You’d think after all this time that organizations would have finally gotten BYOD programs pretty much down pat. Don’t bet on it.
A recent study by tyntec reveals that a vast majority of organizations still have inadequate bring-your-own-device (BYOD) policies. That’s not very encouraging, considering that 49 percent of workers now use a personal mobile device for work-related tasks and spend a great deal of time on personal devices for their job.
Further, the typical U.S. worker now expects to have nothing less than total access – anywhere, anytime, from any device – to their employer’s networks, finds another study from Dell and Intel. But despite all this demand on the user side, many organizations still wrestle with security, privacy and support issues around BYOD. That is holding many employers back when it comes to giving BYOD an enthusiastic ‘thumbs up’.
[ ALSO ON CSO: Is a remote-wipe policy a crude approach to BYOD security? ]
So what does it take to get BYOD right in 2015? CSO put that question to a few IT leaders, whose collective responses reflect the still wide divide on how BYOD is supported at the IT executive level, possibly depending on the industry in which they work.
An undeniable force
The higher education sector has embraced BYOD probably as much as any. No surprise here, really. College and university culture is all about openness – of ideas, of expression, and of access to resources. So it is only natural that today’s campus environment is awash with personal devices.
The University of Tennessee at Chattanooga is a prime example. According to Thomas Hoover, associate vice chancellor and CIO, and Susan Lazenby, manager of strategic planning and communication, BYOD has taken the campus by storm.
The two shared the school’s experiences with BYOD by stressing the impact it has had on the school’s IT organization, including staff and budget. But they confirmed that BYOD was a trend not to be denied, and the university had no choice but to adopt it. They also noted that a robust BYOD program is not just demanded by students, but also by faculty and employees.
To illustrate how rapidly BYOD caught on at UT, the two noted that five years ago the school’s network was supporting 809 devices. That number rose to 14,906 in 2014. This year it jumped to approximately 48,000.
It’s a similar tale hundreds of miles away at Worcester State University in Massachusetts.
“Like any other institute in higher education, Worcester State doesn’t have any choice but to support BYOD,” notes Anthony (Tony) Adade, CIO at the university. “The students come from diverse backgrounds. They come with all kinds of devices. For several years we’ve been seeing an influx of games on our campus – all kinds of games. Besides the normal devices that we have to deal with, we didn’t have any choice but to support them.”
Like at the University of Tennessee, wide-scale BYOD has been a fairly new phenomenon at Worcester State, but demand quickly made up for lost time.
“Initially it was limited. The network itself was at capacity and was not able to handle the devices coming on campus,” Adade explains. “We had to tell some students that they can’t bring devices on campus or if they did they were on their own. However, later on we realized it would be in our strategic interest to have a plan and to address the issue. Now we can safely accommodate almost every device. “
BYOD lessons learned
Colleges and universities aren’t the only organizations that have felt compelled to adopt BYOD programs, of course. Countless companies and nonprofits are also supporting programs, and have learned some important lessons in how to do it right.
“It is important to have technology in-house to support BYOD strategy,” notes Christine Vanderpool, CISO at Molson Coors, one of the nation’s leading brewers. “Companies should invest in tools like MDM, DLP and application monitoring (tools that inform the user of malicious applications on their devices). You need staff to support these tools. You need a strong set of policies, procedures and end user education.”
This last point is especially important – user education.
“It is good to focus on the ‘what’s in it for them’ in most cases,” Vanderpool stresses. “If you deploy MD or application controls, you have to explain how this is protecting them in their daily life and not just in their work life.”
“Give real life examples like how some malicious apps can take control/read all the user’s SMS text messages, see password information entered into a bank app, etc. People care most when they can understand it and can potentially impact their lives beyond just their job,” Vanderpool says.
Not everyone’s a believer
But many CIOs remain skeptics when it comes to supporting BYOD, fearing that the probable risks still outweigh the possible benefits. One of them is Jim Motes, vice president and CIO at Rockwell Automation.
“I'm not really a fan of BYOD phones,” Motes says. “I believe the privacy constraints will be at odds with protecting and controlling corporate intellectual property.”
“The smartphone is not just communication technology, it's a social lifeline, diary, and entertainment system,” Motes continues. “People have too much personal information stored on these systems and should be very careful about how much access they want to give their employers. Employers should avoid them completely to limit their liability should that personal information be breached and exposed.”
So how does an organization resolve these two competing forces: security and privacy concerns on one hand, versus user demand for convenience on the other?
Our sources offered the following combined tips on how to get BYOD right:
Have a thoughtful strategy
As noted, security remains a top concern for IT leaders when it comes to BYOD. It is therefore important to involve the IT security team in establishing a program from the outset. But the approach should be for the CSO to help find a solution, not reasons to not support it. The focus should be on how to best secure the data first and foremost, then the devices.
Take stock of the situation
Once you’ve set your strategy, begin with assessments of the network capacity and the security status. Issues to consider include how much vulnerability does the network have? Who is connecting to it? What devices and applications are they using?
Have a clear set of policies and expectations
You need a set policy of guidelines on what is allowed and what is not and to guide behavior of employees and users. Policies should be simple and easy to understand. Toward that end, have your employees help draft the policies to get their understanding and support up-front.
Some devices are a ‘go’ and some are a ‘no’
Third, identify the devices you wouldn’t be able to support. The program probably can’t be all things to all employees. Create an approved list of devices that IT will support, providing the employee has a valid business reason for using it. Purchase the devices at a reduced cost for employees, and put necessary safeguards on those devices. Let employees know up front to what degree you will support a particular device purchase.
Proper training is critical
Educate employees on how to connect their devices to the network and also the dos and don’ts of their usage. Lunchtime training sessions are a smart idea. Stress what it is that employees are agreeing to, including what happens if a device is lost or stolen – the wiping of the device. Most employees will say yes, and for those that don’t, they can’t participate in the program.
Finally, “BYOD risks and considerations will continue to grow and change just as rapidly as the technologies change,” stresses Vanderpool. “It is vital that all aspects of the BYOD model be continuously reviewed, updated, re-communicated and employees re-educated. The model deployed and the supporting guidelines, policies and procedures implemented to support it must be agile and allow the company to be able to quickly adapt or change them when necessary.”