BYOD – Disaster or genius ?

Bring Your Own Device (BYOD) for Enterprise

In the U.S. 40% of employees in large enterprises use their personal devices for work and that number is expected to increase threefold by 2020.

While the age of enterprise mobility is well and truly upon us, the concept of ‘Bring your own device” or BYOD is just beginning. BYOD is the scenario where an organisation enables its employees, and  contractors etc.to use their own devices to connect to the enterprise. Traditionally a company issues devices that are provisioned and maintained internally by the IT department.  BYOD can substantially benefit the organisation, but if not managed properly could be detrimental to your business.

Bring Your Own Device scenarios can increase productivity while lowering the barriers to enterprise mobility adoption. Using a device familiar to the user improves the user experience as takes away stress related to the change in work practice. Another huge factor is Improved workplace flexibility, and this leads to increased loyalty, high morale and employee engagement. BYOD also extends the reach, connectivity and collaboration of the organisation beyond its employees to contractors for example that depend heavily on certain information and systems to do their job safely and more efficiently. Without which many external stakeholders simply have no access to the systems and data they need. A world of paper-based processes and forms emerge where back office dependencies morph to unacceptable proportions.

Besides alleviating this, adopting a BYOD principle also has the potential to reduce hardware costs and reliance on support resources to the tune around $4200 AUD/year/device to be exact

However, BYOD can also introduce new risks to an organisation’s business and the security of its information which need to be carefully considered and managed before implementation and wider addoption. Lets take a look at some of the key BYOD considerations and risk minimisation strategies for Chief Information Officers and other senior decision-makers.

Initial considerations:

1. What are the legal implications? Legislation such as the Privacy Act 1988, Archives Act 1983 and Freedom of Information Act 1982 can affect whether an organisation is able to implement BYOD in their environment. BYOD can increase liability risk to an organisation and organisations will need to be prepared to handle issues such as software licencing, employee’s personal data protection, privacy and responses to related incidents.
2. What are the financial implications? Organisations implementing BYOD may seemingly benefit financially, However without the correct toolset and management framework in place, there can often be an overall cost increase as a result of the need to technically support and manage a variety of devices and software platforms. Secondly when buying software, you will need to ensure that is works – both on current device types and operating systems and future releases as well.
3. What are the security implications? Devices storing unprotected sensitive data could be lost or stolen. How can you tell who is connecting to your systems, what device they use or what software they run? How can you manage and control who gets access to what, Or manage the change when access requirements, roles and positions change. Without the right tools, organisations can struggle to manage devices and control access to corporate data on ‘bring your own devices’. This is exacerbated by the fact that employees will often lack the technical skill and motivation to reduce security risks.

The main risk considerations in enterprise mobility, including BYOD, can be summarised in the five ‘P’s of enterprise mobility – purpose, planning, policy, polish and platform.

• PURPOSE – Determine whether there is a justifiable business case to allow the use of employee-owned devices to access and capture information. What information do your users need access to? How and where will users require access to this information. Do you have a contractor workforce that could benefit from direct access to certain information that’s might currently not be available to them? What benefits and efficiencies can be gained by embracing a larger mobile workforce ? e.g. shorter billing cycles, less resources and less time ?

There are some significant gains to made adopting BYOD, including significant reduction in expensive technical resource required to manage and provision devices, Significant hardware cost reductions and improved user experience. Organisations should use a risk management process to balance the benefits of BYOD with associated business and security risks.

• PLANNING – Any change in work practices will mean an impact to the user. Consider outlining the major change impacts to your organisation and work out risk mitigation strategies for each impact. The change is after all a human one and if such changes are not planned carefully, this could seriously affect adoption and success rates for this and all future initiatives.
• POLICY – develop and communicate a sound usage policy. This should be based on the risk assessment and business case and clearly communicate the expected user behaviour. Establish what financial and technical support employees can expect to receive. Be consultative in your approach – the most effective scenarios are jointly developed by business and legal representatives, IT security staff, system administrators and employees/users themselves. This helps ensure your organisation develop a realistic policy and processes which all stakeholders are willing to adhere to.
• PLATFORM – Ensure that your business has the right tools and support to securely and effectively manage the mobile ecosystem. The technology platform you select will underpins all of the above. Overall the ability to easily separate work from play on a users device and account for the business practice will prove invaluable in the end.

In particular, seek answers to the following questions:

1. How do we protect our sensitive or classified information from unauthorised access? For example, does your organisation keep sensitive or classified information in a data centre or on employee’s devices (e.g. through use of a remote virtual desktop)? The ability to control the exact data exposed to a device using target provisioning, and management functionality including remote wipe and black listing devices will offer control and an added level of security. Audit reporting of traffic and logging will help respond to incidents.
2. How do we protect the device and associated network from malicious software? For example, is the employee’s personal operating environment separated from the work environment on the device (e.g. through use of a managed container)? Does your organisation require the ability to offer remote software updates? Do you have the ability to accurately determine which users are running which devices and software ?
3. How do we reduce the risk caused by lost or stolen devices? For example, does your organisation have the technical and legal ability, and user agreement, to remotely locate or wipe a device? Are employees required to regularly backup work data created on their device, or do you need the tools to support instant synchronisation of data.
4. Does this new software cost me the Earth – Make sure that BYOD does not become to complex and costly. Is a cloud service available that gives me the access, and digital tools required to effectively manage my mobile ecosystem. What is the time to implementation and scalability options available?