I’m currently in the midst of pre-briefings for CES and one thing is abundantly clear: if you thought BYOD was a pain in 2012, it will become a lot worse in 2013. It may be time to revisit or create that BYOD strategy for the coming year before the employees roll over you.
Android: The Great Satan
This may seem a bit over the top, but next year Google will be launching its X Phone, which will push the envelope on technology and likely appeal most to the folks many of you want to be the most secure. Yep, the engineers will likely flock to this thing in even larger numbers than they did with the first Nexus phone from Google.
The problem with this is that Google appears to be living in the 1990s when it comes to security, and many of you have actually blocked Google phones for this very reason. Well, it got worse recently when it was found that a lot of malware (50 apps) was getting into the Google App store and not just coming from sideloading. It may be time to strengthen or rethink the BYOD policy with regard to Android phones on campus, because this malware is pulling IDs and passwords off of the phone.
Google has the most variety and the least security, which is an ugly combination if you are trying to keep your site secure.
While Apple remains more secure than Google, it is still living under a security-by-obscurity model, which focuses more on appearing secure than being secure. Having said that, the bigger issue is that Apple appears to be cycling its products more rapidly and this means these products are going to be passed down or over to non-employees more aggressively, particularly if they are tablets. Thinking through how you are going to ensure the cached IDs and passwords are off these things before little Johnny or Suzie decides to pull a prank on the company systems might be a good idea over the next few weeks.
RIM is looking stronger at the moment, and if you are currently standardized on BlackBerrys and thinking of moving, you may want to hold off on that decision until you’ve been briefed on the BlackBerry 10. RIM is the only vendor with a major focus on business customers at the moment and its platform is both the least-attacked and the most secure of them all at this writing. If problems with the consumer platforms, with regard to security, continue, you may find the RIM BlackBerry platform to again be the safe harbor and, for company-owned phones, the better/safer overall choice once this new platform launches.
Microsoft is also expected to strengthen the business side of its offering this year (it started this late last year) and the platform has been slowly strengthening with Nokia and HTC’s new Windows Phone lines. You likely already are getting regular updates on this platform and, if you are like most of the IT mobile folks I talk to, have been lamenting that you like the platform but your employees don’t care for it much. The latter appears to be changing and that should be a good thing.
Other Connected Devices
CES next week will be awash with smarter TVs and a variety of other technologies that will be connected to the Internet and that employees will want connected to the company. Cars are one of the increasingly connected new offerings that employees will want connected to some company services, like messaging.
Having Siri read an employee a notice that they are fired while they are driving could end catastrophically and have some liability attached. Thinking through what goes out over the mail and could be consumed while driving might be a prudent conversation to have. Personally, I think critical messages like employment status, health of co-workers, or the sale of the company should be delivered while the employee is sitting down and not driving a car.
Wrapping Up: Some Rules to Consider
There are three rules I think IT organizations should consider when allowing devices in under a BYOD policy. The IT department must be able to remotely delete the ID and password and, ideally, remotely wipe the company data from the device in case the device is lost or the employee is terminated. There should be a minimum level of security that IT requires and an annual process to approve and reapprove devices against this policy.
Finally, employees are required to tell the company and have their identity removed from any device that has been used under the BYOD policy before donating it or giving it away as a gift. Penalties for violations of any of these policies should be consistent with other intentional security violations and ensure compliance.
There is a ton of fun stuff coming; let’s make sure it doesn’t bite any of us in the ass.