Most employees have organizational data on their personal devices, should you be "managing" them?
The workforce is returning to “normal” following the pandemic, which means that more organizations are adopting a hybrid work schedule or even opting to work from home full-time. Over the last year, organizations have had to adapt to an influx of personal devices being used for work-related activities. Now, things like mobility, security, and mobile management solutions are top priorities for small businesses, and certain questions arise – should small businesses manage their employee’s personal devices? Is there a way to keep sensitive company data safe?
Employee monitoring is legal in the U.S., and monitoring laws give employers a considerable amount of rights to monitor employees’ activities on workplace devices (which should be backed up with valid business reasons). If you’re wondering if the employee monitoring laws apply to personal devices, they do to an extent. It is legal to monitor employees’ personal devices under set policies, such as “bring your own device,” known as BYOD, in which personal devices are used for work-related reasons and can be monitored within reasonable limits. It’s important for a company to figure out the policy best suited for their needs and scope of data protection because employee monitoring can be a touchy subject. Business owners should be aware of privacy laws and careful to respect the data privacy of their employees. If you've never implemented a BYOD policy, along with an acceptable use policy, that is a great place to begin.
Why would you need to manage and monitor employee devices?
Not every organization may see benefits from managing and monitoring their employees’ devices. However, if your organization has critical, sensitive data –coupled with a large margin of financial impact if it were to get into the wrong hands (whether through a hacker or a terminated employee) – you may want to consider creating a BYOD mobile management policy for the protection of your information assets.
Monitoring and managing employee personal devices will help to protect your company from malware attacks or data leaks. The reality is, the attack surface is expanding through mobile, which creates new potential for a hacker to gain access and extract data from your organization’s internal systems. Monitoring and managing the devices that are used for work-related activities are now considered basic, necessary security measures.
What is a BYOD policy?
BYOD stands for Bring Your Own Device and has been a growing trend for several organizations. Employees bring their own phones, tablets, and computers to the workplace for use and connectivity on a secure, corporate network. Why wouldn't we want to take advantage of the power of those devices that are already in our employee's hands?
There are several benefits to adopting a BYOD policy, including reducing the cost of equipment, reduced office space required – especially as several workers are now working from anywhere off-site – and a decrease in IT staff burden since employees often maintain their own hardware. However, along with benefits come risks. With BYOD policies, employee-owned devices can potentially expose security vulnerabilities not directly supervised by IT staff or addressed by currently in-place security solutions. This is where the need for an employee BYOD policy and MDM (Mobile Device Management) solution comes in.
Mobile Device Management
Ask yourself these questions: When an employee is terminated, what happens to organizational data on their personal device? Can you simply shut off their access to all corporate data on their device? What happens to saved or cached data on their device? Is it ignored, or is business data wiped? How is business data separated from a user’s personal data? Are you able to remotely remove all organizational data from their device, or does that require a wipe of their entire device? Is a complete device wipe violating their rights?
This is where a modern MDM solution comes into play. MDM is a mobile management platform used by IT professionals and departments to monitor, manage, and secure employees’ mobile devices that are deployed over multiple mobile service providers and operating systems.
Modern MDM solutions have the ability to "box in" any organizational data so that IT can monitor only that location, limiting access and control of the employee's personal data elsewhere on the device, yet providing complete control over organizational sensitive data. Years ago, Legacy MDM solutions could not segregate organizational vs. personal data, and could only erase the entire device after an employee departed. Current systems are much more advanced and targeted – providing much-needed remote data revocation capabilities. Employees need to access information wherever they are and at any time, but safely. An MDM solution is a way to achieve that.
Monitoring principles to consider
If your organization has decided to pursue an MDM solution for mobile management and monitoring, you will find there are multiple options on the market. Features will vary, but certain criteria are essential:
- The MDM has to be Cloud-based, so updates are automatic and essentially painless. It should always be fully managed and offer 24/7 remote monitoring.
- Passwords, codes, blacklists, and other security policies will need to be enforced and able to be remotely wiped to prevent unauthorized access to devices.
- Geofencing is key to restrict specific data, access, and applications based on location.
- Some form of alert systems for users attempting to bypass security restrictions and remote disconnection or disabling of unauthorized devices and applications.
- The MDM system has to be scalable, so new users and increasingly sophisticated devices can be accommodated easily.
MDM solutions, however, are only as useful as their implementation, and monitoring policies will only succeed if executed properly. Organizations need to be thoughtful and thorough when creating policies that meet their unique data privacy and security needs, so we suggest creating clearly defined goals and remain transparent with employees. 77% of Americans surveyed by Harris Poll said they would be less concerned about having their digital activity monitored as long as their employer was “fully transparent.”
Attempting to monitor your employees without their knowledge could potentially damage your company’s reputation and increase employee turnover. In the same survey, 70% of employees also indicated they would consider quitting if they found out they were being monitored without their knowledge.
It’s nearly impossible to avoid employees accessing organizational data on personal devices. In fact, it is proven to be a positive, productive thing to allow it. However, the right policies and a modern MDM solution can protect your company’s sensitive data, especially if you’re faced with a tight IT budget. In many cases, it has proven to be more cost- and time-effective to implement a BYOD policy and monitor personal devices through MDM software vs. providing organizational-owned devices. Adopting a BYOD policy and approach, through MDM, allows us to monitor, manage, and secure employees’ mobile devices over multiple mobile service providers and operating systems – instead of purchasing computers, phones, and tablets for all of your employees and having your IT department keep track of them all individually.
Each organization must look at how important its data is, the level of sensitivity, and gauge the risk to know who and what needs protection. Data is an asset and if it’s compromised in any way, what would be the financial or reputation consequences?
Here at InsITe, we can help you navigate BYOD and MDM solutions, and help you identify the solution that best meets your needs. Once we know your priorities and needs, we can also offer mobile integration services, Cloud solutions, and manage the systems that tie it all together.