Q: I recently signed on a new customer, and many of their employees work remotely. They brought me on to support their servers, PCs, and some corporate laptops, but I know their employees are using other tablets and mobile devices to access corporate information. With so many of their employees accessing data remotely, how can I protect them properly? How do I account for remote and likely unsecure access to the server and networks?
From what it sounds like, this customer doesn’t have a strategy for supporting BYOD (Bring Your Own Device) policies. While this is unsettling, it also opens up a promising opportunity for your MSP business to step in as their advisor and implement the necessary policies to support their remote workforce.
BYOD has become a hot topic for small businesses and IT service providers in recent years as more and more employees are using their personal devices to access work files. In fact, a recent Forbes article notes that 85 percent of employees working remotely use a mobile device for work purposes. It’s even something we’ve had to account for. That’s why we sat down with Scott Graham, the VP of IT & Operations at Intronis MSP Solutions, to find out how he created and supports BYOD policies for employees.
Here are Scott’s tips for MSPs looking to support customers with remote employees:
1. Centralize corporate data
MSPs can protect their customers from a data breach by centralizing each customer’s corporate information. Having a central repository for storing the data, on a shared network for example, will make it easier for you to manage the exchange of information. From there, you can set restrictions on which people or departments within the organization can access the data. I also recommend setting up the network so the data is readable but can’t be copied down to the local level. This will prevent employees from saving the information on their personal devices but still allow them to access it remotely.
There’s software available that allows you to control who has access to the data, and a number of services offer a secure mobile platform for businesses. Intronis ECHOshare, for example, lets end users securely sync and share data on their mobile devices and allows MSPs to manage restrictions, password protect files, and set expiration dates on shared projects.
2. Create a formal policy
Given the many risks associated with supporting BYOD policies, you need to document clearly defined rules and procedures for employees to follow. If there isn’t a formal policy, you risk having an employee make a critical mistake and the company potentially facing legal ramifications.
When you create a company-wide BYOD policy, keep in mind that you cannot support every device imaginable. If you try to support all types of smartphones, tablets, smartwatches, etc., you can’t guarantee you’ll get the results you want. There are far too many devices out there to support them all, so look at it in terms of what software tools you can support.
First, outline the product types you support. For example, note that employees can use any Apple or Android device that supports Microsoft Exchange up to a certain level. Then, define the specific plug-ins you support for Apple and Android products. As you define these standards, take into account industry regulations like HIPAA and SOX controls that require you to have a process for handling situations like lost or stolen devices.
3. Communicate the policy to employees
In my experience managing corporate IT departments, I always prefer to have open communication about IT policies with employees from their first day on the job to their last. An important part of this is having each employee fully understand the policy. It’s a good idea to offer training on security best practices and seminars on what could expose their personal information and the company’s information. If the policy is made clear to all employees, they will know to alert IT if they notice their smartphone powering on randomly or the microphone turning on, which are symptoms of spyware operating on their phone and pose a huge risk.
As a best practice, have all new employees sign a contract on their first day once they receive their company laptop. On their last day, have the employee sign back over the machine. This process ensures that there’s a full line of ownership for each machine or device used internally.
4. Deploy software with remote wipe capability
Another risk you need to account for is a situation where an employee loses their smartphone or tablet. If they’ve previously accessed corporate information on their phone, such as syncing their work email to their phone, it could present an issue. Ray Potter, CEO of SafeLogic commented in a CIO.com article, “A careless worker who forgets [his] unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor.” This happens more often than you’d think, and that’s why you need to have a policy in place to make sure it’s managed properly.
If you deploy software on employees’ devices that has remote wipe capabilities, you can prevent sensitive information from being exposed. In order to send a wipe command to the device, you first need the employee to tell you they’ve lost their phone. Make it a requirement for employees to notify management of a lost or stolen device in your BYOD policy so you can act fast. Communicate this notification process to each employee and make sure it’s understood across the company.
Following Scott’s four steps, your customer’s employees will have a clear idea of what you support and the risks associated with accessing their work remotely. As you begin to implement BYOD policies across more of your customers, tailor the devices and software you support to their needs and requirements.
Ask an MSP Expert is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between.