BYOD: User Policy Considerations
Questions and key points companies should consider when establishing BYOD policies.
The consumerization of IT/bring-your-own-device movements - they are largely the same trend, with some differences around the edges - is the big story in corporate communications. Just about everything else can be seen through the prism of BYOD/consumerization.
Besides being so important, it is unstoppable - people bring their devices to work, whether the boss likes it or not - and extremely challenging. Some interesting research on the trend is emerging. A close look at how the changes affect federal workers is vital, since ultimately these folks control citizens' safety. CDW Government released research this week that provides insight on the impact of BYOD on the federal work force.
In a more general finding, the survey - which covered 414 federal employees and IT staffs - found that 99 percent have deployed mobility. Sixty-two percent of those - and essentially 62 percent of the total - allow BYOD. The press release on the report is somewhat troubling:
For example, while 82 percent of IT professionals said their agency deployed encryption for mobile devices, far fewer said their agency protects mobile devices with multi-factor authentication (54 percent), remote lock and wipe (45 percent), and data loss prevention software (39 percent).
BYOD raises the bar on the difficulty of securing data and devices. That only about half of federal agencies use multi-factor authentication and remote lock and wipe, and that only about four in 10 use data loss prevention software, are yellow flags that these agencies may not yet be confronting the intricacies of BYOD.
This week, Wisegate made available a report on securing corporate mobility with an emphasis on BYOD. The press release essentially just hypes and describes what the report covers. However, responses from a survey of chief information security officers (CISOs) are worth considering.
The question excerpted in the release appears to have been asked informally, and the answers overlap. The question focusing on attitudes to BYOD is interesting in that the four offered responses all scored within seven percentage points of each other (20 percent to 27 percent). At the higher end of the scale were organizations that only allow "fully managed and secured devices." The other three responses were the enablement of any device employees choose to use; movement from a "device-centric" to a "user-centric" approach; and use of a hybrid approach offering access levels based on devices' level of security.
Candy Whitley at TRCB News offers some tips on how an organization should approach BYOD. The key paragraph:
Create a steering committee which of course includes IT. Consider the scope of the employees' needs along with budgetary considerations. IT defines general guidelines such as: VPN, mail access (IMAP4, POP3, SMTP) and other industry standards. Expectations on platforms (iOS, Android, Windows, Linux) are created. Draft guidelines are presented to employees for feedback. Feedback is thanked and acknowledged, with the outrageous and out of scope ignored. Implementation has begun. Now the why.
The emergence of BYOD and the consumerization of IT is the biggest challenge faced by IT departments during the past decade. There is no reason to think, however, that the veritable army of mobile device management (MDM) vendors won't produce a wide variety of products that solve the problem.