“Developing a Smart Device Security Policy for Remote Work in the Post-Pandemic Era”

The rapid development of smartphones, the general digital transformation promoted by the pandemic and the transition to a hybrid work mode have resulted in the merging of the boundaries of work and personal life.

A few years ago, a large number of office workers started reading e-mails on their computers only on a weekday morning, but now most of the information lives and is easily accessible on a smartphone at any time of the day. You can read e-mails, connect to company meetings, access internal systems and documents. But with greater availability comes greater security risks. Therefore, if data protection is important to the company, it is important to develop and also follow a smart device security policy.

More convenient for the employee or safer for the company?

Enterprises approach smart device management solutions differently. Unfortunately, a very common management model is… not to manage them. But this choice creates unnecessary risks for the company, since the care of the smart device and data storage security is assumed by an employee who may not be knowledgeable enough to weigh the potential data threats and identify the best solutions to prevent them. Therefore, a more reasonable solution is to develop a security management policy for smart devices in cooperation with IT specialists, which includes all aspects from the moment of purchase of the device to its disposal. Thus, both the company itself and its equipment and data are protected. To make it easier to decide on a data management format, we can look at four types of management models. The simplest of them involves a company employee using a personal smart device, or the so-called Bring Your Own Device (BYOD), which can be used to access information necessary for work on a limited scale, such as just reading e-mails or connecting to online meetings. True, this approach causes the biggest headache for the IT support service – each individual user will have a different device, their performance, availability of operating systems and updates, access, etc. will differ.

From a security perspective, a slightly better approach is for the organization to define a list of supported devices, or Choose Your Own Device (CYOD). The employee chooses a smart device from an approved list, which is fully or partially paid for by the company. By narrowing the spectrum of available devices in this way, it is easier to provide IT support and apply simplified, unified security solutions. The golden middle ground between user convenience and company data security is the model in which the device is purchased by the company and given to an employee for use, or Company Owned, Personally Enabled (COPE). In this case, the company retains considerable control over the device, including the ability to define stricter security requirements, but the employee can also use it for their own needs – for calls or various personal apps, the usage policy of which is negotiated within the company. The strictest of all possible policies involves the company’s complete management of the device or Company Owned, Business Only (COBO). For the most part, this type of equipment management is used to secure specific processes, such as warehouse systems, but it is possible that in high-risk companies they are also assigned to the needs of employees. Absolutely no private data or anything else unrelated to specific work solutions ends up on these devices.

Will fix the borders

Each of these approaches has its pros and cons. In order to find the most suitable one for your company, you need to evaluate them from different angles. First of all, it is worth understanding whether the company is ready to pay for employees’ smart devices and their mobile and Internet connection. If devices are purchased for work purposes, it is necessary to determine how they will be managed – in large companies, the IT department will not run after each employee individually, so it is more valuable to implement an automated system, such as the LMT Mobile device management solution.

When assigning smart devices to employees, it is necessary to decide what kind of access they will have in the internal network – whether e-mails, online meeting sites and data storage will be enough, or whether some other special permissions should be created. If the company decides to purchase smart devices for its employees, it is preferable to do so with a well-known, reliable partner, and also to choose smartphones with the latest operating systems as possible. Before purchasing, you should evaluate the company and potential external (laws and regulations) requirements applicable to the devices that may impose restrictions on the origin of the devices.

You should also take into account the expected duration of use of the device and the availability of device updates. Otherwise, you may have to pay for a small financial saving, either with nerves when you fail to use the rights specified in the warranty, or, in the worst case, with the company’s data. Undeniably, a decision must be made about the mobile operator, the available data transmission, as well as the possibility of using or denying the use of VPN solutions. It is also worth considering additional protection – solutions designed especially for mobile devices – so-called firewalls. On the other hand, if you do not want to install a program on every smart device, LMT Internet Guard developed together with CERT.LV works at the network level, which protects against viruses, fraudulent pages and other threats.

Caring for employees’ smart devices continues even after the device has stopped working. There are various directives, regulations and legal acts that determine the procedure for their utilization, including the deletion of data. If an enterprise management solution is selected and the device is properly configured, data can also be deleted from it remotely. This is also useful in cases where the smartphone is lost or stolen. The statistics are not pleasant – 70% of lost devices are not returned to their owners. Therefore, it is important not only to ensure the inaccessibility of data by encrypting the device and turning on various security settings, but also to make backup copies of the data.

The policy on the use of smart devices will vary from company to company, but it is one tool to define the rather blurred lines between employees’ private lives and business interests, while strengthening protection against various threats.