee – it’s gross. Trust us on this one.
BYOD Best Practices Rule#2
I: Implement Security Controls
I’m the monster in the shadows?!
Many of us are using personal devices to move and work upon company data, as well as implement and leverage applications without our employer’s knowledge or approval. While it may be true that the application we downloaded helps us do our job better, and the files we copied to our Dropbox account enables us to wrap up a project from home tonight, we may have inadvertently made our organization vulnerable. This is called Shadow IT and it places both us and our company in the line of fire for serious cybersecurity risks.
Generally-speaking IT makes technology decisions based upon the best possible combination of security and convenience. If you’re feeling that you could be more efficient with different technology, address this with your IT department or technology decision makers, they can work with you to find the right solutions. It’s especially important not to move company data out of its protected environment overseen by IT, and into a public environment; this is data leakage and it can cause accidental disclosure of information. Accidental disclosures can lead to large fines for companies, this is especially true in the health and financial industries.
I “pinky swear” not to do it again.
The above realization should not result in your completely avoiding accessing company data for working remotely or leveraging new applications. Chances are you’re an industrious and efficient person wanting to keep up-to-date with your role and the latest solutions. So, to swear off ever wanting to work remotely or with new applications would be a mistake. Committing to safety is the key to enable working remotely and leveraging new tools. It includes a combination of your company having the right BYOD security and management solutions in place and a controlled vetting process for you to be able to submit to IT, new applications for review. Remember, while it may be easier and faster to simply download apps and work around IT, you are placing yourself and your company in REAL DANGER.
Implement Security Controls
Do’s and Don’ts
- Talk with your IT department and/or management about implementing a controlled vetting process for the consideration of new applications.
- Suggest the implementation of an app management approach such as the one offered by Microsoft Intune. It covers areas such as assigning mobile apps to the workforce, configuring those apps with standard settings and removing company data from mobile apps.
- Brush your teeth 2 times a day.
- Download applications at will. Talk with your IT department and have a clear understanding about what is and isn’t acceptable.
- Copy and paste company data into your own personal storage.
BYOD Best Practices Rule #3
N: Note your Policy
Since this article has us all riding the honesty train, we must ask: Have you ever clicked the ‘Agree to Terms’ button without REALLY reading through all the terms? Don’t worry you don’t have to answer that; we already know the answer. If your employer is aware that you’re using your phone for work, did you receive and agree to a BYOD policy? If yes, and you don’t recall or have a copy of the agreement, it’s a good idea to go back and review what you have consented to.
Everyone likes bubbles.
A BYOD policy should clearly spell out in layman’s terms both your and your company’s responsibilities. And, it should identify what usage activities are acceptable, expected security behaviors, and the level of access you each have to the other’s information, as well as what you can (and can’t) do to that information. Some company’s BYOD policies include the ability to see EVERYTHING on your phone: personal photos, text messages, emails, apps and more. If you use an iPhone and enable your company to have ‘supervisory privileges,’ they will have unfettered access down to your location and personal preferences.
While the determined level of access is respectably the choice of your employer, there exists mobile device management (MDM) solutions designed specifically to implement a boundary or bubble of separation between your information and that of your company’s. This bubble helps keep everyone’s mind at ease and prevents a total wiping of the phone in the event you leave the organization. If you left your organization, only the information contained within what belongs to the company would be wiped, leaving you with your personal photos, texts, etc., untouched.
I’m not sure my company has a BYOD policy.
If you’re reading this and don’t recall signing a policy or are confident your organization doesn’t have one–despite people using their own devices for work–encourage your company to develop a policy as soon as possible to protect itself and the staff. They will need to seek out an attorney for formal policy creation but to get started with a reference, here is an example of a BYOD policy from Lab Tech Software.
Note your Policy
Do’s and Don’ts
- Have a very clear understanding of what you have consented to if you signed a BYOD agreement.
- Maintain a copy of your BYOD policy.
- Follow the policy and revisit it every few months.
- Encourage your organization to develop a BYOD policy if one does not already exist.
- Suggest a Mobile Device Management solution that leverages a boundary structure.
- Go rogue and stray from what you have agreed to with your company’s policy, it isn’t worth the risk!
- Assume responsibility for the creation of policy, it is a legal document and should be handled by legal counsel.
- Go in against a Sicilian when death is on the line.
BYOD Best Practices Rule #4
D: Defend and Update your Devices
Small clutch bags don’t hold much.
True story; during a recent weekend outing, a friend didn’t want to bring her large purse and opted for a teeny tiny clutch purse instead–one that couldn’t accommodate her phone–forcing her to hand-carry it for the night. At some point in the evening, she put the phone down and a stranger picked it up and left. You would be surprised how often devices are lost or stolen and when that happens, it’s a moment of sheer panic. ‘What’s on the phone? What can they do with the contents on it? Will there be consequences at work?’
Flip phones need not apply.
Older phone models and legacy (code word for ‘old’) operating systems are often targets for malware because the hardware and software are no longer supported with security patches. Standard BYOD policies will usually site what devices and OS are acceptable. If you don’t have a policy, talk with IT or management about the potential malware risks of older devices and operating systems.
Skip. Skip. Skippity-Skip.
It’s annoying having to run updates on our phones; we skip and delay them frequently. But this is a big no-no. Like the life cycle of applications, when weaknesses are identified, manufacturers and developers send out security patches to protect your phone and data. Skipping them only places both your and your company’s info at risk.
I’ve upgraded my phone, what should I do with the old one?
You have a couple of options: 1. bring it to IT to be wiped; 2. (most likely to happen) toss it in a drawer and if your organization has a solution like Microsoft Intune or something similar, it can be set up so that if your phone hasn’t ‘checked-in’ within a set amount of time, it completely wipes it.
Defend and Update Your Devices
Do’s and Don’ts
- Encourage your organization to deploy Microsoft InTune or similar MDM solution. This gives you multifactor authentication, making it next to impossible for a stranger to break into your phone. Additionally, your phone could be entirely wiped if it were to fall into the wrong hands.
- Run updates as soon as possible.
- Use unsupported or legacy devices to access company information.
- Ignore patches.
- Use a teeny tiny purse that can’t hold a cell phone.
BYOD Best Practices Rule #5
O: Offer to be an Advocate
Hero capes available, one size fits all.
Your technology’s security is often regarded as an ‘IT thing’ but when you stop and reflect upon how central a role our devices play in both life and work; security management and privacy protection is a team effort. Each of us must be touting BYOD best practices at work and at home. Strengthening the behaviors of the people we interact with means helping everyone mitigate the potential for a successful malicious attack.
All great superheroes have sidekick support.
If your IT or executive team is too busy or overwhelmed managing the company’s day-to-day operations, help them by seeking out support from an experienced security technology advisor like SkyTerra Technologies or other reputable company. You do not need a computer science degree or have been bitten by a radioactive spider to become a champion for fortifying your organization’s security and instituting a formal BYOD program!
Offer to be an Advocate
Do’s and Don’ts
- Recognize following BYOD practices is not just an ‘IT thing’ but a team effort.
- Suggest outside help from a security technology advisor if your organization is overwhelmed or doesn’t know where to start implementing a formal BYOD program.
- Ignore the opportunity to inform your friends and family regarding BYOD best practices–education for everyone is key!
- Purchase a security solution without talking to industry peers.
- Forget to turn off the lights when you leave the room.
BYOD Best Practices Rule #6
W: Welcome Continuous Training
You know what I mean?
Did you know that 95 percent of cybersecurity breaches are due to human error? Considering the numerous technology applications organizations leverage, people continue to be the weakest point in a company. And a breach is costly: A 2018 study by the Ponemon Institute revealed that for incidents with fewer than 10,000 compromised records, the cost was $2.2 million.
The reality is, hackers are clever– and very sneaky. Did you know that a hacker can lay in waiting for months, studying the nuances of how you write your emails, only to turn around and send malicious phishing emails using the language you frequently use? For example, say you tend to use the phrase: “You know what I mean?” The hacker could send an email using your email address crafted like the following: “Hey friend, I can’t remember my password for this file. I have so many to remember that I forget it from time to time… you know what I mean? Could you shoot me over what that was? Thanks for the help!” Your friend thinks it’s you, replies with his password, and the hacker gains valid login credentials. These credentials provide the hacker with the access keys needed to exploit the organization.
I’ll take one pound of cure, please.
One of the best ways we can help minimize human error and avoid falling victim to the ever-evolving attack methods such as phishing, vishing, smishing, whaling and more, is welcoming and committing to an ongoing cybersecurity education program incorporating everyone within your company. The old adage ‘an ounce of prevention is worth a pound of cure’ is true. Making the case for training and keeping security top of mind goes a long way to avoiding a potentially damaging incident! Typically, the most effective programs consist of more than annual one-day training. (Let’s be honest, how much can we possibly absorb in one sitting?) It’s easier for us to learn when training and tests are spaced out, interactive and fun. Some programs offer self-paced training with videos, others can be live seminars.
The choice is your company’s, but we have noticed that for some organizations, having an outside advisor manage and deploy the training and tests is better received. For example, SkyTerra’s managed cybersecurity end-user services includes an extensive library of training resources developed by one of the world’s cybersecurity experts, Kevin Mitnick of KnowBe4. For your IT department, it’s a lot of material to decipher, organize, deploy, and monitor. There are many resources out there so we advise being realistic about how much your team can handle internally! Even the best programs still need someone to oversee them and if they don’t get implemented, you and the people in your company aren’t trained– placing you right back in the danger zone.
Welcome Continuous Training
Do’s and Don’ts
- Make the case for ongoing cyber security end user training.
- Suggest outside help from an advisor if you don’t think your organization has the resources.
- Try to stay up-to-date on the latest hacking schemes– you don’t want to fall victim!
- Ever click an unfamiliar link in an email.
- Ever include user name and password credentials in an unsecured email.
- Overuse the term: ‘You know what I mean?’ … you know what I mean?
BYOD Best Practices Takeaway: Use SkyTerra’s WINDOW Method to Keep Security Simple
Using our own devices for work and personal life is convenient but many of us take security for granted and consider it an IT responsibility, when in truth it’s our responsibility, too. We must acknowledge that the data and communications we work with need fortifying and it starts with best practices. When in doubt, use the WINDOW method to protect yourself and the people you work with. If you need guidance, we’re happy to answer any questions you may have; connect with us at firstname.lastname@example.org or give us a shout.