
Why Your BYOD Policy Must Evolve

Blog post by Charles McColgan, Sep 5 2012

I was recently talking with the CISO of a very large technology company about their BYOD policy. Apparently, for years the policy at the company had been grounded in the academic roots of the original founders, where folks could bring their own devices to work and hook them up to the corporate network. He had recently taken over as CISO and was planning on changing this so folks couldn't bring their own devices. He knew he was going to have an uphill battle, but with the ever-growing threat landscape, having such an open BYOD policy didn't make sense.

In my own career I've worked at major technology companies, and in these cases the BYOD policy only extended to smartphones. Corporate security wasn't wild about the BYOD policy with smartphones, but the users were demanding it, and having users connected to the corporate unified communications system was a big boon for productivity, so that knowledge workers could always be connected to work via email, calendaring and chat.

This is an area that is evolving rapidly, but CISOs must be very cautious. Losing control over the corporate desktop will open corporate networks to botnets and other forms of attack that we can only imagine today.

So what should the CISOs and CIOs of the world do? Well, they need to have some clear policies first, as just letting anyone connect to the corporate network would be chaos. Some good policies that I've seen and have put in place myself:

1. Classify your corporate data. If you don't know what sort of data or resources you're trying to protect, or where that data is, BYOD is a really bad idea. Have at least three types of data classification:

  • High Importance Business Data "HIBD" (Finance, HR, IP)
  • Medium Importance Business Data "MIBD" (most corporate email, most corporate policies, employee-facing HR policies)
  • Low Importance Business Data "LIBD" (sales and marketing literature, documentation, etc.)

2. Have zones of security

  • Once you know where your data is, you can then have a BYOD policy. Perhaps BYOD is OK for MIBD and LIBD but not HIBD. You'll need to come up with what you think is right.
  • Even if you decide only LIBD is OK for BYOD, this may still be good, since it could be that 80% of your employees deal with LIBD alone.

3. Define the resources BYOD users may connect to, and allow only those, for example:

  • Email
  • SIP / VoIP resources
  • Corporate chat
  • Some level of corporate Intranet

Basically, what CIOs and CISOs need to make sure of is that they have a policy. You don't want just any device connected to your corporate network, and the devices you do allow to connect must sit in a zone that only has access to data you feel comfortable with them accessing.

Know where your critical corporate data is and protect it!

Discussion
skovsky
Steve Kovsky | Oct 15 2012

Words to live by, Charles: "Know where your critical corporate data is and protect it!" Thanks for sharing this.

pcalento
Paul Calento | Sep 6 2012

One challenge of lock-down is that it needs to reflect the "culture of security" already in place. Looks like your CISO client has an uphill battle. Then again, it's all in the execution, weighing the needs of the individual against the needs of the (changing) organization.