BYOD policies in schools and in the workplace should spell out both acceptable use and misuse of resources. Many students and employees use BYOD devices for personal activities such as Facebook.com, Twitter and Scrabble, and these applications and others are often active during work hours. They not only distract people from doing their jobs, they can also consume considerable network bandwidth, which could negatively impact business-critical applications such as connectivity to the CRM or even VoIP. If you think you are going to see a BYOD savings, you may want to think again.
“Aberdeen Group found that a company with 1,000 mobile devices spends an extra $170,000 per year, on average, when they use a BYOD approach.”
Tracking BYOD Traffic
Network administrators should consider setting up single sign-on for all devices accessing the network, including BYOD devices. They should also be monitoring BYOD traffic with NetFlow. Together, these allow admins to track the username associated with every device accessing the network, and in many cases the traffic, including URLs, is logged. Below is an example of our partnership reporting with Enterasys NetFlow and mIAM exports:
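Separately from the report referenced above, one way to get that per-user view is to join flow records to sign-on sessions by source IP and time. This is an added example, not the author's or Enterasys's code; the record layouts, usernames, hosts and addresses are constructed, and it assumes the flow export includes a destination host.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from any real network).
# SSO sessions: username, device IP, login time, logout time.
SESSIONS = [
    ("alice", "10.1.20.15", "2024-03-04 08:55", "2024-03-04 12:00"),
    ("bob",   "10.1.20.15", "2024-03-04 13:05", "2024-03-04 17:00"),  # same IP reissued by DHCP
    ("carol", "10.1.20.31", "2024-03-04 09:10", "2024-03-04 17:30"),
]
# Flow records: flow start time, source IP, destination host, bytes.
FLOWS = [
    ("2024-03-04 09:30", "10.1.20.15", "crm.example.internal", 4_000_000),
    ("2024-03-04 10:15", "10.1.20.15", "facebook.com",        90_000_000),
    ("2024-03-04 14:20", "10.1.20.15", "facebook.com",        12_000_000),
    ("2024-03-04 11:00", "10.1.20.31", "twitter.com",         30_000_000),
    ("2024-03-04 12:30", "10.1.20.15", "facebook.com",         5_000_000),  # nobody signed in
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def attribute_flows(flows, sessions):
    """Return {username: {dst_host: bytes}} by matching each flow's source IP
    and start time to the SSO session active on that IP at that moment."""
    by_ip = defaultdict(list)
    for user, ip, start, end in sessions:
        by_ip[ip].append((_ts(start), _ts(end), user))
    usage = defaultdict(lambda: defaultdict(int))
    for when, src_ip, dst_host, nbytes in flows:
        t = _ts(when)
        # An IP alone is not an identity: pick the session covering this instant.
        user = next((u for s, e, u in by_ip[src_ip] if s <= t < e), "(unattributed)")
        usage[user][dst_host] += nbytes
    return usage

def bytes_to(usage, hosts):
    """Total bytes per user sent to the given set of destination hosts."""
    return {u: sum(b for h, b in per.items() if h in hosts) for u, per in usage.items()}

if __name__ == "__main__":
    usage = attribute_flows(FLOWS, SESSIONS)
    for user, total in sorted(bytes_to(usage, {"facebook.com", "twitter.com"}).items()):
        print(f"{user:15s} {total / 1e6:8.1f} MB to social media")
```

Flows that match no active session land under `(unattributed)`, which is the bucket to review for devices that bypassed sign-on.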
BYOD Could Spread Malware
Because antivirus software is not yet readily available for many smartphones, administrators should consider deploying firewalls and IPS appliances on the internal network. Although this investment will certainly add layers of security that help reduce the school or company’s risk, education is by far the best tactic against the introduction of malware. One place to start is a discussion on how social media can cause infections.
Use of social media at work can pose security risks to the organization’s intellectual property through an individual’s personal communication habits (e.g. clicking on poisoned URLs). If these malicious URLs are clicked on a BYOD device, the device could become infected and spread the malware inside the network.
BYOD Acceptable Use Policy
Situations like the above are why the network acceptable use policy is an issue that has been discussed in just about every HR department. It’s a serious subject that must be dealt with as ignoring the issue can lead to internet abuse.
An acceptable use policy needs to outline what warnings should be given out. If you have ever dealt with our legal system, you know that you must have a paper trail prior to taking corrective action. Some organizations lay out what ‘may’ happen:
- restricted access or loss of access to the University Network;
- disciplinary actions against personnel and students associated with the University,
- termination and/or expulsion from the University, and
- civil and/or criminal liability
Depending on the venue, the above may be a bit too vague. Subjective consequences can lead to loopholes if an issue should escalate to litigation. Some businesses or schools may want to consider something like the following:
- 1st Violation: verbal warning and notification to manager
- 2nd Violation: written warning and notification to manager
- 3rd Violation: written warning and notification to manager
- 4th Violation: termination
Network management software shouldn’t be expected to do all of the heavy lifting when it comes to BYOD and mIAM. Personally I’m a fan of not blocking anything and encouraging employees to be responsible with the company’s internet connection and IT resources. If the consequences are clear and enforced, most responsible people will play by the rules and behave responsibly.