Bring Your Own Device: Positives and Negatives
I’ve been reading some posts recently from Jeff Jones, the Director of the Trustworthy Computing side of Microsoft and a 25-year security industry professional. The focus of his concern is the BYOD craze. It has company check-writers happy because they don’t have to pay for all the latest phones and tablets people want in the enterprise, and it makes employees happy because they get to bring the device they personally love to use into work and don’t have to carry two devices (a work and a home mobile/tablet). But both sides may be missing the negative aspects of BYOD.
The end-user: positive and negative
The positive side to BYOD has end-users thrilled that they can choose the platform they prefer. Perhaps they hate the idea of being forced to work on a device other than what they are religiously convinced is the “best” (for example iPhone lovers may hate the idea of having to use a Windows Phone simply because IT has decided to go with a single OS solution across all mobile devices). Attitude will affect productivity of your users. A happy worker usually means a more productive worker. However, that joy may fade when the end-user realizes they have to deal with the cost of the device they are using whereas in the past the phone or laptop (and now tablet) would be paid for by the company. In some cases the employee may get some kind of subsidy or allowance to help defray the costs of the needed phone plans and such. But in many cases, according to the research Jones has done, companies aren’t paying a dime. Some have the viewpoint that the joy of being able to use your own device should be reward enough.
The money side gets worse when you consider overage charges that may come from using your personal devices for work purposes. Who pays for that? And if your work device is also your home/play device, how do you determine when work ends?
I remember my first company-issued laptop. It was 1 am and I was in bed working. I’m thinking “this laptop is awesome… I’m working in bed!!!” and then I paused and thought “oh my… those sneaky thieves… I’m working in bed!!!” Yes, the original joy for companies providing devices is to make sure you can stay connected (and working) even when away from the office. Whether paid salary or hourly, what you do on your time for the company becomes a gift, really, and having the devices to do it makes you feel more indebted to work while away. But now you’re working on your own devices, paying for the overage charges, and have no way to separate work from personal device time.
The organization: positive and negative
Sure, the money spent on devices is no longer your concern. But depending on your organizational focus, you may not be capable of truly being compliant. Finance, healthcare, and government industries – to name a few – are locked into all sorts of compliance mandates (HIPAA, SOX and others) that provide specific guidelines for data protection and discovery. So BYOD may not even be a possibility for your organization. There are other industries that are on the line. They may also have compliance requirements but have enough flexibility to allow for BYOD if, and only if, IT can truly lock down the personal device.
Just because industries have strict compliance requirements to worry about doesn’t make them ineligible for BYOD. An example is found in a BYOD toolkit provided on whitehouse.gov for agencies contemplating implementation of a BYOD program. There are methods of implementing BYOD while maintaining compliance. Virtualization is one good example. A person may bring in their iPad, but to access the company network they have to remotely access another virtualized system that is locked down. The use of a “walled garden” is another example: data is secured by keeping it within a secure application, separate from personal data. These are just a couple of the examples mentioned on the government’s site for BYOD.
But there is much to consider, especially from an IT perspective. What does it take to control multiple device types within your network? Is your IT prepared to dispense policies to BlackBerrys, iPhones, Windows Phones and Android devices simultaneously? These are policies that relate to PIN length and history, or to lockout if incorrect passwords are used. Depending on the device type and OS version, can you even utilize certain reactive methods like a remote device wipe if the device is lost or stolen? These are all concerns that now have to weigh on the minds of your IT staff. What if a user leaves the company? Their device obviously goes with them. Does your company data go with it too? With modern connectivity it is nearly impossible to prevent some of this. People can email company data to their private accounts or, in many cases, use a USB key to move data over, so whatever lock-down procedures you have in place are levees at best. They only go so high. But in industries that require higher levels of compliance you have to show, to a reasonable and legal degree, that you did what you could to prevent a data breach.
Note: One cool tool to quickly see what OS and version you have within your environment is ENow’s Mailscape. It’s great to be able to quickly see what your users are using at a glance.
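The questions above (PIN length and history, lockout, whether a given device type and OS version can be wiped remotely, and what happens when a user leaves) can be turned into a posture check over a device inventory. The sketch below is an added example, not from the original article or any product it mentions; the baseline thresholds, the `Device` fields and the inventory rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative baseline (assumed values, not from the article or any standard).
BASELINE = {"min_pin_length": 6, "pin_history": 5, "max_failed_attempts": 10}

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str            # placeholder strings in the sample data
    pin_length: int            # 0 = no PIN configured
    pin_history: int           # previous PINs the device refuses to reuse
    max_failed_attempts: int   # 0 = no lockout after bad PIN entries
    remote_wipe: bool          # can this platform/OS build honor a wipe?
    owner_active: bool = True  # False once the employee has left

def findings(d: Device) -> list[str]:
    """Return the baseline controls this device fails."""
    checks = {
        "pin_length": d.pin_length >= BASELINE["min_pin_length"],
        "pin_history": d.pin_history >= BASELINE["pin_history"],
        "lockout": 0 < d.max_failed_attempts <= BASELINE["max_failed_attempts"],
        "remote_wipe": d.remote_wipe,
    }
    return [name for name, ok in checks.items() if not ok]

def decide(d: Device) -> str:
    """Map device posture to an access decision for company data."""
    if not d.owner_active:
        return "revoke"        # leaver: cut sync and remove company data
    failed = findings(d)
    if not failed:
        return "allow"
    # No PIN, or no way to wipe a lost device: keep company data off it.
    if d.pin_length == 0 or "remote_wipe" in failed:
        return "block"
    return "quarantine"        # fixable by pushing policy; limit access meanwhile

# Constructed inventory for illustration; OS versions are placeholders.
INVENTORY = [
    Device("alice", "iOS", "x.1", 6, 5, 10, True),
    Device("bob", "Android", "y.2", 4, 0, 0, True),
    Device("carol", "BlackBerry", "z.3", 8, 5, 5, False),
    Device("dave", "Windows Phone", "w.4", 6, 5, 10, True, owner_active=False),
]

def report(inventory):
    """Per owner: (platform, access decision, failed controls)."""
    return {d.owner: (d.platform, decide(d), findings(d)) for d in inventory}
```

A device that cannot be wiped is blocked outright here rather than quarantined, because pushing a stricter PIN policy does nothing for a lost phone that will not honor the wipe command.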
The truth of the matter is that 80+% of enterprises support BYOD so there isn’t much to debate in terms of whether it is a good idea or not. It’s just a matter of how it will be implemented and what tools are in place to help facilitate the BYOD end-user’s side while remaining legally compliant and secure on the organizational side. Oftentimes that challenge is left to IT. So if you have BYOD in your environment, don’t forget to thank your IT team for making it possible.