Security chiefs reveal the issues behind bring-your-own-device policies...
Increasingly it is staff - and not the IT department - who are calling the shots when it comes to what technology they should use at work.
Nearly three quarters of the companies surveyed by security vendor Trend Micro said they allowed employees to use their personal devices at work - a trend known as the consumerisation of IT, or bring your own device (BYOD).
But allowing staff to use their own kit in the office brings with it some major complications for business - throwing up technical, legal and financial issues that need to be tackled.
silicon.com spoke to security chiefs at blue-chip firms to find out their tips on preparing the workplace for consumer devices.
1. Assume all devices are insecure
A major concern for businesses thinking about letting staff use their own personal devices at work is that these devices are insecure. For all IT managers know, that shiny new tablet could be riddled with spyware that will suck up corporate data.
Mark Brown, chief information security officer for brewer SABMiller, said businesses can tackle the unknown threats that might lurk on personal devices by treating all devices that connect to their IT infrastructure as a potential risk.
"You assume that all these devices are insecure and rather than saying, 'I'm not going to use them', you change the ways you provide these devices with access," he said.
Brown said there are a variety of ways companies can protect their corporate IT infrastructure against insecure devices. These include setting up network access control technology to authenticate users connecting to the network and to check whether devices connecting to the network have antivirus software and are patched against security vulnerabilities. He also recommended creating a sandboxed virtual desktop infrastructure that keeps corporate data and apps separate from the user's device, and using data loss prevention tools that protect data as it is moved between corporate systems and user devices.
2. Be prepared to lose control of your IT
The days of IT being able to control the nitty-gritty of security settings on every device are over once staff start bringing their own tech into the workplace.
IT staff no longer have guaranteed control over patching the latest security flaws and setting security policies that determine issues such as how long it takes for a device to lock itself when it is left unused.
This loss of corporate control means responsibilities have to be passed to the employees, and it is the company's job to help educate them.
SABMiller's Brown said: "There is no easy answer. It's all about user awareness. You have to engage with the user so that they understand their role and responsibilities."
The sheer range of different devices that employees can choose to bring into work can also cause a problem when it comes to providing helpdesk support.
"Helpdesk haven't got a clue if it's not a Wintel device. They have grown up for the past 20 to 25 years in Windows. The moment you give them something that's not Windows, they don't know what to do with it," said Brown.
And because helpdesk staff will need to be retrained, supporting the proliferation of different devices on the consumer market can quickly become expensive, said Cesare Garlati, senior director of consumerisation and mobile security at Trend Micro.
To keep helpdesk training costs down, Garlati suggested limiting the types of devices and the nature of the problems that can be supported by a business's in-house tech team.
3. Get staff to surrender control of their devices
If staff want to use their personal devices at work, they may have to be prepared to hand over some control of their device to the business.
John Whitehill, head of security and continuity at Standard Life, said staff had to be willing to give their employers power to do things such as remote-wipe their phone in situations where the device goes missing.
"I don't see any approach where the user doesn't have to be open to flexibility with their device," he said.
"We have an obligation to protect our data and you have an obligation to help us protect it."
Whitehill said the company was looking to apply standardised security policies to consumer devices that would mandate behaviour such as password-protecting devices.
"We are having to make sure that we retain a degree of assurance on what the device is being used for, so we have a security build standard for those devices," he said.
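The two ideas above, treating every personal device as untrusted and admitting it only after a posture check (item 1), and requiring it to meet a security build standard such as a passcode and remote-wipe enrolment (item 3), can be combined into a single access decision. The example below is added here and is not code from the article or from any of the companies quoted; the policy thresholds, the `DevicePosture` fields and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (assumptions, not any real company's settings)
MAX_PATCH_AGE_DAYS = 30      # patches older than this count as "unpatched"
MAX_AUTOLOCK_SECONDS = 300   # device must lock itself within 5 minutes idle


@dataclass
class DevicePosture:
    """What a NAC agent or MDM enrolment reports about one personal device."""
    device_id: str
    user_authenticated: bool   # did the owner authenticate to the network?
    antivirus_running: bool
    last_patched: date
    passcode_enabled: bool
    autolock_seconds: int
    remote_wipe_enrolled: bool  # has the owner granted remote-wipe rights?


def evaluate_access(p: DevicePosture, today: date) -> tuple[str, list[str]]:
    """Return (decision, findings). Decisions: 'deny', 'vdi_only', 'full'."""
    if not p.user_authenticated:
        return "deny", ["user not authenticated"]
    findings = []
    if not p.antivirus_running:
        findings.append("no antivirus")
    if (today - p.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not p.passcode_enabled:
        findings.append("no passcode")
    if p.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock too slow")
    if not p.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    # Build-standard failures the business cannot accept at all: no access.
    if not p.passcode_enabled or not p.remote_wipe_enrolled:
        return "deny", findings
    # Hygiene failures: allow only the sandboxed virtual desktop, so corporate
    # data never lands on the device itself.
    if findings:
        return "vdi_only", findings
    return "full", []


TODAY = date(2011, 10, 1)  # constructed reference date
SAMPLE_DEVICES = {        # constructed sample posture reports
    "tablet-ok": DevicePosture("tablet-ok", True, True, date(2011, 9, 20), True, 120, True),
    "laptop-stale": DevicePosture("laptop-stale", True, True, date(2011, 7, 1), True, 60, True),
    "phone-nopin": DevicePosture("phone-nopin", True, True, date(2011, 9, 28), False, 900, True),
}
```
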
4. Ask how it will impact the rest of the business
Consumerisation of IT blurs the boundaries between what is personal use of IT and what is business-related use of IT. For this reason, the implications of letting staff use their own kit at work need to be considered by more than just the IT department.
When deciding what approach the business should take to the consumerisation of IT, "HR and legal need to be involved and you need to engage with them early", according to SABMiller's Brown.
"You need to ask, 'How do we change our acceptable use policies, data use policies and data protection policies?'," he said.
The idea of who owns data on a personal device and how to avoid infringing personal privacy while still protecting corporate data is also being examined by Standard Life's Whitehill.
"There are a lot of issues about how an organisation could interrogate a personal device," said Whitehill.
"Say we need to interrogate a device for auditing. Clearly we would have the ability to do that on a corporate device, but from a legal and data-protection angle we have to consider how we do that when a device is owned by a person?"
5. Start small
It pays not to rush consumerisation of IT. Letting staff use their own devices at work brings with it a multitude of legal, financial, HR and technical issues that need to be addressed and worked through over time.
The complicated nature of the shift means most businesses start small - letting a select group of users start using personal devices for work - before rolling out the practice to the rest of the business.
Whitehill said Standard Life has let a group of about 24 senior staff use a mixture of Apple iPads and BlackBerry PlayBooks at work. The insurer will address issues that emerge among the trial group before widening the consumerisation policy to the rest of the company.
"We have a good handle on a small population of users and they are helping deal with moving this forward," said Whitehill.
SABMiller has a mix of personal iPads and iPhones used by its 72,000 staff, with Brown estimating that there are about 1,000 iOS devices in use within its global workforce.
"We have to think outside the box about embracing modern devices and technology to enable our business, and therefore it's only right that we should look at consumerisation and how we deploy it," said Brown.
"What we've found at SABMiller is the predominant demand is at the junior and middle-management level."
Brown said the company plans to allow for a significant increase in the number of staff able to use consumer devices at work over the next two to three years.