Just This Once: The Slippery Slope of BYOD
It starts with a seemingly harmless download, and ends in a full-blown IT disaster. We’re talking, of course, about the much-discussed BYOD policy: a favorite among employees and a potential nightmare for IT administrators and MSPs.
November 4, 2013
By Michael Brown
In theory, the bring-your-own-device policy is perfectly legit in terms of security and compliance. If the technology includes reasonable safeguards and boundaries, the risk of lost or stolen data is significantly reduced. And if the technology is easy to use, employees would never need to use anything else. In reality, no matter how advanced the technology is or what policies are put in place, employees still somehow find a way to send, store and share files via insecure means.
Here’s how it usually starts:
Even the most basic BYOD policies likely restrict the use of third-party tools with regard to sensitive files: healthcare records, customer transaction data, etc. The employee knows these areas are out of bounds. But what about less sensitive documents like meeting notes, presentations, spreadsheets and reports? “I’ll just save this one file, just this once.”
Once this happens, the floodgates have been opened. Pretty soon, entire teams are saving and sending documents with unauthorized tools, and downloading all sorts of apps that could compromise company data. Eventually, a sensitive file will find its way into one of these tools – and that’s when you have a problem. A slippery slope, indeed.
So what’s to be done? Is a zero-tolerance policy the answer? How can MSPs implement a BYOD policy that keeps company data safe while giving employees the flexibility they need? While every company (and industry) will have different requirements, there are some general tips that will help you and your clients avoid the slippery slope of BYOD:
Put it in writing: This seems like such a basic step, but you would be surprised how many companies leverage BYOD without any written guidelines. How can you expect employees to follow the rules of a policy that doesn’t formally exist? Unlike other policies, the BYOD policy will need to be somewhat of a living document, as you’ll want to consider having a list of banned apps and use-cases, which leads us to our next tip:
Be specific: Where they exist, many BYOD policies are so vague that they confuse the end-users, who still aren’t sure what’s allowed and what isn’t. Many BYOD policies now list certain apps and tools that are off limits. One company, for instance, explicitly restricted Angry Birds, so there is precedent.
Be clear: Yes, there will be some “legalese” in the document, but a BYOD policy doesn’t have to read like a standard contract. For MSPs, it’s important to let employees know what’s required of them, but it’s more important that they know why the policy exists in the first place. Use language that is straightforward and easy to understand – don’t give employees any excuses.
The BYOD trend is only going to grow in terms of popularity. Unfortunately, so too will the disasters that come about as a result of it. How do you deal with the slippery slope of BYOD? Be sure to let us know in the comments section.