RWS_Q4_22

tics (age, operating system, hardware, etc.). Lastly, there’s the issue of software licensing. Many enterprise software license agreements require companies to maintain administrative control over the devices to which that software is licensed. Even if that requirement is not in each agreement, installing licensed software on an employee’s personal device increases the likelihood they violate another use term of the license agreement (e.g., geofenced access).

Of course, in certain circumstances it might be all right to allow employees to use personal devices, even preferred, but those come mainly out of necessity, such as a small- or medium-sized employer (SMB) that does not have the budget to provide work devices for all employees, said Sami Mäkiniemelä, chief security officer for Miradore. In those situations, employees should use identity verification tools (such as two-factor authentication) to access company software and only have the minimum necessary access to company information. And, BYOD policies should be implemented carefully and alongside the proper device administration software to ensure company data and infrastructure stay secure, Miradore states.

Even so, Mäkiniemelä acknowledged that ensuring monitoring of endpoints on an employee-owned device can be “a somewhat thorny” issue for companies. “Reasonable people can disagree about the degree to which it is appropriate for employers to restrict the usage of an employee-owned device; however, most will readily agree that managing employee-owned devices is never the ideal option,” he explained.

Mäkiniemelä suggests the best possible solution is to adopt a “choose-your-own-device” policy. Unlike a “bring-your-own-device” policy, employees are not using personal devices. Instead, the company provides employees – upon hiring – with a list of computers and mobile devices from which they can select the products they would use.
Choose-your-own devices are owned and managed by the employer, but the employee is allowed to use the devices for work and personal needs. This model lessens the burden on IT staff by decreasing the number of devices it needs to support and allows the staff to automate certain maintenance/security tasks through mobile device management software. At the same time, it allows employees the flexibility to choose the device that works best for them.

Policy Clarity

However, if the use of personal devices is necessary, Mäkiniemelä said the first step is to write a clear, acceptable and robust policy that governs acceptable use, network access/security, device monitoring and technical support procedures for these devices and to establish what data/permissions the employee is required to provide to the company to assess productivity, device security, etc.

“Without policies like these in place, employees won’t have the direction they need to appropriately separate work and personal use of their devices, and it potentially opens the employer up to productivity, cybersecurity, compliance and legal issues,” Mäkiniemelä said.

“However, writing policy for policy’s sake is not an effective use of time. Companies need to develop systems to ensure policies are realistic, reflecting current best practices, and are enforceable,” he said. “Once developed, employers should also invest significant effort into making sure all employees understand their obligations under these policies.”

Miradore suggests employers writing such a company policy may want to include:

A list of permitted devices. To ensure the company can provide technical support and that devices are compatible with key software, the company should maintain a list of permitted work devices. For example, if the company regularly uses software only available on machines running Microsoft Windows, employees should only be allowed to use Windows devices for work.

A list of permitted (or prohibited) applications.
Some pieces of software can pose a serious security risk if installed on a device used for work purposes (remote access software, keyloggers, etc.). To get ahead of this, companies should consider creating a software blocklist or allow list that employees must agree to follow as a term of their employment agreement.

Data ownership. To mitigate the risk of potential intellectual property disputes, the company should outline clearly who owns the work data stored on each employee’s device.

Security standards. To ensure company data and infrastructure remain secure, employers should outline their expectations for each employee’s cybersecurity practices. At a minimum, this policy should include minimum requirements for password length and complexity, two-factor authentication use and device inactivity screen lock timing.

Privacy disclosures. To mitigate the risk of employees claiming the company violated their privacy, all employee monitoring activity should be clearly and explicitly disclosed in a written policy. This helps protect the company from liability, helps employees feel like their privacy is being respected and helps IT managers understand what constitutes appropriate employee activity monitoring.

Costs. Whether the employee is using personal or company devices to complete work tasks, the policy should outline clearly who is responsible for any costs associated with the device (cell service plans, maintenance/repair, etc.) to streamline account processes when these costs are incurred.

Separation of Work, Personal Info

If an employee is using a personal device for work, the company should refrain from tapping into access to the employee’s private information such as visited websites, phone calls or messages, Mäkiniemelä said.

27 REMOTE WORK SOLUTIONS rwsmagazine.com
