Let’s be honest, BYOD (Bring Your Own Device) isn’t new. Since the first PDA devices hit the market, business executives have been snatching them up and bringing them into the workplace. They were looking for a better way to organize and track their calendars and contacts.
Since it was seen as a personal device (the ‘P’ in PDA), no one ever asked IT if it would work with the existing platforms. Nor did they ask the security group if corporate data would be secure on these new devices.
Fast forward and we still have the same desires and the same issues. We just have them in more abundance now. There is a wider diversity in the platforms, connectivity options, and availability.
The devices have hit a critical mass, and niche solutions have been developed to manage them. Up to this point most of the products were either unmanageable from a centralized service, or they could only be managed by a vendor-specific tool.
BYOD Security Solutions
Enter companies such as MaaS360, MobileIron and many others, which have introduced solutions to centrally manage the security of all these disparate devices. Now the person responsible for data security in an organization is starting to get the tools to enforce security measures such as requiring passwords on the personal devices that are brought into the corporate workspace.
The IT administrator can start to control what resources these devices can access as well as remotely lock down or wipe these devices if they are lost or stolen.
A Lack of Standards
But the security controls on the different platforms are not standardized. And this means that while encryption can be enforced on one platform, the options are totally absent on another.
One platform may be able to enforce complex passwords while another only offers the ability to use gestures or numeric keypad sequences to unlock the device. This means that the security profile for each device can be radically different.
There has been a tremendous amount of hype around Mobile Device Management solutions and BYOD. It is definitely a growing niche industry. But if you are in an industry that requires strict enforcement of security methods, you will probably be asked to standardize on a particular platform that the IT group can ensure is locked down according to corporate policies. These will probably become corporate issued devices rather than ‘Bring Your Own’.
One Device Containing Corporate Data & Personal Data
This is where the reality of BYOD starts hitting home. With the explosive growth in smartphones, nearly everyone is using them to store and play music, update Facebook, take photos and share them out via social media. Now inject sensitive corporate data onto that same device.
Some will take up the banner of “our employees should be free to use their devices in whatever manner they deem necessary.” This includes taking family photos during vacations or pulling up sales spreadsheets while at the kids’ soccer practice.
But what happens when that same employee who has the entire company client list on their device leaves it at the restaurant or airport? Who makes the call to remotely wipe the device? Will it be OK for the employee to lose their daughter’s second birthday photos?
Is it OK for the trade secrets and Intellectual Property of the company to be on the same device that young Johnny is using to update Instagram while at dinner?
The person that uses their device in a corporate environment should be aware that the device will now fall under the purview of the security requirements of the company. As such the user should be aware that remote factory resets of devices are possible and could cause the loss of personal data.
We have talked with business owners that do not allow BYOD for this very reason. They do not want the liability of possibly wiping someone’s personal data from a device. Others have issued corporate devices and banned users from bringing their own personal devices.
Most small companies do not have a formal BYOD policy. Each group will have different security requirements and should review their needs as an individual assessment.
Complete bans are very difficult and costly to enforce. But a balanced approach that is explained clearly to the employees with an understanding of the risks to the individual and the corporation should keep both the avid tech junkie and the IT Security Admin happy.
Understanding the risks of this flexibility can enable both people to be more productive and remain secure in today’s environment. Since the technology is rapidly evolving, I recommend that all of our clients assess their needs and review their current control methods annually.
Is BYOD Right For Your Business?
If you’re struggling to answer that question, please contact us today. We can help you define BYOD policies, procedures and security measures to protect your capital.