BYOD: User Policy Considerations
Questions and key points companies should consider when establishing BYOD policies.
Not everyone is a fan of bring your own device (BYOD). Security executives - CSOs, CISOs - aren't totally sold on the practice. A survey from a company called Wisegate showed that 6 percent of CSOs said that the whole idea of BYOD "gives them a headache and they wish it would go away."
I suspect a lot more than 6 percent feel that way, but they understand that employees from the CEO on down are using their own devices for work and that it is better to have some strategy in place. So, to the survey question: "What is your position on securing mobile/handheld/tablet devices which your workforce uses (especially 'bring your own device')?" Twenty-seven percent answered, "We will only allow fully managed and secured devices to utilize corporate services," while another 24 percent admitted that they didn't think the devices could be secured and decided to focus on securing the most sensitive transactions.
Another interesting question from the survey asked about the devices and platforms employees could use to access corporate email. The vast majority of those surveyed were in agreement that iOS and BlackBerry platforms were just fine for corporate email, but not even half gave the thumbs up to Android. In fact, 71 percent of those surveyed said they don't want the Android platform in the workplace. This could create a very interesting dilemma, as Android phones are rising in popularity across the private sector, while BlackBerry is falling by the wayside.
Thirty-seven percent of IT decision makers reported that their business had unintentionally exposed corporate data through theft or loss of removable devices in the past two years. Despite this, only 34 percent enforce encryption on all removable devices allowed on their networks (25 percent in the U.S. and 51 percent in Canada).
The fact is that BYOD is here to stay. According to the Imation survey, 91 percent of IT managers let employees use devices such as USB sticks, iPhones, iPads, etc., while only 81 percent have policies regarding security of these devices. Yet, only a third actually enforce those policies.
I think the BYOD security concerns mirror the overall issues with security in the enterprise setting. IT managers and CSOs need to be on the same page when it comes to security management. Who is enforcing the policy on issues like encryption, and how are those policies trickling down to the employees?