That said, it may surprise you to find out that a growing number of security experts believe companies should follow the second option. Too many employees are skirting the policies to begin with, so you may be better off forbidding personal devices from connecting to the network altogether, especially if your industry is highly regulated.
“If the risk appetite for a company is very low, meaning it is heavily regulated and has a low tolerance for risk, a BYOD program may not be appropriate,” said Titus. “Regulated companies also must be able to prove to auditors that their BYOD programs are effective.”
Instead of BYOD, Titus suggested a C(hoose)YOD option. Here, the company owns the device and its security, but employees are allowed to choose from a small pool of approved devices, keeping them part of the enterprise security program.
If you need to discontinue the program for any reason, it is important to determine how to clear company confidential data from employees’ personal devices without wiping out any personal information. “This can be a touchy situation,” said Titus, “and it’s important to partner with legal and HR before even temporarily terminating the program. Communication has to be top of mind and it must be balanced with other security awareness provided to employees to ensure you’re not creating cyber security fatigue.”
A failing BYOD policy can be devastating to a business, risking the loss of intellectual property, personally identifiable information of customers, and financial data – not to mention the exposure of the end user’s data. All it takes is for one device not to be patched, not to have standard anti-virus software or other security protections, to be misconfigured yet connected to your network, or to be lost or stolen for your company to become the latest victim of a major data breach.