The lives of today’s workers are not always divided into neat and separate office and home compartments. Many work at home, sometimes on weekends, and often for longer hours, making them more productive than when in the traditional, office-based nine-to-five role. Nowhere is the blur between home and office more evident than in the social and mobile space, where employees mix work and play in their Twitter streams and use the same phone and laptop for Facebook, Netflix and accessing the corporate CRM system.
Over the last decade, employees have begun bringing personal IT equipment into the office that is better than what they are issued at work, and they want to use it for both personal and work activities. Carrying two phones is a hassle, and some might prefer a tablet or an Apple MacBook over their corporate laptop. This powerful and irreversible employee productivity trend is called “the consumerization of IT,” and savvy companies are responding with new enterprise mobility programs, of which bring-your-own-device (BYOD) schemes may be a part.
Today’s CIO has a lot to do to make BYOD work, starting with a well-designed and communicated policy covering employee privacy rights and a company’s right to monitor, access, review, and disclose company data. The CIO must balance the convenience of BYOD and the improved employee productivity with the realities of employee privacy, corporate security, and the use of mobile device management (MDM) software. There are BYOD minefields that must be negotiated by working closely with HR, finance, legal, and business units, as well as dealing with a wide range of impatient and tech-savvy employees who will say (or perhaps shout) “Why doesn’t IT get it? How hard can it be? I just want to do my work.”
In this slideshow, Sarah Lahav, CEO of SysAid Technologies, takes a closer look at BYOD and offers advice to help CIOs maximize workplace productivity while maintaining corporate security.
BYOD Advice for CIOs
The Promise of BYOD
Surveys of thousands of BYOD users across the world have shown an average productivity boost of one hour per week for employees. However, many of the positive stories about BYOD are found only in the marketing of vendors selling a BYOD product or solution. Often these stories are in the form of customer case studies or “dogfood” stories where the vendor has embraced and benefited from its own BYOD solution.
The promises of significantly reduced hardware and software costs versus marginally increased support complexity have been difficult to prove because enterprise mobility and BYOD programs are complicated by privacy, security, and budget challenges.
CIOs must balance the promises of reduced IT costs and increased employee productivity with the realities of running a BYOD program. Although employee productivity may increase, as some surveys have shown, BYOD needs new policies and procedures and it’s likely to increase overall costs due to hidden budgetary items such as managing employee BYOD expenses, policies, and device management.
It’s hopefully now widely accepted industry wisdom that corporate BYOD schemes should be user-centric, rather than device-centric, and that the CIO and team should start by understanding the end users in their organization.
By understanding and mapping end users’ behaviors, roles and needs, the corporate IT organization can build up profiles of end-user categories – such as the millennials, the techies, the CEO, the rogues, and more – as well as how these needs differ by organizational role. Understanding each of these personas and their different needs helps with BYOD policy development and increases the chances of getting the right balance between end-user and corporate needs.
The BYOD Policy Imperative
Perhaps the most important role the CIO plays in a BYOD program is gathering lessons learned from other organizations, then driving the work with HR and legal to craft a balanced, workable BYOD policy. The BYOD policy is the heart of the program as it specifies what is and isn’t acceptable, what scenarios are covered, and what actions will be taken. Employees must agree to this policy as part of their terms and conditions or they cannot be part of an official BYOD scheme.
The BYOD policy needs to cover the important areas of employee privacy, corporate data security, and acceptable use – ensuring that it covers the various employee needs and risks. The CIO and team also need to ensure that lost devices, malware problems, security breaches, unacceptable use, and employee exits are covered by the policy. For this to be effective, IT must work with HR and Legal to ensure that there are documented and agreed-upon actions to back up the policy, otherwise the BYOD policy is ineffectual.
Updating Security for BYOD
Instead of looking at securing BYOD devices with PINs and passwords, CIOs need to see the wider picture of corporate application and data access matched to end users and their roles and locations. From this analysis, a CIO and his or her team can develop access controls around authentication, data protection, anti-malware, and governance, risk, and compliance (GRC).
A critical part of BYOD security is the ongoing training and education of end users so that ignorance is never an excuse. For example, employees should be frequently reminded not to use their corporate email and password as logon credentials for services such as Gmail and Twitter. Instead, employees should be provided with password management systems that allow them to have complex and unique credentials for every service they access from their BYOD device.
CIOs and their teams should put white and blacklists in place for devices and applications and enforce them using MDM software. Corporate apps can be whitelisted and “unsigned” applications from unknown third parties can be barred.
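As an added illustration of the two controls described above, access matched to role and location, and MDM-enforced app whitelists and blacklists that bar unsigned third-party apps, here is a small policy evaluator written for this page; it is not SysAid's product or any real MDM API, and every bundle id, signer name, role and location in it is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist: corporate app bundle id -> the signing identity it must carry.
CORP_APP_ALLOWLIST = {
    "com.example.crm": "Example Corp Signing Key",
    "com.example.mail": "Example Corp Signing Key",
}
# Constructed blocklist of apps that are never permitted on an enrolled device.
BLOCKLIST = {"com.badvendor.sideload"}
# Signers whose apps may coexist with corporate data (personal store apps stay allowed).
TRUSTED_SIGNERS = {"Example Corp Signing Key", "Platform Store"}
# Role -> resource -> locations from which that resource may be reached.
ROLE_POLICY = {
    "sales": {"crm": {"office", "remote"}, "email": {"office", "remote"}},
    "contractor": {"email": {"office"}},
}

@dataclass
class App:
    bundle_id: str
    signer: Optional[str]  # None means the app is unsigned

@dataclass
class Device:
    owner_role: str
    mdm_enrolled: bool
    location: str
    apps: List[App]

def app_violations(device: Device) -> List[str]:
    """Bundle ids that breach the lists: blocklisted, mis-signed corporate, or unsigned/unknown."""
    bad = []
    for app in device.apps:
        if app.bundle_id in BLOCKLIST:
            bad.append(app.bundle_id)
        elif app.bundle_id in CORP_APP_ALLOWLIST and app.signer != CORP_APP_ALLOWLIST[app.bundle_id]:
            bad.append(app.bundle_id)  # corporate app with a missing or foreign signature
        elif app.signer not in TRUSTED_SIGNERS:
            bad.append(app.bundle_id)  # unsigned or unknown third-party app
    return bad

def decide_access(device: Device, resource: str) -> Tuple[bool, str]:
    """Decide a corporate resource request from a BYOD device; returns (allowed, reason)."""
    if not device.mdm_enrolled:
        return False, "device not enrolled in MDM"
    violations = app_violations(device)
    if violations:
        return False, "non-compliant apps: " + ", ".join(violations)
    allowed_locations = ROLE_POLICY.get(device.owner_role, {}).get(resource)
    if not allowed_locations:
        return False, f"role {device.owner_role} has no access to {resource}"
    if device.location not in allowed_locations:
        return False, f"{resource} not permitted from {device.location}"
    return True, "ok"
```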
Beware Hidden BYOD Costs
In the early days of BYOD, there was an optimistic, and perhaps naïve, expectation that BYOD would be cheaper than providing corporate devices because the company pays nothing for the end user’s device and the end user most likely supports themselves for “free.” However, the reality is that companies often wind up paying for the end user’s mobile plan that often includes a subsidy for the phone. Mistrust can develop here because end users can be “greedy” in opting for the best phones and most expensive plans even when they don’t need them to do their job. So, in effect, the company is subsidizing the employee’s personal life choices.
Most companies will agree that enterprise mobility and BYOD are best managed by MDM software. It’s what allows the end user the freedom, and the enterprise the control, to make BYOD work. In terms of costs, MDM software is commonly paid per-user or per-device, but there are additional hidden costs in the staff and skills needed to run the software, which often require specialist consultancies or IT staff training.
Privacy and Legal Aspects of BYOD
On corporate computers and devices, CIOs might worry about employees putting corporate data in Dropbox or similar cloud apps and block the use of such file services via the corporate firewall. On a personal device, however, the end user has a legitimate, personal right to use Dropbox, so this control won’t work.
The CIO can insist on installing MDM software so the company can wipe any data, read data, block applications, and even track location. The company may say that it can be trusted, but should the end user accept this? After the Snowden leaks, employees are going to be wary of abuses of such technology and wonder what’s to stop an administrator from tracking an employee’s GPS location, even outside of work hours and on their private and confidential business.
CIOs and their teams also have to work out, ideally at the start of a BYOD program, what to do in situations where employee phones are included in legal information recovery procedures. If employees have to give up their BYOD phone, will all of their data, including personal emails and pictures, be seized? And what happens if the employee doesn’t accept this and resets their phone, wiping all the data including the legally required company data?
Three Kinds of BYOD Approach
As BYOD has evolved, we have seen that there is a sliding scale of BYOD technical solutions, ranging from low to high cost. The low-budget option is a hands-off approach with a bare-minimum policy: isolate all wireless BYOD devices so that they can only use one or two services (such as email) and nothing else.
A CIO could go for something more middling and use network devices to control and monitor access over the Wi-Fi at their facilities, allowing no access to corporate information other than through this route. This is often extended outside the office by using VPNs on mobile devices and locking down application access to isolate personal applications from corporate ones. But this still opens a tunnel that malware could exploit.
For complex, changing, and regulated environments, a CIO is likely to go big-budget and invest in an MDM solution that will implement a detailed BYOD policy, providing a great employee UX matched by fine-grained IT controls.
What’s Next for BYOD?
BYOD is a decade old now and has gone from being an overhyped phenomenon to becoming a mature and widely accepted solution.
There is a developing trend for organizations to move toward “zero-trust” of networks, devices and end users. This trend is being helped by new, fine-grained and distributed security technologies that take security close to the data and the applications and effectively replace the old approach of trusted security zones.
MDM software will continue to advance and mature to allow for a very fine-grained implementation of the corporate BYOD policy. It will effectively “partition” phones in such a way that end users will have the freedom to do what they want without compromising corporate controls and data. An adjacent trend is cloud-identity systems, which allow an organization to give just one trusted identity to an employee for all their systems, devices, applications and networks.
A CIO will ultimately combine these advanced identity systems with the latest MDM and security solutions. BYOD solutions will work better and productivity should increase, as should end-user satisfaction. But privacy and legal challenges will persist.