Information Security

  • 1.  How do you handle employees using personal devices for business purposes.

    This message was posted by a user wishing to remain anonymous
    Posted 08-24-2022 04:46 PM

    We have a BYOD policy which states (I'm paraphrasing) employees should make a reasonable effort to keep work related communications and information separate from personal information, including voice, text messages, photos, and document images. Customers and prospects are encouraged to send work related communications to the employee's work email or phone number, etc.

    So, my questions are: Do you provide employees with a work cell phone? If you do, how do you enforce compliance with your BYOD policy? We all know that customers tend to bank with us because they know the bank employee personally. So, if the customer/prospect is going to call or text, it will be to the employee's personal phone number. How do you prevent that from happening? Do you ever lose employees because they don't want to carry two cell phones (work and personal)?

    I know there are a lot of other compliance and information security issues to consider if an employee uses their personal device for work purposes. That's not what I'm asking.

    Thank you!



  • 2.  RE: How do you handle employees using personal devices for business purposes.

    Posted 08-24-2022 05:45 PM
    We are moving from BYOD to a Corporate Cellphone plan.
    I posted the logic along these lines in a different thread, as there was a discussion about using "free" apps like WhatsApp to communicate with customers. Such a bad idea for many reasons.

    In your BYOD, do you also provide a reimbursement for employees using personal cellphones for work? We did. So under a Corporate plan, it saves us money. The stipend was $85... with a Corp plan I cut that cost by over half... :-)

    But you also need to consider DLP solutions; and if you force in a BYOD the use of a sandbox for Corporate Apps you can kinda secure and control data. However, if the cellphones are used as part of your Salesforce, you want to and need to control the phone number as well. With turnover you want to redirect the former employee's phone number to the replacement staff member or the boss; even if just temporary. The relationship belongs to the Company, not the individual.

    I've carried two phones for work in the past; not thrilling, but I could also leave the work phone on my desk at my home office. In some ways better work-life balance. But you'll likely find employees end up giving up the personal phone and just use the company phone. Many see it as a benefit. You can still sandbox the Company Apps for better security controls. But now if you need to, you can brick the phone if necessary.

    I highly encourage a corporate cell phone and only BYOD on an exception basis to be used rarely; and never for the Sales team...

    ------------------------------
    Bradley Martin
    ------------------------------



  • 3.  RE: How do you handle employees using personal devices for business purposes.

    This message was posted by a user wishing to remain anonymous
    Posted 08-25-2022 08:51 AM

    Thanks for your response, Bradley. We have also discussed a Corporate plan, but that still doesn't solve the issue of employees using their personal devices for business purposes. How do you plan to enforce the Corporate plan?


  • 4.  RE: How do you handle employees using personal devices for business purposes.

    This message was posted by a user wishing to remain anonymous
    Posted 08-25-2022 12:50 PM

    Bradley is not alone with a "Corporate Plan". He is firmly in the majority. Most CISOs insist upon it. How to enforce "don't use personal devices"? Most companies use an attestation as part of any annual review of corporate policies required of their employees. Some are general: "I attest that I will follow all company policies and procedures." Some use specific attestations to cover sensitive/important items (like this one) and nevertheless also include the catch-all. The penalty for violation tends to be "up to and including termination".

    Reality is that you cannot prevent the use of personal devices for business purposes. That creates a residual risk that most companies address as described above.


  • 5.  RE: How do you handle employees using personal devices for business purposes.

    This message was posted by a user wishing to remain anonymous
    Posted 08-25-2022 01:48 PM

    Bradley is dead right that the trend is back to corporate phones and plans. Our bank does allow BYOD, but the phone must have all required bank security software installed and adhere to bank password policies (basically, the employee's phone becomes a bank phone with the exception that we allow them to load their personal apps and access personal emails outside of the bank's container). All bank applications are in a corporate container, thus work and personal information is segregated and all work-related applications go through bank encryption and servers. The BYOD employees must also authorize the bank to remotely wipe the phone should it be lost or missing. We also make all employees certify annually as to the appropriate business usage of work email, internet, and cellphones. We have not lost any employees when we rolled out BYOD, and in fact, the employees who did not want to carry two phones were grateful for this option (despite the related hassles) while others just kept using two phones. Surprisingly, not many employees took part in BYOD even though the bank reimbursed a set amount of cellphone bills every month. So to us, it was a win-win policy. Lesson for us was that employees complain and want the option, but not many actually took advantage of this option.


  • 6.  RE: How do you handle employees using personal devices for business purposes.

    Posted 08-25-2022 02:56 PM
    As Anon stated, we use an attestation/policy approach.
    Managers will also be looking at email signatures and business card printing to ensure the Corp Phone number is being used, not the personal number. (In fact, when ordering business cards, we auto-populate from AD information.)

    Very good feedback in the thread. :-) 
    Thanks!

    ------------------------------
    Bradley Martin
    ------------------------------