Volunteer Week in the UK is a great time to reflect on the invaluable contributions of volunteers in the not-for-profit sector. As an IT Managed Service Provider, we understand the unique challenges that come with managing and supporting devices used by volunteers. These are often personal laptops and phones which can pose significant security risks if not properly managed.
Here, we provide practical advice, security controls, conditional access rules, and IT policy guidance to help charities effectively manage personal devices used by volunteers.
Practical Advice
- Implement a Bring Your Own Device (BYOD) Policy: Establish a clear BYOD policy that outlines the expectations and responsibilities of volunteers using their personal devices. This policy should cover acceptable use, security requirements (for example, ensuring devices are kept up to date, require a password to log on, and have antivirus installed), the consequences of non-compliance, and IT’s right to remove corporate data from the device if needed.
- Provide Training and Support: Volunteers may have a lower IT skillset, so it is important to offer basic training sessions on security best practices, such as recognising phishing attempts, using strong passwords, and updating software regularly. Ensure that volunteers know how to access IT support when needed. Smartdesc also offers free Microsoft 365 training.
- Use Mobile Device Management (MDM) Solutions: Implement an MDM solution such as Microsoft Intune to manage and secure personal devices. MDM allows you to enforce security policies, remotely wipe corporate data if a device is lost or stolen, and ensure that devices are compliant with your security standards. Intune is included in most Microsoft 365 licences, such as Business Premium and E3. If you would like licence advice, please get in touch.
Security Controls
- Data Encryption: Ensure that all personal devices used by volunteers have disk encryption enabled. This protects sensitive data if the device is lost or stolen. Microsoft BitLocker is included in most licence types and covers this on Windows devices.
- Multi-Factor Authentication (MFA): Require MFA for accessing charity systems and data such as your CRM. This adds an extra layer of security by requiring volunteers to provide two or more verification factors to gain access.
- Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities in your IT infrastructure. This includes reviewing access logs, checking for outdated software, and ensuring compliance with security policies. We can help run vulnerability tests on your web applications and penetration tests on your IT estate.
Conditional Access
Conditional Access is a subset of security controls that lets you define conditions a user and device must meet before they are allowed to connect. Again, Conditional Access is included in most Microsoft licences; the policies just need configuring to a best practice state. Here are a few examples:
- Device Compliance: Set conditional access rules that require devices to meet specific compliance criteria (e.g. device must be up to date, not running an unsupported operating system) before accessing your resources. This can include having the latest security updates, encryption enabled, and a passcode or PIN set too.
- Location-Based Access: Restrict access to sensitive data based on the location of the device. For example, only allow access from within the UK or specific trusted locations.
- Application Whitelisting: Implement application whitelisting to ensure that only approved applications can be installed and run on personal devices. This helps prevent malware and unauthorised software from compromising the device.
Microsoft Intune: Non-Intrusive Device Management
Microsoft Intune is a powerful tool for managing personal devices in a non-intrusive manner. It allows charities to maintain control over their data and applications without compromising the privacy of volunteers. Here’s how Intune can help:
- Seamless Enrolment: Intune offers a variety of enrolment methods that are designed to be user-friendly and non-intrusive. Volunteers can easily enrol their personal devices through a simple process that does not require extensive technical knowledge. This ensures that the enrolment process is smooth and does not disrupt the volunteer’s activities.
- Personal and Corporate Data Separation: Intune allows for the creation of separate profiles for personal and corporate data on the same device. This means that volunteers can use their personal devices for charity work without worrying about their personal data being accessed or monitored by the charity. Corporate data is sandboxed and cannot be synced offline, ensuring that it remains secure.
- Block Downloads: Intune works with conditional access policies that can be tailored to different scenarios. For example, a policy might allow full access to corporate resources on managed devices, while on personal devices it restricts access to web-based applications only, with no ability to download your data to the personal device. This helps prevent data leakage and ensures that sensitive information is only accessible through secure channels.
- Remote Management and Security: Intune provides the capability to remotely manage and secure personal devices. This includes the ability to enforce security policies, deploy applications, and remotely wipe corporate data if a device is lost or stolen. Volunteers can rest assured that their personal data remains untouched while the charity’s data is protected.
- User-Friendly Experience: Intune is designed to provide a user-friendly experience for both IT administrators and volunteers. The platform offers intuitive interfaces and clear instructions, making it easy for volunteers to comply with security policies without feeling overwhelmed. Enrolment of the personal device is done by downloading the free “Company Portal” app and logging in. This helps foster a positive relationship between the charity and its volunteers.
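The Conditional Access rules described above (device compliance and UK-only access) together with the Block Downloads point in this Intune section, expressed as Microsoft Graph PowerShell commands. This is an added example, not code from the original post or from Smartdesc; it assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and the break-glass group id is a placeholder you replace with your own exclusion group.

```powershell
# Added example (not from the original post). Creates the Conditional Access
# controls discussed above with the Microsoft Graph PowerShell SDK. Every
# policy starts in report-only state so sign-in logs can be reviewed before
# it is enforced; the exclusion group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$excludeGroup = "<break-glass-group-object-id>"   # placeholder: your exclusion group

# Helper: all users except the break-glass group, all cloud apps unless overridden.
function New-CaPolicy($Name, $Conditions, $Grant, $Session) {
    $Conditions.users = @{ includeUsers = @("All"); excludeGroups = @($excludeGroup) }
    if (-not $Conditions.applications) { $Conditions.applications = @{ includeApplications = @("All") } }
    $body = @{ displayName = $Name; state = "enabledForReportingButNotEnforced"; conditions = $Conditions }
    if ($Grant)   { $body.grantControls   = $Grant }
    if ($Session) { $body.sessionControls = $Session }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Named location for the UK (ISO 3166-1 alpha-2 code GB), used by the location rule.
$uk = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.countryNamedLocation"
    displayName = "United Kingdom"; countriesAndRegions = @("GB")
    includeUnknownCountriesAndRegions = $false
}

# 1. MFA for everyone, on every client app.
New-CaPolicy "CA01 - Require MFA" @{ clientAppTypes = @("all") } `
    @{ operator = "OR"; builtInControls = @("mfa") }

# 2. Location-based access: block sign-ins from outside the UK.
New-CaPolicy "CA02 - Block access from outside the UK" `
    @{ clientAppTypes = @("all"); locations = @{ includeLocations = @("All"); excludeLocations = @($uk.Id) } } `
    @{ operator = "OR"; builtInControls = @("block") }

# 3. Device compliance: Outlook, Teams, OneDrive and other native clients only
#    from an Intune-compliant device, so corporate data cannot be synced offline
#    to an unmanaged personal device.
New-CaPolicy "CA03 - Native clients require compliant device" `
    @{ clientAppTypes = @("mobileAppsAndDesktopClients") } `
    @{ operator = "OR"; builtInControls = @("compliantDevice") }

# 4. Block downloads: browser access to Office 365 stays allowed, but the
#    app-enforced restrictions give unmanaged devices a view-only, no-download
#    web session.
New-CaPolicy "CA04 - Browser web-only on unmanaged devices" `
    @{ clientAppTypes = @("browser"); applications = @{ includeApplications = @("Office365") } } `
    $null @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
```

Before switching these to enforced, also turn on the SharePoint and Exchange tenant-side "limited access for unmanaged devices" setting that the CA04 session control relies on, and consider excluding the Microsoft Intune Enrollment app from CA03 so a brand-new personal device can still complete enrolment.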
IT Policy Guidance
- Acceptable Use Policy: Develop an acceptable use policy that outlines what is and isn’t allowed when using personal devices for charity work. This should include guidelines on accessing sensitive data, using public Wi-Fi, and downloading applications.
- Incident Response Plan: Create an incident response plan that details the steps to take in case of a security breach involving a personal device. This should include reporting procedures, containment measures, and communication protocols.
- Data Protection and Privacy: Ensure that your IT policies comply with data protection regulations such as the General Data Protection Regulation (GDPR). This includes obtaining consent from volunteers to process their personal data and ensuring that data is stored and transmitted securely.
Conclusion
Managing personal devices used by volunteers within charities requires a comprehensive approach that combines practical advice, robust security controls, conditional access rules, and clear IT policies. By implementing these measures and leveraging tools like Microsoft Intune, charities can mitigate the risks associated with personal devices and ensure that their valuable data remains secure.
As we celebrate Volunteer Week, let’s take the opportunity to strengthen our IT practices and support the incredible work of volunteers in a safe and secure manner. Speak to us today if you would like support in implementing any of the above.