This is the SECOND blog in our series discussing Effective IT Asset Management during COVID-19. Our first blog explained how to Manage the Productivity of Your Remote Workforce, while this article outlines the steps you should take to secure your remote workforce during and after the COVID pandemic. In the final article in this series, we will explain a few of the best practices that you should follow to Position Your Company for Global Resilience.
COVID-19 radically changed the way we do business. Things that used to be absolutely prohibited in the workplace have now become acceptable and nearly normal. More employees are taking advantage of their company’s Bring Your Own Device (BYOD) policy, which allows them to use personal devices to access enterprise data and systems—from inside the office or anywhere around the world. If you stop to think about the implications of this policy, the experience can be mind-boggling.
Companies of every size are entrusting employees who may know little or nothing about cybersecurity threats and mitigation strategies to find and implement the most appropriate defenses to monitor and protect their own personal computing devices. Employees are now tasked with installing the right tools, configuring them to balance usability against security, and maintaining their own equipment in the face of an ever-changing world of vulnerabilities and cyberattacks. As a business leader, you might be asking yourself, “What can I do to mitigate some of the risks associated with BYOD?”
The answer is twofold. From the human resources side of the equation, you should implement security awareness training, which links back to your organization’s security culture. From a technical perspective, you should dedicate a team to monitor, test, and validate that your BYOD policies are being followed and that your controls are working.
Employees are your first line of defense against cyberthreats. Training them on cybersecurity best practices creates a culture of accountability and ensures that your security policies protect your company from human errors and from vulnerabilities commonly found in business applications such as Microsoft Office and Adobe Flash. The fact is that Office 365 applications come with some inherent vulnerabilities—especially when system administrators do not follow proper security measures and rely entirely on non-Office 365-specific security solutions for protection. Given proper training, all your employees should be able to understand the concept of inherent vulnerabilities, identify phishing schemes, recognize when and where malware might be running, and help your IT team thwart these and other types of cyberattacks.
The second part of the solution is to implement an effective IT Asset Management system that wraps some controls around your BYOD policy. The process of gathering information about every device (i.e., asset) that has the privilege of connecting to your company’s systems and accessing your data from local and remote locations is critical to effectively managing your organization’s cybersecurity. According to Tom Scholtz, Distinguished VP Analyst, Gartner,
“The objective is to provide an ecosystem that balances the imperative to protect the enterprise with the need to adopt innovative, risky new technology approaches to remain competitive.”
Companies are becoming less concerned about the cost of their assets and more interested in tracking the information that each asset contains—along with the access it gives their employees. ITAM information is critical not only for keeping track of your company’s assets, but also for helping your IT team enforce your company’s BYOD rules. When executed correctly, the benefits of a corporate BYOD policy far outweigh the potential risks. Employees feel more comfortable and productive working on familiar devices, and BYOD cuts down on your company’s hardware and software costs. ChangeGear data, for example, remains safely stored behind your institutional firewall protection while providing remote users access through the user portal. The following steps will help you secure your remote workforce now and keep it protected in the future:
STEP 1 – Define Acceptable Use Guidelines
Acceptable use policies help prevent viruses, trojans, and malware from entering your system through unsecured websites and applications. At a minimum, you should discuss the following questions with your IT Director so they can define acceptable use policies:
- What applications are employees permitted to access from their personal devices?
- What types of websites are your employees banned from accessing while their personal devices are connected to your corporate network?
- What company-owned systems and files are employees allowed to access using their personal devices? For example, emails and calendars may be permitted, but access to confidential documents may be restricted.
- What other policies are important to your business? Make sure to clearly mark your boundaries so there are no gray areas.
STEP 2 – Establish Security Policies for All Devices
Before you give employees the freedom to access your company’s resources from anywhere in the world, you need to establish some ground rules. Users tend to resist complicated passwords and screen locks because they are inconvenient. But unsecured devices can expose your sensitive data to malicious attacks. At a bare minimum, your BYOD policy should include the following security guidelines:
- Data encryption should be enabled on home networks, and the use of public networks should be prohibited unless the connection is tunneled through a VPN.
- Establish a continuous process improvement policy to review and implement modern encryption technologies such as homomorphic encryption. For more information, read how IBM Makes Encryption Paradox Practical - IEEE Spectrum.
- Strong alphanumeric passwords should be used for all laptop computers, smartphones, and tablets. Desktop computers should follow the same rule, even though they are less likely to be compromised while sitting on your employee’s desk at home.
- Decide where your company’s valuable data will be stored. On a BYOD’s local hard drive, cloud storage, USB drive, or somewhere else? What types of files, if any, are permitted to be stored locally?
- Inactivity timeout controls should be put in place, so that devices are automatically locked after sitting idle for a certain amount of time.
- Nowadays, running an antivirus security application is a must. Will you require employees to install your specific security application, or will they be allowed to choose and implement their own solution so long as it meets your criteria?
Your security policies should be built around the guidelines and compliance requirements for your industry and business size. For example, well-established healthcare or finance companies that routinely store sensitive data will have far more restrictions than a small startup company.
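The guidelines above describe what a compliant device looks like, and Step 4 below argues that the device inventory is where such information belongs. The following added example (written for this article; it is not ChangeGear or SunView code) shows how an ITAM-style inventory record for each device could be evaluated against those guidelines to produce a per-device list of violations. The inventory records, the antivirus product names, and the thresholds (a 12-character alphanumeric minimum, a 10-minute idle lock, and 7-day-old antivirus definitions) are constructed assumptions, not values from the article; the device reports only password properties, never the password itself.

```python
"""Evaluate constructed BYOD inventory records against a written device policy."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ByodPolicy:
    """Thresholds are illustrative assumptions, not values from the article."""
    min_password_length: int = 12           # assumed minimum for "strong alphanumeric"
    max_idle_minutes: int = 10              # assumed inactivity lock threshold
    max_av_definition_age_days: int = 7     # assumed freshness requirement
    # Hypothetical approved antivirus product names.
    approved_av: FrozenSet[str] = frozenset({"CorpDefender", "AcmeAV"})
    # Data categories the policy permits on the device's local storage.
    allowed_local_categories: FrozenSet[str] = frozenset({"email", "calendar"})


def password_is_strong(pw_summary: Dict, policy: ByodPolicy) -> bool:
    """The device reports only password properties (length, character classes)."""
    return (pw_summary.get("length", 0) >= policy.min_password_length
            and bool(pw_summary.get("has_letters", False))
            and bool(pw_summary.get("has_digits", False)))


def evaluate_device(device: Dict, policy: ByodPolicy, today: date) -> List[str]:
    """Return a list of policy violations for one inventory record (empty = compliant)."""
    findings: List[str] = []
    if not device.get("disk_encrypted"):
        findings.append("disk encryption disabled")
    if not password_is_strong(device.get("password", {}), policy):
        findings.append(f"password weaker than {policy.min_password_length}-char alphanumeric minimum")
    idle: Optional[int] = device.get("idle_lock_minutes")
    if idle is None or idle > policy.max_idle_minutes:
        findings.append(f"inactivity lock missing or longer than {policy.max_idle_minutes} min")
    av = device.get("antivirus")
    if not av or av.get("product") not in policy.approved_av:
        findings.append("no approved antivirus installed")
    else:
        age = today - av["definitions_date"]
        if age > timedelta(days=policy.max_av_definition_age_days):
            findings.append(f"antivirus definitions {age.days} days old")
    # Local storage: anything outside the allowed categories is a violation.
    disallowed = sorted(set(device.get("local_data_categories", [])) - policy.allowed_local_categories)
    if disallowed:
        findings.append("disallowed data stored locally: " + ", ".join(disallowed))
    # Public networks are only acceptable through a VPN.
    if device.get("network") == "public" and not device.get("vpn_active"):
        findings.append("connected from public network without VPN")
    return findings


def compliance_report(inventory: List[Dict], policy: ByodPolicy, today: date) -> Dict[str, List[str]]:
    """Map each device id to its list of findings."""
    return {d["device_id"]: evaluate_device(d, policy, today) for d in inventory}


# Constructed sample inventory records (not real devices).
TODAY = date(2020, 9, 1)
SAMPLE_INVENTORY = [
    {"device_id": "laptop-001", "owner": "alice", "disk_encrypted": True,
     "password": {"length": 14, "has_letters": True, "has_digits": True},
     "idle_lock_minutes": 5,
     "antivirus": {"product": "CorpDefender", "definitions_date": date(2020, 8, 30)},
     "local_data_categories": ["email", "calendar"],
     "network": "home", "vpn_active": False},
    {"device_id": "phone-002", "owner": "bob", "disk_encrypted": False,
     "password": {"length": 6, "has_letters": False, "has_digits": True},
     "idle_lock_minutes": 30,
     "antivirus": None,
     "local_data_categories": ["email", "confidential_docs"],
     "network": "public", "vpn_active": False},
    {"device_id": "tablet-003", "owner": "carol", "disk_encrypted": True,
     "password": {"length": 12, "has_letters": True, "has_digits": True},
     "idle_lock_minutes": 10,
     "antivirus": {"product": "AcmeAV", "definitions_date": date(2020, 8, 1)},
     "local_data_categories": [],
     "network": "public", "vpn_active": True},
]

if __name__ == "__main__":
    for dev, findings in compliance_report(SAMPLE_INVENTORY, ByodPolicy(), TODAY).items():
        print(f"{dev}: {'compliant' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

Each guideline becomes one check with its own finding text, so the report tells the IT team which rule a device breaks rather than only that it is non-compliant. The policy object is the place to tighten thresholds for regulated industries, as the paragraph above suggests, without touching the evaluation logic.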
STEP 3 – Communicate Your BYOD Policy to All Employees and Contractors
The key to getting your employees onboard with your BYOD policies is building a trusting relationship through honest and detailed communications. Let your employees know exactly what is acceptable and what is not. Keep in mind that balance is important. Setting too many restrictions can make your employees feel like you are infringing on their personal freedoms, while a weak BYOD policy will put your company at risk.
BYOD policies are only successful if the people using them understand and abide by the rules. A successful BYOD training program can mean the difference between developing a productive workforce and you having to explain a data breach to your Board of Directors. The best way to avoid the latter situation is to clearly communicate your policies through ongoing employee security training.
Make sure all your employees sign an agreement acknowledging that they have read and understand your BYOD policy. This will protect you and your company from liabilities associated with employees who engage in illegal or inappropriate behavior using their BYOD devices.
STEP 4 – Leverage the Power of IT Asset Management (ITAM)
The sudden and unplanned need for a large percentage of your company’s employees to start working from home puts extreme pressure on your IT department in various ways:
- Processes fall by the wayside. They are either not followed at all, or loosely followed, so employees can “just get the job done” as fast as possible. As a business leader, this is a risk management decision: if you put too much pressure on your organization to move fast, process adherence will suffer. But traditional processes do not always support unplanned changes and may need to be refreshed anyway.
- One of the direct results of an abandoned process is under-licensed software. Giving people quick access to software and sorting out the licenses “later” is one of the most common approaches (mistakes) that IT teams make during a crisis. Unfortunately, “later” rarely comes and the issue of using software illegally never resolves itself.
- Companies also experience over-licensing issues, as the need for specialized software applications spikes during times of crises. Remote workers suddenly need immediate access to programs like Zoom, WebEx, and Microsoft Teams, which forces companies to buy more licenses without having enough time to evaluate their actual long-term requirements.
- As a result of the issues listed above, IT departments almost always fall into the “licensing trap.” Citrix and/or Remote Desktop Services (RDS) are the easiest way to quickly give everyone access to software, but also the easiest way to become non-compliant with many software vendors. Companies end up paying extra money for licenses that they do not need or use, or they get stuck with a huge bill for incorrect usage of software hosted on centralized servers. Microsoft Office hosted on a Citrix server is just one example of a “licensing trap,” but other big-name vendors have similar rules and penalties.
SunView Software’s ChangeGear Asset Management module was designed to help everyone in your company gain a deeper understanding of your organization’s tangible and intangible assets across their lifecycles. Its advanced capabilities can be used to manage valuable company assets such as computer hardware, vehicles, electric generators, artwork, and just about anything else that your company owns. Important attributes including an asset’s value, depreciation, warranty, contract status, Software as a Service (SaaS) subscription information, and more are all monitored in real-time, keeping your entire organization up to date on the status of the assets that your employees are interested in.
ChangeGear’s Asset Management module includes built-in auto-discovery, dependency mapping, and configuration auditing that allow organizations to easily manage their entire virtual and physical infrastructure. Your IT department can rapidly deploy and utilize ChangeGear’s Resource Discovery Expert (RDE) to map and manage critical resources such as business services, hardware, software, licenses, users, documentation, and configuration information within one federated database—a system in which several databases appear to function as a single entity.
STEP 5 – Set Up an Employee Exit Plan
At one point or another, employees with devices connected to your BYOD network will end up leaving your company. Failure to remove their access to company networks and data can lead to major security issues down the line. Make a BYOD exit checklist part of your exit interview process. Did your IT department:
- Disable the ex-employee’s access to company email accounts and all other company-owned systems?
- Change the passwords for the ex-employee’s company-wide accounts that cannot be disabled?
- Purge all the data that was stored in the ex-employee’s disabled accounts (unless that data needs to be retained for legal purposes)?
- Properly clean and sanitize the ex-employee’s company-owned equipment to remove dust, debris, mold, germs, COVID-19, and other contaminants?
With the onset of COVID-19, BYOD has become an unavoidable necessity for your business to continue operating. A well-written and well-communicated BYOD policy that covers all the bases can empower your employees to work more productively, feel more fulfilled while doing their assigned work, and prevent costly data breaches and malicious attacks from damaging your organization.
Gartner (2020). Rethink the Security and Risk Strategy. Retrieved from https://www.gartner.com/en/publications/rethink-security-risk-strategy-ebook-pd.html