5 more post-holiday BYOD strategies and considerations

Now that the holidays have come and gone, it's time to focus on mitigating the problems associated with employees returning to work with a bevy of new devices

Just before the Christmas holiday, CSO offered five strategies to help mitigate post-holiday BYOD problems. Now that employees are returning to work, shiny new devices in hand, here's some additional insight.

[5 fixes to help CSOs stay ahead of risks]

For this recap, CSO once again spoke with Jonathan Dale, the Director of Marketing at Fiberlink, a mobile management and security firm recently acquired by IBM. The questions this time around centered on the aftermath of the post-holiday mobile boom, and what IT can do to keep things both secure and easily managed.

Education (it never ends):

As mentioned previously, education is important. Make sure that employees have some kind of a reminder when it comes to corporate policies governing personally owned mobile devices. If there's some type of mobile management solution in place, make sure employees know how to enroll.

Another tip that's good the second time around focuses on proactive education. Remind employees of the steps needed to enable Wi-Fi on their new devices in the office, including the steps needed for iOS and Android. Dont forget to touch basics such as SSID and automatic connections.


Another topic that was covered previously, which still applies, is privacy. Make sure employees know what parts of the device the company has access to, and what can be done with that access.

"Privacy is a major part of a successful BYOD program. There are several options so, know what abilities you as IT have and figure out what works best for your company culture or CEO," Dale said at the time.

Another side to that topic comes from a CSO reader, who commented that their organization has little BYOD enrollment. This is due to the clearly stated fact that on the corporate network, there is no expectation of privacy. In fact, outside of a small user base, their BYOD program is dead.

"Our BYOD policy clearly states there is no expectation of privacy when connected to the corporate network and using corporate systems. Pretty much stops most BYOD adoption dead in it's tracks. The rest that enroll get frustrated with the limited access our BYOD program provides so they opt out after a couple months," the comment explains.

[Mobile device management companies get more app control on iOS 7]

Existing MDM considerations:

Assuming that an MDM solution has already been deployed within the organization, there are a few key considerations that need to be taken into account, including working with, and not against the user.

"How does IT achieve this? They ensure that they have not only prepared and allowed for the new shiny gadgets, they've shown users that they're on their side and are enabling them to the fullest extent," Dale said.

[Five things to consider for a mobie security policy]

If a mobility management solution exists, then dealing with new devices will mainly be a matter of ensuring that policies assigned to each user or group are right for their specific access level and behavior.

Needlessly restrictive policies don't help anyone, and no one wants to be "the one blocking Netflix or YouTube on an employee owned device," Dale added. On the other hand, checking to ensure the device is using encryption and isn't jailbroken is generally acceptable.

"It's also recommended that you ensure your users know where to get apps that the company supports and recommends. This is done through your EMM supplied app catalog. Users love that they do not have to go searching for company supported apps or worse, have to pay for apps that most coworkers use. If you are taking advantage of Apple's VPP, that makes the deal even sweeter," Dale explained.

Finally, make sure that users are able to access their corporate assets, such as SharePoint and network drives, securely. This can be done inside most mobility management programs.

"Let's face it; most users go through a progression. It happens immediately for some users and slower for others. Everyone wants mail. Then apps. Then more access to their own documents and content. By proactively giving employees access to these features, they get what they want and IT gets to guide them," Dale said.

Considerations for organizations without an MDM solution:

So while there is plenty to be done if the organization has an MDM solution, what about organizations that don't have one? According to Dale, this won't pose a problem until something keeps the users from getting what they want, or getting what they want within a reasonable timeframe.

"If the company allows mobile devices but does little to manage or enable them, users win in the short term and IT loses all around. It's likely that your users are employing several different ways to gain access to what they need (apps and company data) and are not waiting on you for a solution," Dale said.

[Five myths about mobile security and their realities]

That means the company's data is likely on several private cloud sharing applications, and there is no way for the company to account for them. Passing audits in the retail, financial, and healthcare sectors would be a nightmare at this point.

"Most companies move away from relying on just native ActiveSync controls when manually on-boarding devices gets to be a headache, app enablement becomes necessary, and compliance issues start to occur," Dale added.

[Is mobile anti-virus even necessary?]

Are there any pre-loaded apps that could pose a risk to the organization, which should be monitored?

"Most apps are pretty safe, especially preloaded apps. If users are downloading apps strictly from their respective app stores, the potential for a dangerous or malicious app is greatly reduced, but not 100 percent eliminated," Dale said.

"IT should keep an eye out for and educate users about apps that chew up large amounts of data. A 5GB plan can be eaten up very quickly while streaming HD movies over 4G. Since many devices are often shared by other members of the family, including children, a close eye needs to be used. No one wants to see overage charges, but they can be a major concern."

Budget constraints (Is it free?):

MDM offerings can be costly, and budgets are tight. No matter how affordable some vendors make their products, some organizations simply cannot swing the expense. When that happens, the business chooses to accept the security risks and problems that can arise due to BYOD initiatives. We asked Dale about this situation, and he noted that it really isn't an option to enable mobility without a proper mobility management platform.

"Several companies we know could not leverage tablets for their sales team or enable BYOD without a solution. Its no longer about [enterprise mobility management] cost per device. It is simply necessary to enable mobility," Dale said.

With that said, there are free alternatives on the market. One such alternative is Spiceworks.

Spiceworks will enable basic MDM, such as monitoring, reporting, and security including monitoring app installation, checking for jailbroken devices, and passcode enforcement. It's also a general IT application that includes other services such as helpdesk and network management.

The catch however, is that it is vendor supported, and some functionality is only available if discounted licenses are purchased. MDM restrictions include remote wipe, group policy management and enforcement, and mobile app distribution. So it's free, but not completely free.

Another alternative, which is actually rather comprehensive, is Cisco's Meraki. Cisco's cloud-based management platform works with iOS, OS X, Windows, and Android, and offers a wide range of options, including security and granular management.

[How to create security awareness with incentives]

It's free, and Cisco does this because they hope the organization will enjoy it so much that "you'll consider other Cisco Meraki products when you're ready to upgrade your Wi-Fi, switching, or security appliance infrastructure."

But there's a catch. As it turns out, Meraki profiles can be removed from the device. In an FAQ, Cisco addresses this issue by offering the following advice:

"On iOS devices, due to Apple's restrictions, there's nothing that prevents a savvy user from doing this. Thus, we encourage administrators to provide incentive to the user to keep the profile on the device, for example by including the wireless network credentials in the MDM profile. Then, if the profile is removed, so is network access. Administrators can also configure email alerts to be sent in the event a profile is removed."

Free can be good for the budget, but when it comes to the influx of employee owned devices, and the fact that most employees choose to work from anywhere they happen to be located at any given moment, free could end up being rather problematic and costly in the long run.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)