Every day, an increasing number of people are beginning to use their own handheld devices in their work environments. This trend, known as BYOD (bring your own device), is altering the current IT environment in a big way. This year alone, 56 percent of business smartphones shipped will be employee-owned, with that number jumping to 85 percent in 2016.
But with all these new unmanaged devices being brought in to organizations, IT teams must ensure that each is secure and safe to use on their networks. Before the days of smartphones and personal devices, IT departments faced a multitude of challenges in guarding their networks and data from loss or theft, and that was when all the devices stayed within the walls of the organization. Now with BYOD, employees do what they want on their devices with security concerns as an afterthought. Unless they have proper safeguards, these mobile devices become more vulnerable to attacks than a PC.
Developing a successful BYOD plan does not come easy. An organization must think beyond the technological challenges; it must address business policies, legal policies, management processes and governance as well. Different organizations may take unique approaches to BYOD but should consider and address each of the following issues.
Essential 1: Knowing Your Business and Regulatory Processes
Before it can implement an effective BYOD strategy, an organization must first understand its business, legal, technical and governance departments, and how those teams function with the devices already at their disposal. Then it must think ahead to what issues could arise when integrating employee-owned devices. Key questions to ask include the following:
- What does the company seek to gain from BYOD?
- What unique divisions does the organization have?
- What information and applications need to be accessed by each division?
- What level of security will be applied to this information?
- What are the data-usage requirements for each division?
- What are the regulatory and compliance requirements for the industry/organization?
- For global organizations, what are the country-specific laws?
- What travel requirements and other environmental factors need to be considered?
Once an understanding of the current environment and future requirements is in place, the organization can then draft its BYOD policy framework.
Essential 2: Creating a Protocol Foundation
Given an understanding of user and security requirements, a basic protocol can be created to address the following business policy questions:
- Sourcing: Where did the device come from? Was it a preferred vendor or some random source?
- Geo-fencing: It may be that security or data-use needs require policies to govern device use in predefined geographical areas. Everything might be allowable in your native region, but in other areas restrictions might apply that govern data-usage levels, data-access levels or both.
- Supporting devices: This is one of the most important but often overlooked aspects of a BYOD policy. Expecting your IT team to support every device that could be purchased by employees is unrealistic. IT will need to determine which devices it is able to support.
- Bandwidth throttling: Organizations must determine how to allocate employee demand for bandwidth across a broad swath of locations, roles and usage volumes.
- Business support vs. personal support: Organizations must determine the extent to which they are willing to provide technical support for an employee-owned device that accesses personal data and applications as well as business data and applications.
- Device loss: Device loss or theft is a fact of life. As such, the organization should have a thorough plan in place for how to protect (or remotely wipe) data on a device if it goes astray.
- Reimbursement: How will organizations reimburse employees? A broad range of options exists, from total coverage of devices and unlimited data to reimbursing employees for data expenses up to a certain preset level.
Essential 3: Protecting Against Legal Liabilities
By introducing employee-owned devices in the workplace, an organization may also create legal issues. Policies that sidestep risk must be outlined in advance to avoid costly mistakes.
- Rights: The legal rights of employees and organizations differ from country to country, and organizations must recognize them to meet applicable regulatory and privacy requirements.
- Responsibilities: Does an employee using a device with corporate apps and data have a responsibility to protect the device? What if precautions are not taken to protect the device? What if they are, yet information is still compromised?
- Liability: Is the company liable if some action on its part results in the loss of private data? What is an employee’s liability for corporate data loss? What if the employee is following the required security policy, like password protecting the device; does that remove liability?
- Privacy: What steps will a company take to protect the privacy of the employee?
Essential 4: Preparing for Security and Technical Issues
Technical issues come with the territory of BYOD implementations. Regardless of the organization’s specific needs, it should consider the following security requirements as part of any comprehensive BYOD strategy.
- Device acquisition: Technical considerations often influence device-acquisition policies. Hardware or OS requirements may favor the purchase of particular devices or the selection of a particular vendor, or they may require a particular vendor to supply devices that have already been provisioned to the organization’s specifications.
- Security: One of the most challenging technical issues in BYOD is balancing security and risk. A successful IT strategy for BYOD security might involve different security policies and technologies for different user segments. Employing different policies for different user segments can be complicated, as the spider chart to the right shows.
- Device partitions: A growing number of devices are designed to support multiple user personas. Secure containers can also be used to isolate the data and applications associated with each persona.
- Application management and development standards: Management policies must be established to ensure the proper level of control for each app according to its sensitivity and use. Such a container/composite app model can greatly simplify app provisioning and maintenance.
- Data access: Data-access policies must also be established. The enterprise will need to determine a number of factors, such as whether it will offer Wi-Fi to supplement broadband access and, if so, what levels it is willing to support.
Essential 5: Making a Plan for Effective Installation
Employee ownership of devices creates a unique set of challenges and requirements when it comes to policy implementation:
- User profiles: A solution must be in place to link each individual employee with his or her user profile—ideally on the basis of an AD/LDAP access-control system and the set of policies around individual membership in groups and group access to various data and apps.
- Self-provisioning: The most obvious challenge with employee-owned devices is that the company seldom has access to the device; therefore, it must implement measures to enable employee-owned phones, tablets and other devices to be provisioned by the users themselves.
- Employee self-service: Since it’s typically either impractical or impossible for organizations to take possession of employee-owned devices, it is essential that employees are able to provision and service devices through a “single self-service window.” Device and data-plan management, usage tracking, and access to authorized corporate applications should be included.
- Auto-certification: With employees connecting to the network and provisioning their own devices, the enterprise must establish the process for automatically certifying that the device has a container and is consistently connecting through that container.
- Teleworking: An organization’s virtual desktop and unified communication strategy should extend to mobile devices.
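To make the implementation points concrete, here is an added example (not code from the article or from DMI) that ties together three of the essentials above: the geo-fencing rules from Essential 2, the per-segment security policies from Essential 4, and the AD/LDAP-style user profiles plus auto-certification from Essential 5. It models a device posture record, certifies that the device has a secure container and is actually connecting through it, then resolves the owner's group memberships to the set of corporate apps allowed in the device's current region. The group-membership table stands in for a real AD/LDAP lookup, and the user names, group names, app names and region codes are all constructed for illustration.

```python
"""BYOD access-policy evaluation: device certification plus group-based,
region-aware app entitlement. Added illustrative example; all names below
are constructed and the dictionaries stand in for a directory service."""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Snapshot of an employee-owned device at connection time."""
    device_id: str
    owner: str                  # directory user name (assumed AD/LDAP sAMAccountName-style)
    container_installed: bool   # secure container / work persona is present
    via_container: bool         # this connection is routed through the container
    jailbroken: bool            # integrity check failed
    region: str                 # constructed region code, e.g. "US"


# Constructed stand-in for AD/LDAP group membership (user -> groups).
GROUP_MEMBERSHIP = {
    "alice": {"finance", "all-staff"},
    "bob": {"field-sales", "all-staff"},
}

# Constructed segment policy: group -> apps it may reach and where.
# regions=None means the apps are allowed from any region (no geo-fence).
SEGMENT_POLICY = {
    "all-staff": {"apps": {"mail", "calendar"}, "regions": None},
    "finance": {"apps": {"ledger"}, "regions": {"US", "CA"}},
    "field-sales": {"apps": {"crm"}, "regions": None},
}


def certify_device(posture):
    """Auto-certification: return the list of baseline checks the device fails.

    An empty list means the device is certified for corporate access.
    """
    failures = []
    if posture.jailbroken:
        failures.append("jailbroken")
    if not posture.container_installed:
        failures.append("no-container")
    elif not posture.via_container:
        # Container exists but traffic is bypassing it: treat as uncertified.
        failures.append("not-via-container")
    return failures


def evaluate_access(posture, groups=GROUP_MEMBERSHIP, policy=SEGMENT_POLICY):
    """Return (allowed_apps, reasons).

    allowed_apps is the set of corporate apps the device may use right now;
    reasons lists why access was withheld (certification failures first,
    then any geo-fenced segments that do not apply in the current region).
    """
    reasons = certify_device(posture)
    if reasons:
        # Uncertified devices get nothing, regardless of who owns them.
        return set(), reasons

    allowed = set()
    for group in sorted(groups.get(posture.owner, set())):
        rule = policy.get(group)
        if rule is None:
            continue  # group carries no mobile entitlement
        if rule["regions"] is None or posture.region in rule["regions"]:
            allowed |= rule["apps"]
        else:
            reasons.append(f"geo-restricted:{group}")
    return allowed, reasons


if __name__ == "__main__":
    # Constructed sample postures to show the decision paths.
    samples = [
        DevicePosture("d1", "alice", True, True, False, "US"),
        DevicePosture("d2", "alice", True, True, False, "DE"),
        DevicePosture("d3", "bob", True, True, True, "US"),
        DevicePosture("d4", "bob", True, False, False, "US"),
    ]
    for p in samples:
        apps, why = evaluate_access(p)
        print(p.device_id, p.owner, p.region, sorted(apps), why)
```

The order of checks is the point of the example: certification is evaluated before any entitlement, so a jailbroken device or one bypassing its container never reaches the group lookup, and geo-fencing removes only the segments that are restricted in the current region rather than all access. Feeding the certification failures and geo-restriction reasons into a log or dashboard gives the governance model in Essential 6 the "lost phones and jailbreaks" signal it needs.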
Essential 6: Staying on Top of Your BYOD Policy
For an organization’s BYOD policy to be effective, it must be able to evolve as new issues come to light. To do so, a governance model is necessary, such as one that measures and monitors factors like costs, security breaches, lost phones and jailbreaks. An effective BYOD plan requires a strong model of governance. Without one, BYOD could become more of a problem than the solution it is meant to be.
By leveraging the unused potential of employee-owned devices, organizations seek to increase the effectiveness of their daily transactions while reducing costs. To do so, the organization must have a strong understanding of its current business environment and the effects BYOD would have on its day-to-day practices. Furthermore, it must implement a clear and updatable set of policies for governance and security. The age of BYOD is here. By following the steps above, any organization can take full advantage of the potential benefits of a successful BYOD implementation.
Leading article image courtesy of ajleon
About the Author
Sam Ganga is Executive Vice President, Commercial Division, for DMI. Under Sam’s leadership, DMI’s Commercial Division has developed the world’s most comprehensive set of mobile enterprise solutions, including mobile strategy, mobile managed services, mobile app solutions and integrated vertical solutions for retail, financial services and health care. The group has more than 500,000 mobile devices under management and has developed more than 400 mobile applications in the last 12 months. DMI Commercial Division also offers big data insights solutions that provide better insight, for better decisions, and better performance to leading Fortune 500 companies. Before joining DMI, Sam was the founder and president of Leverent Consulting, a professional-services company that provided technology solutions to commercial and government clients.