– Alon Israely, Esq., CISSP, and Co-Founder of Business Intelligence Associates (BIA), says:
BYOD is a much-discussed topic at many IT organizations, specifically among IT executives, thanks to the growing number of employee requests to use personal devices at work for greater employee convenience. From an IT perspective, BYOD, which stands for “Bring Your Own Device,” mostly concerns user behavior. It involves organizations offering their employees a way to use the types of devices (handhelds, tablets, laptops) that they prefer, taking user convenience rather than IT efficiency as the primary concern.
Several information technology analysts have cited user metrics that validate the notion that BYOD as a phenomenon is not only here to stay but is on the rise. Over 30% of employees are effectively implementing their own version of BYOD, which can cause many technical efficiency and security issues since the practice isn’t managed centrally by IT.
Surveys also show that some 90% of employees at large organizations are currently bringing and using personal devices at work regardless of employer policies on the practice. In some cases, employers try to avoid a de facto BYOD situation by giving employees a company mobile device to use. The result is that employees carry two devices: one for work and the other for personal use. This leads to lower productivity as well as security risks from having foreign (non-corporate-sanctioned) devices within the workplace and possibly connected to corporate IT resources like networks or personal computers.
Organizations need to manage this growing trend of rogue devices and lower productivity among users, and the best way to do that seems to be adopting a coherent BYOD policy. But the notion of complicating IT operations in the name of user convenience is a major departure from the IT culture that dominated organizations just a few years ago.
IT organizations used to be primarily concerned with ensuring low cost of maintenance, IT efficiency and security. Now, the primary consideration is user convenience. IT organizations may not welcome the shift, but regardless, IT efficiency elements and security are still IT’s responsibility in the age of BYOD.
Solution providers are quickly lining up to prove their acumen in adding BYOD capabilities to their equipment and software to help maintain IT efficiencies. But unfortunately, that same focus on creating efficiencies is not seen on the security side. Of course, many vendors and providers are discussing the importance of security and even offering solutions for implementing a secure BYOD plan, but currently, they are wholly lacking.
What this means for IT organizations is that they must still rely on their own diligence and planning to successfully implement security solutions. They must assume that a secure BYOD implementation will require a separate and intelligent security plan. That plan is usually best designed as an extension of the organization’s current IT security plan, but with nuances that relate to the benefits and detriments of BYOD.
For example, authentication may need to be beefed up to two-factor or more. This may limit the types of devices that can be used as part of the BYOD policy. IT organizations may also have to ensure that certain applications or “cracks” are not installed or implemented by users on their devices, even though those applications or “cracks” may be needed for personal convenience.
In addition, certain features to ensure a secure BYOD plan should be implemented from the beginning, such as remote wipe for situations where user devices are lost or stolen or for when individuals leave the company. Also, the IT services offered or supported via the BYOD plan should be well vetted from a security standpoint, including email, social networking access and VPN.
Ultimately, BYOD is real and growing quickly. Employees are demanding the benefits that BYOD policies bring while IT organizations are struggling to wrap their heads and hands around how to plan and implement BYOD policies. Organizations need to think about the best ways to implement BYOD plans so that the right balance is struck between user convenience and security.
With the rise of cybercrime and cyber-warfare, security is more important than ever, and with the increase in personal devices on the corporate network, IT must be ever more vigilant when bringing new policies such as BYOD into the fold. Though BYOD has many benefits for users, and it definitely increases productivity, it should not be ignored by IT but rather be subject to thoughtful planning, with risks identified early based on the organization’s business strategy. Sometimes a limited BYOD policy is better than none – but security is the key to making it work.
About the Author
Alon Israely, Esq., CISSP is a Co-Founder of Business Intelligence Associates (BIA), and for over ten years, has worked closely with IT departments, Corporate Security, Legal, Risk and HR departments to address the legal aspects of Big Data including management, identification, gathering and handling. He has helped create commercial methods for secure and defensible data handling as well as tools and software for ESI identification and data gathering. Alon Israely has a background in IT and a license to practice law.