Running a successful Bring Your Own Device (BYOD) scheme
IT security departments have recently been doing pretty good impressions of King Canute trying to hold back the waves of personal devices that are being brought into office environments. Whether you have an official Bring Your Own Device (BYOD) initiative or not, employees are bringing their iPads, iPhones, Android devices and even laptops to work and using them on your wireless networks. This creates a conflict between an employee’s desire to have a single device for both business and unrestricted personal use and the IT department’s need to manage these devices in a secure way.
This surge in consumer mobile device usage is no better illustrated than in the relative fortunes of Apple and Research in Motion (RIMM), the makers of the previously ubiquitous BlackBerry handheld business devices. Whilst the share price of Apple (AAPL) has increased by over 100% in the last 2 years, RIM’s has decreased by over 50%.
From an employee perspective this is good news as they are no longer forced to use the device that their employer chooses. In fact it appears that companies in the US and Europe are rushing to adopt a BYOD scheme of some sort. Cisco surveyed 600 IT and business leaders and found 95 percent of respondents are allowing employee-owned devices in the workplace. A similar survey from BT found that 82 percent of companies across 11 countries allow their employees to bring their own devices to work, or will do so within the next two years. Lastly, Aruba questioned almost 800 IT and networking professionals across the EMEA region and found that 69 percent of organisations allow some form of BYOD. Interestingly, however, the Aruba survey also found that just 22 percent have more than a quarter of their employees currently bringing their own devices, indicating that although there is widespread acceptance of the schemes, not all employees are currently taking advantage of them. This suggests that there is still a long way to go before the potential of BYOD is fully realised and, potentially more worryingly, that the security issues that BYOD schemes cause may be yet to manifest themselves.
So why are companies so keen to adopt these schemes? What exactly are the benefits?
Let’s start with the benefits for the employer. The most significant of these is that a well-run BYOD scheme shifts costs to the user, with the employee paying for most of the costs of the hardware, software, voice or data services, and other associated expenses. This saves the company significant amounts of money; for example, Cisco estimates a company can save between $300 and $1,300 annually per employee, depending on the employee’s job role. More interesting, perhaps, is that most employees appear prepared to accept these costs. The Good Technology State of BYOD Report found that, “50 percent of companies with BYOD models are requiring employees to cover all costs — and they are happy to do so.”
So what is it that the employee gets out of this new relationship with the IT department? Essentially it is simply that they get to use the devices they prefer and are consequently happier because of it. A knock-on effect of this is that, as these devices tend to be more cutting edge than the typical company-supplied laptop or phone, the organisation gets the benefit of the latest features and capabilities. Employees with their own devices will also tend to upgrade to the latest hardware more frequently than the generally slow upgrade rates of most companies. Lastly, as the employees own their devices they are more likely to look after them, meaning fewer broken or lost devices and consequently less lost productivity.
Running a BYOD Scheme
If you were thinking that this all sounds too good to be true then you would be right, at least from a business perspective. A BYOD program introduces critical risks and questions that need to be addressed for the employer. These can be categorised into the three following areas:
1/ Safeguard Enterprise Data
Companies that fall under compliance mandates such as PCI DSS, HIPAA, or GLBA have requirements related to information security and safeguarding specific data, and these rules must still be followed if the data is on a device owned by an employee. Even if you do not have these mandates you will have your own ideas as to what is appropriate use of your devices on your corporate network. The question for you will be: how do you enforce appropriate use policies on a personal device? In some cases you may find that it is appropriate to exclude systems and personnel from your BYOD scheme because of the compliance issues.
There are also issues when personal devices are lost or stolen. How do you effectively wipe confidential corporate data from a personal device in these circumstances?
Lastly when an employee leaves the company (for whatever reason) removing company data can be a problem.
2/ Device Management and Support
Companies often struggle with Asset Management of their own devices and therefore effectively tracking and managing “allowed” personal devices adds another dimension to this management issue. Even when this is managed successfully the issue of what is installed on these devices and whether they are up to date in terms of critical security patches (especially for laptops) is crucial to the security of your corporate networks.
From a support point of view there are 2 major issues you will need to think about: firstly, what level of support does your IT department offer across the increasing number and types of new devices, and secondly, how does your department differentiate allowed BYOD devices from rogue devices?
3/ Mobile Application Management
The last major question is how to securely distribute corporate mobile applications to personal devices? For some companies this is not currently an issue but as mobile devices become more ubiquitous your own applications will be more and more likely to be available as mobile apps.
Four Steps to a Successful BYOD Scheme
Step 1 – Define the scope of the scheme
The first thing to do is to define exactly what you want the scheme to consist of. To do this you will need to answer the following questions:
- How widespread will your scheme be? All of the company or just a sub-set?
- Will the scheme simply allow employees’ current devices onto your network or aim to replace the current corporate devices with employee-owned hardware and software?
- What devices will be included in the policy? Laptops and/or Mobile Devices?
- Will you create a mandated list of devices that your employees can choose from (so that you can be confident that appropriate business software is available for them) or will you allow a free-for-all?
- For any new devices such as laptops will you be contributing towards the purchase cost?
  - If so how much and how long will this money be expected to last for?
  - What happens if an employee leaves? For example if the contribution is £800 and they leave one month later will they be expected to reimburse part or all of the cost?
- Will the employee’s devices be allowed on your corporate network?
  - If so will it be using a restricted wireless network or given full access?
  - Under what circumstances will you allow them access? For instance will they have to install specified security software first?
- What are the security policies that you must adhere to? E.g. PCI DSS, HIPAA, or GLBA
- What IT support will you offer for these devices? For example will you charge a monthly support fee to these users?
- Lastly what will happen when an employee leaves?
  - Will you wipe their device?
Step 2 – Define a Policy
Once you have decided what you want to offer you will need to define a company-issued acceptable use policy, remembering that you are effectively telling an employee what is, or is not, an “acceptable use” of their own laptop or Smartphone. Having said that, this is an essential step and you must clearly define a policy for BYOD that outlines the rules of engagement and states up front what the expectations are. You should also define a minimum security policy and mandate a company-sanctioned security tool as a condition for allowing personal devices to connect to company data and network resources.
From a laptop perspective the risks are bigger than with tablets and mobiles and you will need to ensure that your security policy includes anti-virus, anti-spyware and firewall software either supplied by you or verified by your security product.
In the event that a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem. Obviously, the company will want its data, and there should be a policy in place that governs how that data will be retrieved from the personal laptop and/or Smartphone.
Lastly you will need to think about your general security policies and the sanctions that are taken for breaches. For example if a non-authorised device is attached to your wireless network (which you should start to monitor) what is the action that is taken?
IBM has its own BYOD scheme. In this plan they have issued a series of “secure computing guidelines” to employees in an effort to raise awareness of online security and the sensitive nature of corporate data. So far, about 120,000 users are accessing IBM’s network through mobile devices, and of that total, 80,000 are supplying the device and paying the monthly service fees. The remaining 40,000 are using smartphones issued by IBM. Employees who want to use their own devices have to agree to IBM’s policies, which notably include a clause that their device be wiped once they leave the company.
Step 3 – Ensure you have the products to meet the policy
There are several security products available; however, you will need one that has the breadth of coverage to manage all types of devices from laptops and smartphones to tablets. From an asset management perspective it would be advisable to use the same tool to manage your existing desktops and servers so that you can differentiate employee-owned devices from company assets in a single report.
Without wanting this blog to sound too much like an advert, a product that meets all the requirements is IBM® Endpoint Manager for Mobile Devices (MDM). This product provides a completely integrated approach coupled with real-time visibility and control over all devices employees use in their daily functions. This can provide security policies (including selective device wipe) and compliance checks on all your devices and also supply the core protection needed on laptops. Additionally as it works from a single console you will get a consolidated inventory of employee and corporate-owned devices.
The product splits into modules so that, depending on the gaps in your current solution, you can purchase only the modules that you need:
- Mobile Device Management – Detect security threats, such as rooted or jailbroken devices, and automatically take countermeasures. Automatically identify non-compliant devices and selectively wipe only corporate data such as calendar, email, contacts and enterprise-managed applications when a device is lost or stolen.
- Core Protection – Protect physical and virtual endpoints from damage caused by viruses, Trojan horses, worms, spyware, rootkits, web threats and their new variants.
- Data Loss Prevention – Create and apply device control policies to regulate access to external storage devices and network resources connected to computers to help prevent data loss which, combined with file scanning, helps guard against security risks.
- Patch Management – Detect and deploy patches to avoid known vulnerabilities of un-patched systems which are targets for viruses and malicious code.
It is also worth noting that IBM’s own BYOD scheme as mentioned earlier is enforced with Tivoli Endpoint Manager.
Step 4 – Advertise the Scheme
Lastly you will need to advertise the scheme making clear who is eligible and what will be expected of them in return. Usually this can be performed by sending out an email and creating an internal Wiki page with access to the security, device and finance policies so that the employee can decide with full knowledge what they are signed up for.
So what is the next step?
If you’re not already taking advantage of the BYOD trend, you should definitely consider it, as your employees may already be bringing their devices to work whether they are authorised or not. IBM CIO Jeanette Horan had exactly this issue. She said that more iPhones and other devices began cropping up in the workforce, and IBM decided it was time to get in front of the issue. “If we didn’t support them, we figured they would figure out how to support [the devices] themselves,” a no-no given the amount and nature of corporate information potentially at risk.
Unlike a lot of IT initiatives, a “Bring Your Own Device” project should have a quick Return on Investment (ROI). As Cisco pointed out, you can actually save money by running a well-run scheme.
Risk Free Mobile Device Management
Orb Data has a Mobile Device Management as a Service solution. This provides customers with a 2 to 3 month plan to have Mobile Device Management provided as a service on selected hardware. This can either be provided completely in the cloud using IBM’s SmartCloud or using your own hardware. This has the following advantages:
- You get help from Orb Data’s experts in setting up your BYOD initiative.
- There is no upfront cost – simply a monthly payment based on the number of devices you have.
- Over the course of the trial you can decide whether the BYOD scheme is something you want to pursue.
- At the end of the trial period you can buy the software, carry on with the monthly payments or simply end the agreement, the choice is yours.
If you are interested in running your BYOD scheme or want to discuss anything in this blog then give me a call at Orb Data on +44 (0) 1628 550450 or email me at firstname.lastname@example.org . You can also follow me on Twitter at @sibarnes2000 and @OrbData.