A bring your own device policy needs key best-practice protections, after the WannaCry ransomware attacks created an immediate demand from businesses for stronger cyber security and patch installations.
After WannaCry saw businesses worldwide held to ransom, the need for better cyber security and installing the latest software patches has become a high priority.
To protect against cyber-attacks, best practice recommends updating software, running antivirus, and backing up data. But this is not always quick and easy to do – especially if the business has a bring your own device (BYOD) policy in place.
Many employees now use their personal devices for business. This offers the convenience of being able to work remotely and reduces the cost of managing IT for the business. But because it’s a personal device, it is also natural for employees to want to keep control of it.
In other words, how can a balance be struck between personal privacy and protecting business systems and data which the device might have access to?
With the agreement of the employee, businesses can use Mobile Device Management (MDM) software to check that personal devices used for work, such as smartphones, tablets, and laptops, are updated.
However, this software can also track a device’s location and potentially wipe its data remotely, if it is stolen for instance. This presents something of a dilemma for the employer and employee.
There is a risk that employees would feel pressured into agreeing to such software being used – even if for positive reasons – or that by agreeing they are implicitly giving the employer permission to spy on them.
The major anxiety for employees surrounding MDM is the danger of personal data either being lost or being seen by people outside of their private circle. If the device were stolen and the company chose to wipe it, personal content, like family photographs, could be destroyed alongside business data.
The concern for business is that by not having such controls in place, they may not be able to prevent unauthorized access to business data or systems. Regarding their employees, the concern for business is that their anxieties are not unfounded.
Even a simple connection to a company system like Microsoft Exchange ActiveSync means that IT staff could remove or delete personal data from an employee’s phone. MDM potentially increases this access to make photographs, private documents and browsing history accessible to employers too.
Furthermore, if the business faced litigation or were involved in an official investigation of some sort, the employee’s phone, along with their personal content, might be seized and the content viewed by investigators, lawyers, a jury and judges.
While employees’ concerns are valid, if the business clarifies what the MDM does and why it is important, this could go some way to building trust and agreement.
While small businesses might not have a dedicated IT specialist or the technical know-how to implement MDM, having a brief and honest chat with employees is unlikely to be enough to allay their concerns.
Developing an acceptable use policy for BYOD is best practice, but technical language or legalese could further confuse employees who might not quite understand what they are agreeing to. What is required are BYOD policies that are easy to understand, transparent and updated regularly to maintain their effectiveness.
While it is easy to frame the concerns around MDM as a conflict between maintaining personal privacy and keeping business systems safe and data confidential, the reality is different.
Attacks like WannaCry pose a threat to both business and individuals because any of the information on an unprotected device could be held to ransom, stolen or corrupted.
Security is not something just for IT staff to deal with; it is something everyone has to be involved in for it to succeed. This will require regular and practical training to boost understanding and develop trust. With that in place, employer and employees are more likely to work together to combat potential cyber-attacks in the future.
Three steps towards cyber safety for SMBs:
- Assess yourself
AVG’s Small Business IT Security Health Check is a starting point to assess how strong the digital security of your business is. The results point out practical steps SMBs can take to re-assess cyber security.
- Take advice
Check the best practice for your region. Official recommendations from US-CERT include applying relevant patches, enabling strong spam filters, and ensuring antivirus software is set to scan regularly.
- Educate yourself
While BYOD has many benefits, understanding the pitfalls is essential to building a successful policy. AVG’s free Bring Your Own Device eBook will guide SMBs and help to construct a BYOD policy that is beneficial for everyone.
June 12, 2017