Mobile devices have forever changed the way we conduct business, but being “always on” carries with it a real threat of corporate data loss. As your company develops a mobile device management policy to address this risk, take the following best practices into consideration:
1) Ask your employees what they need from technology. Your business has a diverse workforce, and there is no better way to find out what they need their technology to accomplish than to ask them directly. Conduct a survey of your business’s employees, and ask them what they need from their computers, mobile phones, voice and data plans and devices so that you can understand their mobile requirements.
2) Determine the levels of support your workforce will need. Not all employees will need the same level of support for their mobile devices. Consider creating three tiers of mobile device support—tier one users would qualify for corporate devices that are provisioned with PIM (personal information management: mail, contacts, calendar) and business applications, tier two users would have employee-owned devices that are managed and supported by your company, and tier three users would have employee-owned devices with limited connectivity and no company support.
3) Treat mobile devices like corporate-owned PCs. As you build your mobile device policy, reserve the right to manage all mobile devices that have access to company resources just as you would manage company property—even if those devices are employee owned. Make sure employees know that you will be installing your company’s security profiles on their devices as a condition of access to the company’s resources.
4) Have a plan for isolating sensitive corporate data from personal data. There are several ways to achieve this separation, so be sure that whichever method you choose allows you to “wipe” corporate data from an employee-owned device that goes missing or has been stolen.
5) Make sure your policies are strong enough to prevent data security breaches. Ensure that emails are encrypted while in transit, set forth policies for minimum PIN lengths, prohibit simple passwords and set up autowipe thresholds that prevent cybercriminals from easily guessing passwords. Also consider autolock options and remote wipe features that can ensure data won’t be leaked in the event the device is stolen or lost.
6) If your company is highly regulated, consider disabling certain mobile features. If you’re building a policy for a company in financial services, healthcare, insurance or the public sector, consider preventing employee access to cameras, app stores, browsers, YouTube and explicit content. Blocking these features, in conjunction with tightening password requirements, enabling encryption and implementing authentication policies, can help your company meet strict regulatory compliance requirements.
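The controls in items 5 and 6 only protect data if every enrolled device actually has them in effect, so a practical check is to compare each device’s reported settings against the policy for its tier. The script below is an added example, not code from this article or from any MDM product: the record fields, the threshold numbers and the “standard” versus “regulated” policy split are assumptions, and the inventory records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePolicy:
    """Controls from items 5 and 6. Threshold values are assumptions; the article gives none."""
    min_pin_length: int = 6
    allow_simple: bool = False       # 1234-style passcodes prohibited
    max_failed_attempts: int = 10    # autowipe after this many wrong guesses
    max_inactivity_min: int = 5      # autolock after this much idle time
    blocked_features: frozenset = frozenset()  # item 6: regulated sectors only

STANDARD = DevicePolicy()
REGULATED = DevicePolicy(blocked_features=frozenset({"camera", "app_store", "browser"}))

def evaluate(device: dict, policy: DevicePolicy) -> list[str]:
    """Compare one device's effective settings with the policy; return its violations."""
    findings = []
    if device["min_pin_length"] < policy.min_pin_length:
        findings.append(f"pin length {device['min_pin_length']} below {policy.min_pin_length}")
    if device["allow_simple"] and not policy.allow_simple:
        findings.append("simple passcodes allowed")
    # 0 means "never wipe" on most platforms, so treat it like an oversized threshold
    if not 0 < device["max_failed_attempts"] <= policy.max_failed_attempts:
        findings.append("autowipe threshold missing or too high")
    if not 0 < device["max_inactivity_min"] <= policy.max_inactivity_min:
        findings.append("autolock missing or too slow")
    if not device["mail_tls_required"]:
        findings.append("email not encrypted in transit")
    if not device["remote_wipe_enrolled"]:
        findings.append("remote wipe unavailable")
    for feature in sorted(policy.blocked_features & device["enabled_features"]):
        findings.append(f"{feature} enabled but blocked by policy")
    return findings

def noncompliant(devices: list[dict], policies: dict[str, DevicePolicy]) -> dict[str, list[str]]:
    """Map each device id to its violations, picking the policy named in the record."""
    report = {}
    for d in devices:
        found = evaluate(d, policies[d["policy"]])
        if found:
            report[d["id"]] = found
    return report

INVENTORY = [  # constructed records, not real devices
    {"id": "corp-001", "policy": "regulated", "min_pin_length": 6, "allow_simple": False,
     "max_failed_attempts": 10, "max_inactivity_min": 5, "mail_tls_required": True,
     "remote_wipe_enrolled": True, "enabled_features": {"mail"}},
    {"id": "byod-017", "policy": "regulated", "min_pin_length": 4, "allow_simple": True,
     "max_failed_attempts": 0, "max_inactivity_min": 15, "mail_tls_required": True,
     "remote_wipe_enrolled": True, "enabled_features": {"camera", "app_store", "mail"}},
    {"id": "byod-042", "policy": "standard", "min_pin_length": 6, "allow_simple": False,
     "max_failed_attempts": 10, "max_inactivity_min": 5, "mail_tls_required": False,
     "remote_wipe_enrolled": False, "enabled_features": {"camera", "browser"}},
]
```

Running `noncompliant(INVENTORY, {"standard": STANDARD, "regulated": REGULATED})` leaves the corporate device off the report and lists six findings for the regulated BYOD device and two for the standard one.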
7) Include mobile devices in your acceptable use policies, and don’t grandfather in existing devices. Develop specific stipulations that govern the use of new technologies, like smartphones and tablets, and be sure to cover specific risks associated with each type of technology. Take time to ensure employees understand that the updated policies may include a full wipe of their device when the employee leaves your company. Advise employees that using their personal devices for work may impact their privacy, and let them know that company information on personal devices is subject to data discovery in the event of litigation.
8) Determine if your company needs a tiered reimbursement policy for voice and data services costs. Many mobile carriers are moving toward unlimited data plans. However, double check to see if you need to create reimbursements for employees whose corporate use of devices exceeds your company’s data plans, and remember to proactively monitor ongoing voice and data usage expenses.
9) Identify which users need which enterprise-class applications. Start this process by considering the applications all employees will need—i.e., simple email, productivity and collaboration tools, communication platforms—and then layer on dedicated applications based on the individual user’s needs, like CRM access, finance or logistics applications.
10) Require employees to back up their own personal data. A good mobile device policy asserts the right to wipe the device if it is lost or stolen or if the employee leaves the company. However, ensure employees know that it is their responsibility and not the responsibility of your company to store and/or back up their personal information and data.
11) Require that employees understand and agree to the company’s acceptable use policy. Make sure this happens before the employee is granted access to the corporate environment. Employees are far more likely to follow the rules and far less likely to create security issues if they are aware of the policies in place to keep corporate data secure.
12) Define what happens when employees fail to comply with the company’s mobile device policies. Consider ramifications for noncompliance, and suggest to leadership that failure to comply with the mobile device policy could result in the suspension of any or all technology use, disciplinary action or possible termination of employment.
13) Revisit the policy on an annual basis. Technology evolves quickly. Be sure to revisit your policy once a year to ensure that it is current with trends and devices.
Want to learn more about managing employee-owned devices? Read our full offering of security and compliance services, including Mobile Device Management.