October 1, 2018
With the rise and rise of BYOD devices, many companies have enjoyed the productivity benefits of a flexible mobile workforce, without the up-front costs of purchasing and managing large quantities of mobiles & tablets.
However, with the big increase in mobile malware, as well as increased compliance with the introduction of GDPR, companies have realised they require a BYOD security policy to effectively govern and police their employee-owned (BYOD – Bring Your Own Device) mobile and tablet devices.
Like many companies, you’ve probably decided you need to create a BYOD policy to maintain perimeter security of your IT infrastructure and prevent data loss, particularly Personally Identifiable Information (PII).
Here are the 9 steps to consider when creating a BYOD security policy.
An effective security policy is essential for securing your mobile environment and should require (but not be limited to):
- Device enrolment to the corporate MDM platform
- Installation of supported security software
- Screen lock password protection
- Secure connection methods (VPN)
- Device firmware to be regularly updated and patched
- Periodic user re-authentication
- Separation between corporate and personal data
- Encryption of corporate data
- Blocking of jailbroken and compromised devices
Device enrolment to the corporate MDM platform
The time, practicalities and cost of managing a wide range of BYOD mobile devices, often not located within the physical building is significant. And with the price of an Enterprise Mobile Device Management (MDM) platform starting around the price of a cup of coffee, per month, it is no surprise why many companies have realised that effective governance of a BYOD policy is only possible with an MDM platform.
With IBM’s leading MaaS360 MDM platform, device enrolment takes minutes ‘Over-the-Air’. Simply send an enrolment text, email, or URL to the device and start managing employee devices to configure user and BYOD security policies.
Installation of supported security software
If not already a component of your chosen MDM platform, you should mandate installation of suitable anti-malware / anti-virus software within your BYOD policy. The MDM platform will also dramatically simplify the deployment and on-going update of any anti-malware solutions across your remote devices.
With IBM’s MaaS360, Mobile Threat Management detects and remediates malware on your enterprise mobile devices, with advanced jailbreak, root and hider detection – with ‘Over-the-Air’ security updates for complete simplicity. Administrators can quickly configure compliance policies based on incoming threats, improving the security of bring your own device (BYOD) and corporate-owned mobiles & tablets.
Screen lock password protection
When setting up a BYOD security policy, probably the most important step will be to enforce a screen lock password protection policy. Mobile devices will unfortunately always get lost or stolen, and without suitable security or password protection, criminals have direct access to your network and business data.
Screen lock security options include pattern, PIN, password, fingerprint, or face recognition. If using a password, you should read the latest password policy guidelines from NIST:
- Use multi-factor authentication, if available
- Use a phrase with multiple words – which you can picture in your head
- Require a minimum of 8 characters
- Check new passwords against a dictionary of known-bad choices
- Protect your most important accounts with a unique passphrase
- No more periodic password change requirements (without a reason)
Within your MDM platform, you can also mandate the following password policy configurations:
- Password type, e.g. numeric, alphanumeric, or complex.
- Minimum password length
- Maximum number of failed attempts
- Auto-lock (in minutes)
- Password expiration timeout (in days)
- Password history count – the number of unique passwords before one can be reused
Secure connection methods (VPN)
When connecting to the corporate network, especially via unsecured public Wi-Fi, you should use a secure VPN connection. Best practice should ensure you use effective encryption technologies, such as IP security (IPSec), Layer 2 Tunnelling Protocol (L2TP)/IPSec, and Secure Sockets Layer (SSL) and Transport Layer Security (TLS), to create a virtual encrypted tunnel between your device and the VPN server.
Alternatively, you could use a cloud-based security stack, such as Zscaler’s Gartner-leading Internet Access platform, which provides policy-based protection (cloud firewall; URL filtering; bandwidth control and more), to provide secure internet access across every device, in any location.
Device firmware to be regularly updated and patched
Security vulnerabilities seem to be in the news every other day. Implementing patch management solutions for your network endpoints is common practice for any IT team. However, it is impossible to mandate, enforce and gain insight into the status of the mobile security patching without an MDM platform.
Moreover, Watson Advisor – IBM’s acclaimed cognitive AI engine – actively monitors all your mobile devices within MaaS360, identifying any required security updates across so you can remotely update all devices – effortlessly.
Periodic user re-authentication
While frequent password re-authentication is generally not advised, it is good practice to enforce a periodic password changes:
- To prevent captured passwords from being used
- Lessen the chance that users will employ the same password for many different sites
- Makes it less likely that staff will share passwords with other users
Separation between corporate and personal data
In simple terms, corporate data, documents, apps and other materials need to be protected and secure, if for example, an employee leaves the organisation, or the device is lost, or stolen. With effective segmentation of data, IT will not need to painfully interfere with a personal mobile device.
Without data segmentation, the option is to back-up the personal device, then manually delete corporate data – or wipe the entire device, if required. This, or course, is not a desired course of action.
Importantly, your BYOD security policy should establish data ownership. Any company data remains the property of the organisation. You should retain the right to wipe devices brought onto the network, though it is advisable to provide guidance to users on backing up personal data.
An effective MDM platform will be able to separate company from personal data in a secure container, with the ability to selectively and remotely wipe just corporate data.
Encryption of corporate data
More and more data is now stored on mobile devices. Without encryption, any data on a compromised device can be accessed, so should therefore enforce encryption to ensure that all mobile devices across the network are meeting established encryption standards and protocols.
Blocking of jailbroken and compromised devices
With a jailbroken device, you can install unauthorised apps and updates, compromising the integrity of the device, and your security. The ability to remotely identify, block and wipe jailbroken devices, allows administrators to effectively police your BYOD security policy.
IBM MaaS360 – the right platform to secure your mobile Enterprise
IBM’s MaaS360 provides Enterprise Mobile Device Management with secure and simple device management – to take control of your iOS, macOS, Android, and Windows devices. All from a secure, cloud-based dashboard.
Quickly configure email, Wi-Fi and VPN profiles ‘Over-the-Air’, approve or quarantine devices, and distribute public or corporate apps from a unified dashboard. Enjoy security and management tools to protect from security threats and prevent data loss, ensuring GDPR compliance.
Protect from malware, stolen or jailbroken devices, and unauthorised user behaviour; Set granular security policies for specific devices or personnel; Or remotely locate, lock, and wipe lost or stolen devices; And grant secure access to work documents in an encrypted container.
In just a few clicks, devices can be enrolled – so you can start taking control of your mobile workforce, including BYOD.
Further reading
- WSUS and SCCM third-party patch management
- A buyer’s guide to Patch Management Software
- On-demand webinar: How to develop security vulnerability management programmes
- What is a Vulnerability Scan and does my company need one?
- Pros and cons of outsourcing your Cyber Security – In-house, MSSP, or Virtual SOC?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24x7x365 from our ISO27001-accredited UK Network & Security Operations Centre (NOC/SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.