Putting people at the heart of your IT policy: Five tips to get it right

IT security policies must evolve to embrace sensible policies for bring-your-own-device (BYOD), says Chris Mayers.

Chris Mayers

Recent research has revealed that 74 percent of organisations are already implementing, or plan to implement, bring your own device (BYOD) policies. This, along with a rise in corporate-issued devices across the board, could have profound implications for the security of potentially sensitive data in every sector. With this in mind, it is critical that all firms have a comprehensive IT security policy that employees both understand and adhere to.

Today's highly mobile work environment has pushed productivity beyond the constraints of physical offices, traditional working hours and even corporate-issued devices. Employees increasingly feel they need to be connected all the time and are using their own means to do so.

In response, organisations need to combine policies, procedures and technologies to protect their information assets regardless of where that electronic information is used, accessed or stored. So much of modern IT security depends on written IT policies, yet how many staff actually pay attention to them? And coupled with this, how many IT departments regularly update them to address these ever-evolving issues?

In today's digital era, firms cannot afford to simply leave security policies on the shelf. Technology is evolving and solutions are changing, but how many IT departments are updating their policies at the same pace? Organisations need a set of ground rules that set out expectations and encourage good behaviour. By restricting employees and preventing them from sharing and collaborating, organisations run the risk that their workers will break the rules to reach their goals, for example by using insecure storage or file transfer apps, ultimately leaving the company exposed.

So how can firms ensure their policies keep up with their employees' ever-changing demands? Here are five tips to help your company stay ahead of the curve.

Establish a firm BYOD policy

Whether organisations are prepared or not, employees are increasingly bringing in, and using, their own devices for work, and this can put an organisation's data at risk. Policies must be established that clearly indicate which people are able to use their own devices for business purposes, how responsibilities are allocated and the sensitivity of the data entrusted to their care.

Define what apps / data are permitted for devices

IT policies should specify exactly which apps are permitted or excluded for work use. They must then define what data is accessible – and whether differences apply to corporate or personal devices.

Monitor data usage

Employees must recognise that the ability to use their own device for business purposes is a privilege rather than a right, and one that comes with strings attached: the organisation will need to collect information from the device, monitor software versions and so on, using enterprise mobility management (EMM) solutions. At the same time, firms must accept that they cannot control what employees do on their own devices outside of work use. The arrangement must therefore be governed by an acceptable use policy (AUP) that defines the rights and responsibilities of both employees and the organisation.

Separate personal and corporate data

As part of the acceptable use policy the organisation should explain what information is collected from the employee's device. It should also provide guidance on permitted employee activity on these devices, including access to social media, file sharing resources and web-based personal mail. This is where enterprise mobility management technologies can be strategically applied, to automatically separate work and personal usage on the same device, keeping personal devices personal.

Automate policy control where possible

Of course, the enforcement of these policies should be automated as far as possible, taking advantage of new enterprise mobility management capabilities. This keeps policies relevant to current staff mobile usage and avoids relying on end-user actions. Automation means that short cuts cannot be taken and that insecure means are not used to access sensitive information.
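To show what automated enforcement of the second, third and fifth tips looks like in practice, here is an added example of a small posture-based policy evaluator. It is not Citrix's code or any EMM product's API; the device records, the minimum OS versions, the blocked app identifier `com.example.insecure-sync` and the data classes are all constructed for illustration. Given a device's reported ownership, platform, OS version, enrolment state and installed apps, it returns the data classes the device may reach and the reasons for any denial, so the decision never depends on the user remembering the policy.

```python
"""Posture-based access decision for BYOD and corporate devices (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


# Constructed sample policy. Thresholds, app identifiers and data classes are
# hypothetical; in practice they come from the organisation's AUP and EMM.
@dataclass(frozen=True)
class Policy:
    min_os: dict[str, str]                    # lowest OS version allowed, per platform
    blocked_apps: frozenset[str]              # app identifiers excluded for work use
    data_by_owner: dict[str, frozenset[str]]  # data classes reachable per ownership


DEFAULT_POLICY = Policy(
    min_os={"ios": "16.0", "android": "13"},
    blocked_apps=frozenset({"com.example.insecure-sync"}),  # hypothetical identifier
    data_by_owner={
        "corporate": frozenset({"public", "internal", "confidential"}),
        "personal": frozenset({"public", "internal"}),  # personal devices see less
    },
)


@dataclass
class Device:
    owner: str          # "corporate" or "personal"
    os_name: str        # e.g. "iOS", "Android"
    os_version: str     # as reported by the EMM agent
    enrolled: bool      # managed profile / EMM agent present
    apps: set[str] = field(default_factory=set)


def _version_key(version: str) -> list[int]:
    """Turn '16.1.2' into [16, 1, 2]; a suffix such as '14.1 (beta)' keeps
    its leading digits and the rest is ignored."""
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece.strip())
        parts.append(int(m.group()) if m else 0)
    return parts


def version_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison. Plain string comparison gets this wrong:
    '10.0' < '9.3' is True for strings, which would deny a newer OS."""
    a, b = _version_key(version), _version_key(minimum)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # pad so that '13' equals '13.0'
    b += [0] * (width - len(b))
    return a >= b


def evaluate(device: Device, policy: Policy = DEFAULT_POLICY) -> tuple[set[str], list[str]]:
    """Return (data classes the device may access, reasons for denial).
    Any failed check denies everything; the reasons are what the user should
    be shown, so the policy is understood as well as enforced."""
    reasons: list[str] = []
    if not device.enrolled:
        reasons.append("device is not enrolled in enterprise mobility management")
    minimum = policy.min_os.get(device.os_name.lower())
    if minimum is None:
        reasons.append(f"platform {device.os_name!r} is not permitted")
    elif not version_at_least(device.os_version, minimum):
        reasons.append(f"{device.os_name} {device.os_version} is below minimum {minimum}")
    bad = device.apps & policy.blocked_apps
    if bad:
        reasons.append("excluded apps present: " + ", ".join(sorted(bad)))
    if device.owner not in policy.data_by_owner:
        reasons.append(f"unknown device ownership {device.owner!r}")
    if reasons:
        return set(), reasons
    return set(policy.data_by_owner[device.owner]), []


if __name__ == "__main__":
    sample = [  # constructed inventory records, as an EMM agent might report them
        Device("corporate", "iOS", "17.1", True),
        Device("personal", "iOS", "17.1", True),
        Device("personal", "Android", "12", True, {"com.example.insecure-sync"}),
    ]
    for d in sample:
        allowed, why = evaluate(d)
        print(d.owner, d.os_name, d.os_version, "->", sorted(allowed) or "DENIED", why)
```

The version check is the part worth copying: EMM inventories report OS versions as strings, and comparing them as strings silently treats "10.0" as older than "9.3". Returning the reasons alongside the decision also gives the user something actionable, which is what keeps them from working around the control.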

Final thoughts

We all want our staff to be as productive as possible, yet in the past our security policies have stifled creativity and innovation rather than embracing them. Protecting valuable and sensitive data is, of course, critical to the future of every organisation, and with devices flooding into all levels of business, policies must now more than ever play a key role in safeguarding firms against lost or stolen devices, unsafe apps and cyberattacks. Providing a safe environment for sharing, collaboration and the future ways of working is key, and an evolving IT security policy is central to achieving this.

Contributed by Chris Mayers, chief security architect at Citrix.
