BYOD as a strategy may well prove to be an answer to many questions being posed to businesses the world over, but do we now consider it a safe option?
By Ed Macnair, CEO of CensorNet
Mobile phones at work are not a new phenomenon. Nor are smartphones. In May 2013, Gartner published an analyst view that, by 2017, up to 60 percent of businesses will have adopted a BYOD policy of some description.
The CensorNet white paper, “BYOD, is the big bad wolf dead?”, examines the current rationale for BYOD and tries to answer two questions: is it really a viable option, and has that big bad wolf been tamed and transformed into an “app shaped pocket sized pampered pooch”?
Contrary to the hype, the speed of digital surprised everybody. There can be no argument that the digital world is changing at unprecedented speed. For many CIOs, it really is a question of adapt or be left behind by the business they aim to support. In most cases, we no longer care what the badge on the software says or who the vendor is. Many business users have grown up knowing nothing else but digital technology and all that it offers. They see the IT market as a supermarket, its shelves full of packaged services and products that they can choose for themselves. After years of extolling the virtues technology could potentially deliver, the hype has become the reality.
An IT department is increasingly being perceived as something that introduces unnecessary delay. Obstacles previously regarded, mainly by a protective CIO, as barriers to technology adoption, are either being brushed aside or aggressively challenged by an ever-savvy user community.
The fact is that the digital children are just as familiar with the new technologies as many of their IT counterparts, if not more so. You’re more likely to hear “I’m going to anyway” than “May I?” because that way the job gets done, but at what cost?
So, can a business manage applications on a multitude of mobile devices to limit the risk and let the benefits of BYOD live and breathe in a way that can really work in the real world? The answer is “yes” and a good place to start is with governance. Whichever sphere of IT is being studied, the presence of good governance, as opposed to weak or no governance, is a good indicator of how seriously an organisation takes risk mitigation and asset management.
Good governance is not about lip service; it is about achieving a balance between protecting the company assets and facilitating ease of use for their employees.
CensorNet, whose solutions are distributed in southern Africa by Networks Unlimited, is experienced in helping organisations to step up to the challenge of managing the rise of cloud applications in an increasingly mobile work environment.
To make BYOD less daunting, it recommends careful scoping, clearly defined policies and support guidelines, and the right software acquisition. For scoping:
- Ascertain which information or data must be protected and access controlled.
- Decide which devices accessing that information or data are controllable, given what we know about today’s market.
- Review which operating systems are in and which are out.
- Identify a key part of the business that may see immediate benefits from BYOD.
- Look at a few trusted employees who can act as part of a proof of concept exercise (POC).
- Pinpoint the software and licenses required to implement BYOD.
- Decide how devices will be monitored and by whom.
- Consider using company devices in a POC before deploying to employee personal devices.
- Review which technical skills are required.
- Pick a suitable application to deploy that will pose less of a security risk.
One important step is defining what a BYOD policy looks like. It is best thought of as extending and enhancing the web policies that already prevail within the perimeter of the organisation, assuming a company has any. Ask questions such as:
- What are the liabilities of the company and what are the liabilities of the employee?
- Can the policy be legally enforced?
- What happens if a device is stolen?
- If data is lost, will the employee be liable for a fine or disciplined, and how will the rules around that be defined, for example, what defines culpability on the employee’s part?
- How will the standing orders of the Data Protection Act be enforced?
- What will an employee have to agree to on their personal devices, for example, installation of monitoring software, security protocols and so on?
- Are there any restrictions on private apps that are known issues and can these be defined as deal breakers in allowing specific employees to take up the BYOD opportunity?
- What about private apps on the corporate network? Are they allowed or is a complete ban required?
- How is data to be managed?
- Are there minimum specifications for the devices? For example, must have ‘n’ gigabyte capacity?
- Is there to be a compensation package for using personal devices, such as when an employee breaches their provider’s data limits?
- How is personal data protected from corporate access?
Support guidelines go hand in hand with any policy. Having access to both the policy and support protocols is a must, especially considering these are devices that may be functioning across the Internet.
Guidelines need to be simple, clear and easily accessed. If a user has issues, the more they can self-diagnose the better. After all, they may well understand the device in more detail than the IT support services.
To conclude, there are software options that make managing a BYOD paradigm less fraught with issues, particularly around security of data. Because users will inevitably resist any new form of software on a personal device, the reality is that the solution needs to be network based if it is to be successful.
Protection also doesn’t mean prohibiting the user; it means being able to identify, capture and manage any unusual activity that may compromise the organisation through use of a personal device. There is a fine line between an invasion of privacy and an airtight solution that protects the integrity of company data.