How to Create a Secure BYOD Policy

As a managed services provider (MSP), you know the importance of cybersecurity. In an era in which we use more devices than ever before, it’s becoming increasingly crucial to have strong “bring your own device” (BYOD) and mobile device management policies to ensure company data remains secure.

Unfortunately, while BYOD offices are on the rise, few have adequate cybersecurity protocols in place to manage their employees’ use of personal devices. In fact, many businesses allow their employees to begin using their own devices immediately—without setting up additional security measures to prevent the devices from becoming vulnerable to risk. MSPs need to make sure their customers understand if they don’t have a well-developed BYOD policy, they’re exposing themselves to the risk of a data breach.

One of the most important elements of a BYOD policy involves mandating strong and unique passwords. While even the most basic BYOD policies require password protection for all devices and accounts, many don’t enforce password policies that result in effective passwords. Read on to learn more about what makes a good password and how you can create a secure BYOD policy.

How strong is your password?

When you think about password security, you should consider the strength of your current password. Most likely, it isn’t as strong as you think. Common, long-held beliefs about password best practices aren’t always right.

Common requirements—like using numbers, capitalization, symbols, and even frequently changing your password—don’t necessarily increase your security in a significant way. If anything, they might reduce it. Passwords that result from these policies tend to be harder for users to remember—but not harder for hackers to hack. Given these passwords are difficult to remember, users are also more likely to reuse them across devices and accounts—or to ask their devices to remember them. This makes accounts even more vulnerable to cyberattacks.

The ease of remembering passwords is important for a couple of reasons. First, it reduces the need to change passwords frequently due to the user forgetting their old password. Second, it reduces the reliance on password assistance tools like hints or storing passwords—both of which weaken the strength of a password.

Some basic questions to ask when trying to determine the strength of your password:

• Is it a single word? Even if it’s a relatively uncommon word, a single word is easier to hack than a phrase involving multiple words (also known as a passphrase, discussed in further detail below).
• Are you using numbers as logical replacements for letters? Standard replacements like zeroes for “o”s and fours for “a”s are easily detected and cracked by computers.
• Are you using the same passwords across accounts? To create a strong password, you should also focus on ensuring passwords are unique and non-generic for each of your devices and accounts. Otherwise, if someone cracks one of your passwords, they’ll have access to more than just one account.
• Are you employing password authentication protocols like two-factor or multifactor authentication? If not, it’s easier for a hacker to gain access to your sensitive materials.

Developing a BYOD policy

As device use continues to increase around the world, you should prepare for an increasing number of customer requests to help develop BYOD policies. While you should design these policies to meet the needs of the individual organization, there are some general considerations to guide the creation of any BYOD policy.

First, consider the regulations of the industry. With any BYOD policy, you should make sure companies are following industry regulations to prevent costly audits or risk assessments. Once you have a sense of the regulatory framework for your customers’ specific industry, you can begin establishing security policies for all user devices. These should include minimum required security controls—such as strong passwords and data encryption. You should also consider whether you can remotely wipe data from a lost device and if you should install specific security software on the device.

The next step is to define acceptable use guidelines. The purpose of these guidelines is to prevent malware and viruses from entering your system. They specify which third-party websites and applications your employees can access from their devices, as well as what company-owned assets they can access. Finally, you should make an employee exit plan that ensures—when an employee leaves your company—they won’t continue to access sensitive information.

It’s very important you fully communicate your BYOD policy guidelines to your customer’s employees. Without clarifying the rules, employees may violate BYOD policies without even realizing they’re doing it. In addition to regular seminars, it’s best to have a formal BYOD training curriculum to keep employees updated on your policies. For ideal coverage, it’s best to have employees sign an agreement acknowledging they understand the BYOD policy.

By following these basic steps and adjusting your policies to specific industries and business needs, your MSP can develop BYOD policies that keep your customers’ data secure—while still allowing customers to use their own devices for work where possible.