BYOD: How to Safeguard Your Company's Data with Policies and Procedures That Address Visual Security Threats
By Rebecca Herold, President of SIMBUS LLC, CEO of the Privacy Professor and 3M Privacy Consultant
The devices used for personal and work-related tasks are completely intertwined today, as employees often prefer the simplicity and flexibility of using what they already own, and businesses view this as a way to obtain increased productivity from their workers. While this can be a win for work-life balance, it is also a rising security risk – especially when you consider that only 45 percent of people use updated security controls and software on the devices they own. Consequently, CIOs, CISOs and IT managers tasked with safeguarding company data must work together to manage privately-owned devices.
This task is seeing mixed results. To alleviate security risks at endpoints, some companies leverage corporate cloud storage services, VPNs, updated anti-malware software and a myriad of other methods to protect company information accessed on personal devices. More often than not, however, companies have only one bring your own device (BYOD) requirement: employees’ devices must be password protected. That’s simply not enough. Nor is it enough to focus on just cyber threats when physical threats such as visual hacking persist.
Address Physical + Visual Security
Physical and visual security solutions tend to be less obvious when developing a security plan, but that doesn’t mean they are any less important. Companies need to consider the risks of visual hacking when employees are using their devices in and out of the workplace. As visitors, maintenance and contracted workers move through the building, it is crucial that they can’t see sensitive information on desktops or mobile devices. Privacy screens, such as the privacy filters from 3M, are a necessity for visual security no matter where employees are working.
BYOD Policies vs. Procedures
To address physical and cyber security threats for personal devices, CIOs and CISOs need to work closely with their IT managers to create plans tailored to their organizations. The biggest mistake is leaving a BYOD policy out of the plan. A close second, however, is making procedures part of the policy. Policies and procedures must be written and designed to work together, with a clear path for how procedures are used to carry out policies – but they should be separate documents.
Policies provide the goal for BYOD security and apply to the entire enterprise. As such, policies are reviewed by, and provided to, many different business-enterprise audiences involved in ensuring a company’s security. Procedures need to provide the steps for how to comply with the policies. These steps differ among business units and departments based upon their associated business activities. When businesses include one set of procedures within an enterprise-wide policy, they quickly find that those procedures are not feasible for, or do not even apply to, all the business units because of the differences in the related business activities. When procedures are inappropriate or unfeasible, workers will not follow them, or may not be able to follow them, allowing malicious actors to find ways into the connected devices and access sensitive information.
Following is an example of a well-written BYOD policy:
The work areas and mobile computing policies apply to all computing devices and digital storage devices used to support Company X business and related activities, including those owned by the company, those owned or otherwise used by employees and contractors, and all other applicable computing devices and digital storage devices.
• Each personally owned computing or digital storage device (from this point forward referenced as bring your own device or “BYOD”) used to store, process or otherwise access Company X information assets must be approved by the appropriate Company X manager.
• All personnel using BYOD devices to access Company X business assets must follow all Company X information security and privacy policies whenever and wherever using the devices, and they must implement all Work Areas and Mobile Computing Policies requirements and the supporting Work Areas and Mobile Computing Procedures.
• All computing device screens must be clear of personal information or other confidential information when unattended to prevent inadvertent or deliberate viewing by unauthorized individuals in accordance with the Prevent Unauthorized Screen Viewing Procedures.
• All mobile and remote business-owned and BYOD devices must have Company X approved applications and tools loaded on them to accomplish remote lock, data wipe and location capabilities in addition to encrypting all Company X data, using approved anti-malware tools and implementing personal firewalls in accordance with the Remote and Mobile Computing Device Security Tools Procedures.
To ensure the BYOD policies are effective, the following is an example of a well-written procedure that would be one of many used to support compliance with the associated policy:
Preventing Unauthorized Screen Viewing Procedures
1. All individuals doing remote or mobile work on behalf of Company X must:
a. Take mobile and remote working training upon being approved to work remotely.
b. Use company-approved or company-provided privacy filters to help prevent unauthorized viewing by others.
c. Be aware of the ability of others in nearby areas such as at airports, restaurants, conferences, on airplanes, and on balconies, to view computing screens and shield the screens appropriately to prevent unauthorized viewing.
2. Screensavers used on all computing devices:
a. Must be configured to hide the contents displayed on workstation screens, including through the use of privacy filters, and lock the workstation after an idle period of no more than 10 minutes [or the minutes value that is acceptable for your organization].
b. Must be configured to require a strong password, in accordance with the Company X Password Policies, to unlock the screen.
3. Company X employees, contractors and third parties must lock their computing device screens and systems when leaving the computing device unattended in secured areas and when not using them in public areas where others are within the vicinity.
4. Company X employees, contractors and third parties must ensure that unattended computing equipment has appropriate protection to prevent unauthorized access and theft.
As you can see, policies should outline holistic, higher-level goals. This allows policies to have a long lifespan. Procedures, outlined separately, should tie back to policies with specific details that support execution. Procedures can then be updated as technology changes without having to re-write the entirety of the security policies or plan.
Update Procedures as New Technology and Risks Emerge
It is important to keep in mind that new technology is constantly emerging to improve BYOD security. For example, BYOD security procedures should protect data not only from external breaches but also from internal audiences, including employees, contracted workers and third-party vendors. If any of these parties are allowed access to sensitive corporate data from their personal devices, auto-wipe technology should be used. This way, when an individual stops working for or with the company, the company can provide the greatest assurance that they no longer have access to corporate data on their personal device. Overall, data wipe procedures protect sensitive data from internal and external breaches that can lead to identity fraud and intellectual property being sold to competitors or on the dark web.
BYOD security procedures can also be added to address emerging threats, such as data skimmers that are being found in public charging stations. BYOD procedures should include protection from this by providing employees with portable, company-issued charging devices to use instead of the public charging stations – and requiring them to use these portable charging devices to prevent company data from being swiped.
Protecting Sensitive Data on BYOD Devices
Incorporating holistic security policies and procedures for BYOD in the workplace is a proactive, money-saving solution. When CIOs, CISOs and IT managers work together to form a comprehensive set of security policies and procedures for BYOD devices, they can help uphold data security while reaping the benefits of allowing employees to use their own devices.