Tell device-hungry staff to BYO

By on
Tell device-hungry staff to BYO

Staff are happier and more productive using their own devices, but infosec managers must balance security with flexibility.

The last six months has taught us that the consumerisation of IT continues to be the greatest challenge for businesses and that solutions are emerging, but perhaps one policy-based initiative could be the answer.

Long before the problem of employees using personal devices for work became such a challenge, a policy of ‘bring your own device' (BYOD) to work had been adopted to reduce IT hardware costs and to enable remote staff to work on laptop devices.

In a recent survey at an SC Magazine conference on mobile device management, 60 per cent of delegates supported a BYOD policy, while 32 per cent were planning to do so.

So rather than blocking employee smartphones, tablets and laptops from an organisation altogether, could a BYOD policy be a solution? Graham Taylor, head of IT security Michael Page International, said he had adopted a BYOD policy and this was something to consider for the future.

“We had a few users who wanted to use a BlackBerry so we made a decision to only support BlackBerry for email and wrote a policy about corporate devices," Taylor said.

"We say that if people want to use their own devices then they have to comply with our policy and if they lose the device we wipe it. We are looking at solutions such as MobileIron's where you can wipe only corporate data, but with BlackBerry it is all or nothing.”

The decision to allow people to connect to the corportate network using their own devices was a recent policy grasped by IT services and solutions provider Dimension Data. Its security business manager Chris Jenkins said that it had recently changed its policy to allow people to bring in Apple devices as long as they adhere to the security policy.

“If they lose a device they have to allow the device to be remotely wiped and if they are not willing to accept that, then they cannot accept the standard. We have seen this driven from C-level down, people want to use their own laptops and bring them in and this is driving the security department to react to this to fit it around the policy. In the past it would have been a ‘no' but now security is on the backfoot.”

The BYOD policy is driven by the boardroom as much as anyone else, as they are the people with the most up-to-date devices.

“It is more of a demand to get email on them rather than a request. So, they are here already and here to stay,” said Guy Bunker, Jericho Forum board member.

Arguably the decision is different for every business, as the operations and data security needs are so different from sector to sector.

So it is BYOD a good or bad solution? Simon Ford, engineering director at NCP, said that he felt that BYOD was one way forward, but that Pandora's Box is opened on another side, as it is a nightmare for IT in terms of malware coming in.

Stuart Facey, EMEA general manager for Bomgar, a remote working solutions specialist, said that he believed that a BYOD policy is actually a ‘given' for IT departments, as they need to create a strategic policy on the IT support front.

“There are many compelling reasons for not shaking a fist at gravity and allowing BYOD. Firstly, employees are more productive using devices with which they're comfortable. Secondly, staff morale improves because they can use their gadget of choice and thirdly, procurement generally spends less resources to constantly re-equip employees with the latest technology because they're upgrading themselves.

“The ‘Generation Y' is also entering the workforce and their demands for answers are likely to be louder. Some organisations may bristle at BYOD, expressing valid concerns over manageability and security.

“However, organisations of all sizes can mitigate these threats. IT support organisations need to re-examine their current policies, IT management and support tools and asynchronous incident handling processes to become a more efficient, flexible and collaborative support team.”

Looking at the negatives of BYOD were Martin Kuppinger and Tim Cole of the analyst group KuppingerCole, who said that instead of trying to stop the trend toward BYOD, IT professionals should focus on securing information.

“People have been using private devices professionally for years, ever since laptops started to replace corporate desktops. As a rule, many enterprises neither sanction such devices, nor do they often even know which ones are currently used.

“But used they are, for everything from business emails to mobile access to corporate applications. The alternative of blocking everything or massively limiting access to remote desktop connections is the IT equivalent of mission impossible.”

However he did admit that there is a bright side, as adopting a good BYOD strategy can usually free IT from having to invest in costly standalone point solutions for device security that usually turn out to be dead-end streets. “Keeping information secure, no matter where or how users choose to gain access, is the true answer to the BYOD dilemma,” he said.

So the challenge is to implement a strong policy from the start and probably make it flexible enough that staff will not feel locked out by it. Dave Jevans, founder and chairman of IronKey, highlighted a case in December, where JPMorgan Chase in New York gave out iPads to their staff.

“If banks are choosing this then it ripples through the rest of the industry, as you often think of banks to be the last ones to pick something up," he said.

"Companies are interested in this as they are looking to save money and companies evaluated this two years ago, thinking that employees can bring their own computers. With modern devices they are now thinking that there is some value in the proposition in this.

“There are a lot of negatives in this but also a lot of positives, they can give access but have to kill it and no one has figured out how yet, as if you do not own the device it is a problem. There are a lot of positives, the Apple iPad does not store data so there is less chance of a data leakage problem but if you are using a device as an intelligent solution then there is some data leakage problems.”

So what about solutions? Facey said: “The first way is to develop clear procedures for securely connecting personal devices to the company network. The aim is to determine the level of support to provide for personal devices as well as what will happen if the employee leaves or a device is stolen or lost.

“It is also necessary to adopt support solutions that lets IT easily manage and support a variety of mobile platforms so they can use the same tools to support whatever type of device the employee brings in. Help desks that cannot adapt to staff bringing in their own tech risk dissatisfying and ultimately losing this important and influential group of employees and customers.”

Stephen Midgley, vice president of global marketing at Absolute Software, said: “The first step for any organisation is to develop a mobile device management policy that clearly articulates the expectation to privacy an employee will have if they use their own device to connect to the network.

“The next step is to implement technology that enables IT to sandbox corporate data on an employee-owned device. In the case of an employee leaving the organisation who has been using his/her own device to access the network, IT can reach out and delete all files that have been sandboxed.”

As with all IT policy, it is about what is right for the organisation within its sector, but if this is a viable problem-solver then it may be a potential light at the end of the tunnel and be responsible for a surge in secure gateway sales.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?