Over the course of the past several years business leaders have evaluated and implemented the bring-your-own-device (BYOD) movement as a cost-effective methodology to preserve or reduce information technology (IT) operating expenses. In the quest to reduce these operational expenses, one might overlook the need to have a robust BYOD policy. A policy of this order addresses not only the technological issues associated with individual use of a personally owned device but also any procedural and data ownership issues. In essence, a policy document levels the expectations between company and employee.
The prevalence of BYOD is growing exponentially. In 2013, Juniper Research recently predicted more than one billion BYOD users by 2018, a number expected to equal approximately 35 percent of all consumer mobile devices. It is unlikely that every one of these devices will be used in accordance with the company’s expectations, but small to medium businesses (SMBs) should integrate their technological solutions and policies and ensure that they are commensurate with their available resources, thus making their BYOD policy a foundational item by coupling it with existing information security policies and other regulatory requirements.
Everyone has policies?
A recent study by Help Net Security indicates, “the majority of C-suite executives (92%) and just over half of small business owners (SBOs) (58%) have at least some employees using a flexible/off site working model. Yet, only 31% of C-suite executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.”
Whereas, Dell UK Security is spot-on, as detailed in the above video, the use of BYOD is a mainstay. Rare will be the company that does not want their workers to use their own devices.
There is a great deal of work to be accomplished by many companies, who are allowing convenience to trump their security.
Policies Are Married to Technology
In creating the BYOD policy, no assumption should be made by IT professionals or systems administrators regarding the technical acumen of their colleagues who are participating in a company’s offering. The aforementioned Juniper survey noted how 80 percent of smart phones will remain unprotected throughout 2013. In face of so sobering a data point, midsize businesses must implement a technical engagement protocol. The goal is to provide the best possible solution to protect company data today via a secure technological implementation and a road map to a better solution.
Technological solutions cannot stand alone; they must be coupled with appropriate BYOD policies, policies that protect the company’s intellectual property, trade secrets and customer data. At the same time, the policies should not be overly restrictive of how employees may use their device nor overly broad with granting the company access to the employee’s personal data. It may appear to be paradoxical, but an excessively strict policy implementation could in fact put the company at risk of accusation of unfair labor practices, according to a recent piece in CIO; not only that, but many employees faced with highly restrictive policies will seek unsafe workarounds. This is clearly not the purpose of a policy, which is to improve BYOD risk management, not add to the risk.
An effective BYOD policy engagement will begin with who owns what on the device, under what circumstances the company may access the employee’s device and how that access may occur. Any specialized applications or capabilities as part of the IT BYOD management suite that will be placed on the employee’s device will be identified. These applications may provide the company with an assurance of security through mandatory encryption or remote destruction capabilities. Regardless, it is incumbent upon the implementation team to tender an explanation of what data on the employee’s device the company’s required applications are accessing and how. Similarly, IT’s obligation to declare to the employee with specificity any prohibitions of placing third-party applications on the device that accesses company data should be spelled out with crystal-clear clarity.
As nice as it would be to open BYOD implementation to any and all devices, it is reasonable for the SMB to restrict BYOD to those devices that their IT department is able to support. The last step is to have the policy presented to the employee, signed by both the employee and the company’s representative and periodically revisited with each individual user on a semiannual basis. This will not only keep the company’s expectations top of mind, but IT leadership will also have a window into any hiccups in the technological or policy implementation; the latter is information that could go a long way toward achieving the principal objective of BYOD: To enable business to be conducted in an efficient and secure manner.
A desired outcome of any BYOD implementation is to conserve operating expenses, and cost of implementation is therefore a consideration. The Sans Institute white paper, “Managing the Implementation of a BYOD Policy,” provides an effective road map for a pilot BYOD project which can be implemented with little to no additional resources.
There are a plethora of mobile device management suites available from a variety of security vendors. Use one.
All the same, those who rush to embrace BYOD in order to save expense but who fail to ensure that implementation is accompanied by appropriate IT policies and infrastructure that pass legal muster may prove themselves to be penny wise and pound foolish.
A prior version of the above piece, authored by Christopher Burgess, originally appeared on IBM’s MidsizeInsider blog.