Does your ITAM Strategy Incorporate BYOD?


If the answer is no, then read on.

Bring Your Own Device (BYOD) is a phrase now commonly used to describe the latest paradigm shift: employees being empowered to use their personal mobile technology and other computing devices in the corporate IT environment.

Whilst this allows greater flexibility for the workforce, it carries with it a unique set of challenges and impacts on the business.

This article attempts to describe some of the market drivers behind BYOD and the challenges it presents to an organisation in terms of management, controls, governance and licensing.

What are the drivers?

In order to appreciate the challenges and risks that BYOD presents, it is important to recognise the trends and drivers of this relatively new but pervasive use of technology.

Until relatively recently the traditional IT paradigm has been fairly simple. IT provided employees with the tools for the job, so that in theory, productivity and security could always be managed, measured and maintained.

Typically, this meant employees were provided with a device or devices (desktop/laptop) and the relevant applications (e.g. “Office”, “Acrobat”), along with any others that met specific IT standards and conformed to an approved or authorised list agreed by the business.

By the mid-noughties, things started to change. A new trend in IT began to emerge that stood in contrast to the norm.

This was primarily due to two factors:

  1. The adoption of mobile (smartphone and tablet) technology.
  2. The desire to use social media.

Suddenly employees were bringing in personal mobile devices that could store data and information in text, sound and graphical formats.

Users were all of a sudden able to utilise social media and store all sorts of file types; they could also “freely” use applications and share data across the network with other users.

This required a change of mindset for CIOs, CTOs and IT/IS managers in terms of how to embrace this new phenomenon without it becoming a huge administrative burden in terms of IT Asset Management (ITAM), productivity, security, compliance and so on. As an example, most IT departments viewed social media as a frivolous pastime and a drain on employee productivity. However, this soon started to change as news filtered through that social media could actually enable worker efficiency and productivity by allowing employees to share, collaborate and communicate in a much more agile manner than by using the more traditional corporate applications alone.

Working 9-to-5 was fast becoming a thing of the past. People no longer needed to sit behind their desk at the office to be productive and communicate. The corporate world was now global and 24/7. This means workers can work anytime and anywhere and strike their own work-life balance that is not dictated by location or a clock.

What are the challenges?

What we have seen is, in effect, a trickle-down. BYOD started at the top with C-level managers, as they tended to be the first to adopt working from home, flexible hours and working abroad. Initially this wasn’t seen as a major problem, as only a relatively small number of people in the organisation needed or requested it. Now, however, it is common across all organisational departments, and this has caught IT departments with their “trousers down”, metaphorically speaking: many don’t have sufficient policies and controls to cope with the diversity of capability, functionality and non-standardisation of the BYOD devices being used.

BYOD challenges the traditional IT controls used to minimise and mitigate risk.

As businesses somewhat blindly adopt BYOD, the risks associated with it must be assessed and mitigation plans put in place. Risks to data integrity, data loss and security vulnerabilities are all cited as real issues for organisations introducing BYOD. These are challenges everybody adopting BYOD will face, and robust policies in these areas are essential to ensure that controls are in place to mitigate the risks.

IT is also challenged to gain sufficient insight into what is happening on its network. Without being able to see what is going on in the corporate network, IT is hindered in its ability to protect business and information assets.

That lack of insight in terms of asset management across all corporate and personal devices means that controlling risk, cost and compliance is all the more difficult.

Here are a few things to think about when considering BYOD:

Business Intelligence: Obtain a snapshot of what you have. Utilise any inventory and usage information you can to provide the data you need. You will need to know which devices are connecting to the network, who uses them and what applications are being used. There are good software management and ITAM tools out there that can help you find the devices you have, recognise the software on them and control the applications available to them.

Establish policies: You should consider making a list of acceptable devices that can access the corporate network. Additionally, IT should state which devices, operating systems and applications it will and will not support.

Acceptable use: In accordance with standard security practices, companies should always enforce minimal access controls. In other words, even with BYOD, a strong security policy would be to deny all, except for approved devices, applications and users. Every business will be different. Therefore, it is critical to know in advance what your security policy is with regard to access controls.

Separate work and personal: Include in the policy that work information should be kept separate from personal information wherever possible. Consider making it a standard procedure that when employees access the corporate network on their own device, they also agree to adhere to company acceptable use policies, as well as to IT monitoring and inventory management tools.

Embed your Mobile Device Management (MDM) strategy into an overall IT Asset Management (ITAM) strategy, or establish one if you have none, and incorporate it with other relevant strategies around Hardware and Software Asset Management, so that you can manage all users and devices and any underlying software that is installed on or accessed by them.

Look beyond the device: Application control strategies can play an important role in making a BYOD policy secure and efficient. Make sure your BYOD policy also includes specific applications that are acceptable as well as others that are not. With application controls in place you can enforce policies based on specific, acceptable and unacceptable applications.

Apply policy to a segmented network: Sensitive data should always reside on a different network than that which is open to guests, contractors or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.

Understand compliance: Examine what else is at risk. Is your organisation subject to regulatory controls, such as HIPAA or PCI DSS? Are there processes and procedures in place so that if an employee loses a smartphone or tablet, it can be wiped to avoid data loss?

Companywide notification: This is absolutely critical for avoiding legal liabilities. Make sure your BYOD policy is regularly communicated to all employees. Have a written policy that states what rights an employee gives up in order to gain access to corporate resources with an employee-owned device.
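The considerations above, from the inventory snapshot through application control and segmentation, reduce to a default-deny decision per device. The following is an added example, not part of the original article or any Crayon product; the policy values, field names, segment names and inventory records are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy; real values come from the organisation's written BYOD policy.
POLICY = {
    "approved_users": {"asmith", "bjones"},
    "supported_os": {"iOS": 16, "Android": 13},  # OS name -> minimum major version
    "approved_apps": {"mail", "vpn", "office"},
    "banned_apps": {"p2p-share"},
}

@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    os: str
    os_major: int
    corp_apps: frozenset  # apps seen accessing corporate resources (from inventory)
    enrolled: bool        # owner accepted acceptable-use, monitoring and inventory terms

def decide(dev, policy=POLICY):
    """Deny all except approved users, devices and applications.
    Returns (segment, reasons); any failed check keeps the device on the guest segment."""
    reasons = []
    if dev.owner not in policy["approved_users"]:
        reasons.append("user not approved")
    minimum = policy["supported_os"].get(dev.os)
    if minimum is None:
        reasons.append(f"unsupported OS {dev.os}")
    elif dev.os_major < minimum:
        reasons.append(f"{dev.os} {dev.os_major} below minimum {minimum}")
    if not dev.enrolled:
        reasons.append("not enrolled in MDM")
    banned = sorted(dev.corp_apps & policy["banned_apps"])
    if banned:
        reasons.append("banned apps: " + ", ".join(banned))
    unknown = sorted(dev.corp_apps - policy["approved_apps"] - policy["banned_apps"])
    if unknown:
        reasons.append("unapproved apps: " + ", ".join(unknown))
    return ("guest" if reasons else "corporate"), reasons

# Constructed inventory snapshot (not real data).
INVENTORY = [
    Device("D1", "asmith", "iOS", 17, frozenset({"mail", "vpn"}), True),
    Device("D2", "bjones", "Android", 11, frozenset({"mail"}), True),
    Device("D3", "cdoe", "Windows Phone", 8, frozenset({"mail", "p2p-share", "game"}), False),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d.device_id, *decide(d))
```

Recording the reasons alongside the segment gives the asset register an audit trail for why a device was kept off the sensitive network.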

Summary

BYOD is a major technology trend that is dramatically changing the way we view IT. BYOD is a force that is here to stay and, by all expectations, will grow in size and scope. With this comes a whole new set of challenges and opportunities for businesses as well as their IT departments. This new BYOD paradigm, combined with a change in the way businesses provide IT services to end users through on-premise, virtual, hosted and public/private cloud platforms, is adding a new layer of complexity to the way we need to manage all of our IT assets.

Crayon is at the forefront of ITAM and Software Asset Management and is a global leader with over 15 years’ experience in assisting organisations with strategies to manage and optimise assets.

http://www.crayon.com/en-GB/

Phil is the Products & Services Director at Crayon and has been an integral part of the Senior Management team for over 10 years, having joined the business in 2005. With over 20 years of ITAM experience, Phil is credited with being the original architect of the Crayon SAM-iQ platform.