A growing number of businesses and other organizations are allowing, encouraging, or even requiring employees to use their own personal devices such as tablet computers and smart phones at work. This strategy lowers capital costs for the business and provides a positive benefit to employees since in many cases they end up carrying fewer devices, instead of a personal smart phone and one that belongs to the business; they simply carry the former. The state of Delaware has been at the forefront of the trend toward this model. "We're thankful that we were able to get out a little bit in front of it," commented Elayne Starkey, who serves the state as its chief security officer.
Starkey cautions, however, that strict controls are needed to keep personal devices from compromising the security that exists on the computer networks that are owned and controlled by the state. Starkey specifically recommended several security controls that could be implemented as part of a managed programs model of IT support.1. Strong passwords
Many employees had already secured their devices with a personal password, but a simple 4-digit code is far from secure enough to make the devices appropriate for use on government networks that contain literally thousands of files filled with personal information. A strong password system, centrally managed through a managed programs approach, would require longer passwords that contain combinations of lower and upper case letters, numbers, and typographical symbols.2. Timeouts for inactivity
Lost phones that are logged onto a cloud services site are a potential security hole. Phones in Delaware are therefore set up with an automatic timeout when they become inactive. This helps to make sure that when phones are found by strangers, they are no longer connected to state systems.3. Remote wiping
An even stronger security protocol for lost devices is the ability to wipe their memories remotely so that even a dedicated hacker would find them worthless as an intrusion tool.