The consumerization of IT is one of the greatest challenges facing IT professionals today. Without proper planning, shifting device ownership to employees can reduce CIOs’ oversight and compromise the security of sensitive data. However, enabling employees to use self-owned devices provides companies with many benefits. The following guide is intended to help IT professionals devise and execute a winning bring your own device (BYOD) strategy that maximizes productivity gains while minimizing security risks.
What Your BYOD Program Should Achieve
The BYOD movement has spread like wildfire. Research from Harris Interactive shows that 81% of employed American adults use at least one personally owned electronic device for work. Yet an Acronis study states that 60% of companies don’t have a formal BYOD policy to keep data secure. Giving employees the freedom to choose the best way to get a job done increases employee satisfaction, productivity and can be a draw for recruiting top-level employees. However,CIOs need to define rules of governance that enable employees to conduct various work-related tasks on devices that they own, while minimizing security threats.
Here are some attainable goals for your BYOD program.
Empowering employees to use their own devices, which include smartphones, tablets, laptops and desktop PCs, can increase employees’ job satisfaction as well as offer businesses productivity gains. In fact, a CIO Insights study from earlier this year showed that out of 500 IT and business executives surveyed, 62% believed that BYOD increased productivity.
BYOD policies can also reduce costs. A Cisco IBSG study reveals that a comprehensive BYOD program reduces hardware costs, support costs and telecom costs. According to the study’s findings, companies can gain an additional $1,300 annually per mobile user by rolling out a comprehensive BYOD program.
Protect Sensitive Data
There is much to be gained by enabling workers to use their own devices. Unfortunately, without clear rules of governance, it’s all too easy for critical data to fall into the wrong hands. According to Gartner, through 2014, employee-owned devices will be compromised by malware at twice the rate of corporate owned devices. In addition, research shows that 35% of employees store work passwords on their mobile devices, while Enterasys’ infographic shows that as many as 90% of tablet users and 75% of smartphone users have disabled their auto-lock feature.
Build The Ultimate BYOD Policy
Step 1: Company-Owned, Self-Owned or Both?
The first step of any BYOD program should be defining whether using self-owned devices is prohibited, optional or mandatory. Some businesses give workers the choice between using company owned and self-owned devices. At other organizations, employees use a mix of company-owned and self-owned devices to complete tasks. Of course, there are pros and cons of each. Company owned devices tend to be more secure overall. However, there is no guarantee that those devices will be used exclusively for work.
According to Gartner VP David Willis, “We’re finally reaching the point where IT officially recognizes what has always been going on: people use their business devices for nonwork purposes.” As such, many companies are warming up to the idea of allowing self-owned devices. In fact, a Gartner study shows that by 2016, 38% of companies will stop providing their employees with devices altogether.
Step 2: Define BYOD Incentives
If you want to steer your workforce toward BYOD, it can be helpful to offer incentives. Many companies issue stipends to workers to help pay for their BYOD devices. For example, imagine a worker who uses her iPhone 5 to take business and personal calls. A company might pay for a percentage of her monthly phone bill, but not pay for the device itself. Other companies issue stipends that democratize the cost of the devices themselves. Some companies even go as far as to purchase devices for their employees, that are then employee-owned.
Step 3: Create a List of Approved Devices
BYOD is, by nature, an ambiguous term. IT has to decide and make it known which devices are okay to use for work and which are not. Remember that the more devices and operating systems you allow, the harder it is to accurately and effectively manage data security. We recommend setting up some firm ground rules. For example, you might decide to only use iOS devices or Android devices. When choosing which devices make the cut, it’s important to select devices that offer the tools your workers need to get their jobs done, as well as BYOD-friendly security features.
Which devices you allow could depend on a variety of factors including whether your workers are tech-savvy enough to update security features to the overall sensitivity of your business’ data. According to Ramon Ray, author of Technology Solutions for Growing Businesses, “Some businesses can’t afford even one slip-up when it comes to proprietary data. A legal, financial or medical office, for instance, might be wary of adopting a BYOD policy. If one instance of stolen client data could result in serious consequences, having employees on a variety of different tools is probably too big a gamble.”
Step 4: Make Certain Every Device is Registered and Secure
The last thing any IT professional wants is for sensitive business data to be unaccounted for. If an employee is going to be using a device for work, IT needs to know! Every device should be registered and then protected by a complex password system (not a worker’s birthday). iOS 7 introduces fingerprint recognition software which, in addition to adding some James Bond mystique to iOS devices, actually makes them more secure for BYOD. In addition, third-party solutions like Silent Circle and Sophos offer features that help companies enforce security policies on employee-owned mobile devices.
Step 5: Educate Employees About Acceptable Usage
Your business likely already has an acceptable use policy for company-owned devices. However, it is important that employees know which actions on self-owned devices violate acceptable usage. For example, even though experts like elite hacker Kevin Mitnick have made a case for VPN usage, there can be security risks involved. Therefore it is prudent to monitor which sites employees are visiting and which apps they are using after setting up a VPN tunnel. We’re guessing you don’t want an employee illegally downloading TV shows on the same device they’re using to review sensitive documents through your VPN.
Education is key. We recommend setting up clear rules with well-defined penalties.
Step 6: Create a List of Approved Apps
Just as employees are bringing their own devices to work, they’re also bringing their own apps. It’s important to establish which apps are okay to use for business purposes. Apps that enable social media browsing, VPNs, replacement email applications, and apps that enable workers to access desktop data remotely can lead to security breaches. As such, IT professionals need to identify which apps might present security risks. At that point, it may be necessary to perform a cost-benefit analysis. Does the productivity gain offered by a particular app exceed security risks?
As a general rule, business apps that connect workers to centralized business intelligence software can be big gains since they enable managers to gain increased oversight over worker activities. That’s one of the primary reasons we built our mobile sales apps to sync data with Salesforce.com.
Step 7: Establish Protocol for Wiping Data
So what happens when a BYOD device breaks? What ‘s your policy if a device is lost or stolen? These are concerns that IT needs to prepare for when rolling out a BYOD policy. Mobile device management (MDM) software can enable devices to be wiped remotely, which is an important feature for BYOD. Employees should be required to sign on to a policy that requires them to report lost or stolen devices and agree to have those devices wiped remotely.
Some companies also have a policy of wiping a device clean when an employee leaves. While this option might offer the greatest security, it’s hardly the most employee-friendly policy.
With iOS 7, employers can manage apps selectively on employee-owned devices. This enables companies to be more surgical with what data is wiped. Specific “managed” apps can be wiped from iOS devices and then companies can reclaim their license. Also, according to an article by CIO’s Jonathan Hassel, “you should have a clear methodology for backing up the user’s personal photos and personally-purchased applications prior to this ‘exit wipe’.”
It’s important to note that there is no one-size-fits-all BYOD policy. Factors like a business’ size, culture and data sensitivity are bound to impact how your IT department accounts for consumerization. BYOD is only growing more prevalent. But with careful planning, your business can gain the advantages of BYOD while simultaneously mitigating security concerns.