What about BYOD?
Your efforts to embrace a mobile workforce must include an effective strategy for handling the BYOD scenario. The BYOD scenario includes more than making your company “mobile ready;” it encompasses all the challenges and opportunities as well as the security risks of variations on the scenario. These variations will be explored in this chapter. Before you delve into the specific challenges involved with BYOD, think about why BYOD has become a “buzzword” and why companies should proceed cautiously when adopting BYOD.
A November 2013 study by Gartner suggested that 20 percent of enterprise BYOD programs will fail before 2016. The study indicates programs will fail because of mobile device management measures that are too restrictive. This study shows that companies are moving towards the adoption of BYOD, but they are restricting access and thereby not necessarily realizing BYOD’s full potential. Managing security is often a delicate balance. If your security policies aren’t strict enough, you’ll put corporate resources at risk. If your security policies are too strict, you might create an environment that becomes a tremendous challenge for the IT department to support, thereby adversely impacting your ROI. If your BYOD security produces a higher volume of help-desk calls from frustrated users, or, worse yet, if users are unable to perform their work, you might find that your organization needs to roll back to previous technology. As a result, BYOD becomes an enemy of the company. For this reason, you must ensure that your organization defines an effective BYOD strategy before BYOD is implemented or deployed.
In October 2014, a CheckPoint survey of 700 IT professionals showed mobile security incidents caused by BYOD had cost each organization more than $250,000 US to remediate 4.
These costs are likely to increase as more organizations adopt BYOD as part of their enterprise mobility strategy—underscoring the importance of understanding the challenges of adopting BYOD.
Understanding the challenges of BYOD
Before you can understand the challenges introduced by BYOD, you must first understand your own business requirements, constraints, regulatory compliance needs, and users’ needs and goals. Unfortunately, this planning phase is often completely overlooked and gaps are found when the next phase—designing the solution—is underway. The best way to mitigate risk is to be aware of how your own company operates. The assumption here is that your company already has a security policy in place. What if that security strategy does not address the security challenges that BYOD introduces to the environment? The same rationale can be applied to your current management infrastructure. What if the existing management platform does not allow users to bring their own devices or does not provide access to company resources?
The industry that your company works in also plays an important role in how BYOD should be adopted. With BYOD, the device contains both the user’s personal data and the company-owned data. This results in unique challenges for each industry. For instance, in a school environment, BYOD can be very helpful in improving user productivity; however, the challenges can be unique, as you will see in this section of the book.
There are privacy elements that must be considered for both the individual and the corporation. For this reason, it is very important to involve your legal department when planning the BYOD adoption. Employees must be aware that when they enroll in the BYOD program, the devices that they use might be subject to discovery in litigation. The personal devices they use at work could be examined not only by the employer but by the other party in a lawsuit. Of course, this will vary according to country/region and state laws. As shown in Figure 1-3, the Human Resources (HR), legal, and IT departments should be used as input when you’re creating an Enterprise Mobility Strategy.
FIGURE 1-3 HR, Legal, and IT must review the enterprise mobility strategy
Awareness is an important aspect of BYOD. Employees need to be made aware of any legal risks involved in using their own devices for work-related tasks. For example, when employees travel internationally, their devices might be subject to search or seizure by border control agents. This affects not only the employee and his device but the company as well. Part of your self-assessment for BYOD adoption is making sure that the Legal and HR departments understand these scenarios. In this case, Legal should advise HR of the fact that an employee might forfeit certain rights to her personal device when using it for work. HR should also look for issues related to:
- Off-the-clock work for hourly employees and any potential compensation claims
- Local tax considerations
- Ownership of the telephone number (for a BYOD phone)
The responsibility for the loss of data on an employee-owned device can be proactively managed via policy. However, in a BYOD scenario it becomes more of a challenge. Deleting an employee’s data from a personal device could have legal implications, so your organization should build a solid BYOD policy to protect itself. You should also be aware that some employees share their own devices with family members, and the shared use of employee-owned devices is one of the most pressing BYOD issues. This issue is very difficult to mitigate with policy. An employee sharing a BYOD device with his spouse invites the potential for serious issues, such as corporate data loss or security breaches.
Another BYOD scenario that must be addressed in partnership with HR and Legal is the situation whereby employees sell or recycle their own devices after those devices have been used to access company data. A common policy and technology strategy is to enable remote wiping of the device’s data and require it as a condition of program participation.
The synergy among the HR, Legal and IT departments will help the company to better embrace enterprise mobility and address the challenges introduced by the BYOD scenario. In summary, the role of each department in this process is as follows:
- HR is responsible for developing policies for BYOD usage, selecting the people involved in setting those policies, as well as driving the training and compliance related to policies.
- Legal is responsible for identifying the information that can be accessed by specific individuals or groups and has input into policy development.
- IT implements the policies as directed by the HR and Legal departments, choosing the tools and technologies used to deliver the services, access resources, and protect data.
Understanding the Microsoft Device Strategy Framework
Figure 1-3 introduces the concept of two types of devices: company-owned devices and user-owned devices. However, there are variations in both ownership and management of the devices that make it necessary to expand the BYOD scenario to include the four core scenarios shown in Figure 1-4. These scenarios comprise the Microsoft Device Strategy Framework.
FIGURE 1-4 The Microsoft Device Strategy Framework
The scenarios shown in Figure 1-4 can be summarized as follows:
- On your own: In this model, employees provide their own devices. There are no security policies in place, no organizational management of the device, and any device is acceptable. This is a very open approach, but it presents the highest security risk.
- Bring your own device: This model includes two distinct variations on policy management:
  - Bring your own unmanaged device: In this model, employees provide their own devices, but as part of the company policy, the company does not manage those devices. The employees are responsible for implementing and managing company policies on their devices. This is a flexible policy but it presents security risks; some businesses might not have the resources to manage these risks.
  - Bring your own managed device: This is the most traditional format for BYOD. In this model, employees provide their own devices and the company enforces its policy to allow the devices to access company data. The device is fully managed by the company.
- Choose your own device (also called CYOD): In this model, the company provides a mobile device to employees so those employees can perform their jobs remotely. The company often allows employees to choose from a list of approved devices that are fully compatible with the company’s apps and management infrastructure.
- Here’s your own device: In this model, the company has one device approved for the company’s mobile platform and this device is provided to employees.
The landscape for enterprise mobility extends well beyond BYOD; you cannot assume enterprise mobility means BYOD only. There are many more elements that must be covered to completely embrace mobility and enable a mobile workforce. Each scenario has advantages and disadvantages that vary according to company requirements and goals.