Today’s technology gives ease of access to information anywhere and anytime. Many businesses have staff using personal devices for their “on the go” roles. Does your business have standard operating procedures that dictate these individuals to handle data all in the same way? Are those procedures specifically tailored to keep your company within compliance?
Employees that use their own phone, or tablet, for work purposes may have sensitive data about clients, customers, prospects, suppliers and colleagues. Have you, as a business owner, considered the implication of BYOD on new compliance legislations? A BOYD Policy is an absolute must, providing clear guidelines on who in your organization gets to use their own devices and guidelines for setting restrictions on that device. It’s a give-and-take situation where the employee has the ease-of-use that BYOD brings while giving the employer peace of mind that steps are in place to mitigate risk.
Key Security Features:
– use a strong password, and some form of multi-factor authentication to open your device
– set the device to lock after a certain time
– set data deletion to be performed automatically if an incorrect password is entered too many times, or if the device is inactive for a period of time
– turn on any “find my phone” feature your device has available
– avoid public WiFi as best you can, or at the very least, assess it’s security before joining
– do not download any unknown or untrusted applications
Further to the above “find my phone” option, you’ll want the device to be accessible remotely where data could be deleted on demand in case it is lost, or stolen. Don’t forget to set permanent deletion so data doesn’t just sit in a devices’s waste management system (still accessible to a hacker). Also, as a business owner, you will want to ensure you can remove business data from any device of an ex employee who’s left the company without providing access for removal.
A large part of compliance is data collection and retention. It should be in your BYOD Policy that there should be a time limit on the retention of personal data (unless any legal obligation dictates you keep it for a longer period of time).
One “device” that is often forgotten about is the USB stick. If anyone in your organization uses a USB stick to transfer data, including personal data, it must be fully removed from the device and not simply copied and left to sit. It is also a good idea to encrypt any removable storage devices.
Finally, and most importantly, business owners must ensure (as part of the BYOD policy) that staff understand what constitutes sensitive data and their obligations as caretakers of that data on your behalf.
Do you have your BYOD Policy up to date? Canadian compliance standards require organizations have their policies and procedures documented and available for reporting or review at anytime. Are you ready today?
As the number of devices in the workplace skyrockets, it’s better to embrace these changes with caution than to ignore them entirely. To learn more about BYOD, reach out to us at 604.931.3633.