Our voracious appetite for technology and social media has brought on a wave of employees, who would like to connect to work with their personal devices. This wave brings with it both opportunity and risk for those of us who are tasked with managing and securing business information.
This phenomenon has been going on for some time. Many of you have already made some adjustments for the BYOD or Bring Your Own Device movement, maybe without even giving it much thought. Some of your workers may have even gained access to your business network without formal approval.
What is Good about BYOD?
First and foremost, people tend to be more productive, if you let them work remotely on their own devices. For example, some choose to deal with the influx of email from their armchair in the morning or evening via iPads or tablet. It extends their work hours in a way that they choose, and makes them more productive during business hours. Secondly, many organizations are calculating the cost savings of allowing users to provide their own devices. This is most common for sales and other workers who work remote or travel. In addition, BYOD often creates a higher level of job satisfaction. This is particularly true of younger workers who view their device as an extension of their personality, or as a symbol of their tech savvy. Using their own device is actually a source of pride and satisfaction.
The downside of BYOD is quickly recognized, if you ask any IT manager. The traditionalist will say absolutely not. The dangers are many, with the biggest being theft of information. Depending on your business, this may be enough to stop you from going further. Other dangers relate to loss of production from viruses or spyware that come from unprotected devices, or even loss of time supporting devices that are not under the control of the company.
For most, there are ways to create a balanced strategy that allows for BYOD and address security concerns.
Top 5 Considerations for Creating a BYOD Strategy.
1. Create a policy to direct your actions and those of your employees. Include items like required password protection, limitation of stored data, restriction on sharing of the device with others, restrictions against jail-broken devices, anti-virus requirements, notification if device lost or stolen, allowed devices, and scope of support that will be provided by the company when issues arise.
2. Consider using mobile device management. Mobile device management is a way of controlling sensitive data on phones, tablets, iPads and other devices. It allows for remote support of these devices, GPS tracking, loss recovery, and even remote data wipe. Some of these features are built in to business grade mail servers, and some require an additional management tool that can be acquired through a monthly subscription.
3. Match your method of access to your security needs. There are several strategies for controlling data that reaches personal devices. The Federal Digital Services Advisory Group identifies three. The first is “Virtualization” which keeps all the data at the server level and does not allow any to migrate down to the user’s device. This offers the highest level of data security. The second is “Walled Garden”, which limits data on the user’s device to a certain designated area so that it can be easily controlled. The third is “Limited Separation” which is a more open approach that allows data to be comingled but puts policies in place to address security. Each of these requires different types of technology to implement.
4. Define your program. Is it voluntary or mandatory? Will you reimburse for data charges or for any part of device? Are all employees included, or just certain job classifications?
5. Make sure you are not violating any privacy requirements of your industry or customers. For instance, personal information like social security, medical, health, and credit card information should never be stored unencrypted on any machine whether company owned or a personal device. Protected information like health and financial information must be encrypted at all times. This can be accomplished with a managed disk encryption solution, but may be more difficult to implement on a personal device .
The BYOD demand from employees is challenging the best practices of data security that have been adhered to by IT professionals for years. This demand is in the rise, and will continue to increase as the workforce is impacted by a more tech engaged generation. For some businesses where security is paramount, preventing access by users from their own devices is still an absolute. However, with careful planning some businesses will be able to take advantage of a balanced strategy for BYOD.