Many corporate leaders love BYOD, telling employees "Bring Your Own Device" to work, and with good reason.
When employees use the device they're most comfortable with to get their work done, they get more done faster. They will work from home, during their commute, and most any time they feel the need to. Beyond getting more and better work from their employees, employers eliminate investments in computing and communicating devices and may eventually even reduce their physical plant costs as more employees work remotely.
BYOD is a double-edged sword
These great advantages to the corporation come at a price that must usually be paid by the IT department, as they grapple with letting a variety of devices onto the network while still maintaining tight security and control.
They are also confronted with balancing the employees' desire for ease-of-use while still protecting the corporate network and data. Most security measures require extra steps on the part of the user, and that's what mobile users tend to avoid most.
The IT manager's best friend
The IT manager's surest path to success is paved by a well-constructed and consistently enforced corporate BYOD policy. Let's focus on some practical considerations around end-user devices that should be included in every BYOD policy:
- Approved devices
While the goal is to provide any user access with any device, this may not be practical from a support or security standpoint. If you know there are devices that cannot safely access your network, forbid them in your policy as well as in your network access control measures. Similarly, you'll need to state what levels of support your users can expect from you vs. their own provider. You may, for example, limit your support to devices on major platforms like Android, iOS, and Windows 10.
- Approved applications
One of the technical issues you have to consider is "containerization" of personal data and apps separate from corporate data and apps. If you don't have this kind of isolation set up, you must be very clear about forbidden apps. A whitelist of approved apps is the smartest approach.
- Device ownership
In a BYOD strategy, it is anticipated that the employee owns their own device and is responsible for its service contract. Some companies may elect to reimburse the employee for part or all of the monthly expense. A clear and detailed agreement must be signed, stating the rights and responsibilities of both parties around usage and handling of corporate and personal data and applications. Put measures in place for wiping the device remotely, if it's lost or stolen. Make sure you have a clear onboarding and reclaiming process for personnel changes. Many of these concerns are diminished when the company owns and maintains the device.
- Tech support
While you clearly will be supporting your corporate apps, exercise care when announcing your BYOD service and support strategy. You'd like to be able to support all apps on all devices, but this is likely impractical. Take your support budget, staff, and reasonable expectation of turnaround time into account. You must also consider that, if employees take devices home, they may be used or damaged by family members. Again, some separation of personal from professional use is best when determining how each device will be supported. Put it in the policy!
- Authentication and authorization
Users don't mind entering a PIN or pattern keycode to unlock a device. Imposing two-factor authentication just to use the device may be seen as overkill. If all corporate apps and data reside on your servers, this may not be an issue; simply require the second factor when logging into the network. Users may still balk, but you must balance their ease of use against corporate security.
- Remote wipe
When a device such as a smartphone or tablet is lost or stolen the cost of the device is negligible compared to the cost of corporate data on the device. The usual solution is to send a "kill code" and wipe out all content on the device. In a BYOD environment, it is important to remember that you may be wiping out all personal data on your employee's device too. While you may not be legally responsible for their content, it will impact employee morale if their data is at your mercy. Remember also that remote wipe can be easily defeated by disconnecting the device from the network or Internet, so employees should know to contact your IT department the moment a device is lost or stolen.
- Virtual desktop
A virtual desktop interface on your users' devices allows them to connect to your network, with the applications running on a network server. The user sees the screen and can send keystrokes and mouse movements, but no application other than the VDI is running on their device and no data is transferred. Since no corporate data resides on the user device, there is far less exposure for the company. Many IT professionals have been working on methodologies to "containerize" and isolate corporate data on the device, but VDI seems to present even less risk.
Each user device must be able to support the company's data encryption strategy. If a device cannot encrypt and decrypt data it cannot be accepted as a BYOD candidate.
Most people think of Emergency Medical Services when they see the acronym "EMS" and they're not far off. By naming their solution Enterprise Mobility and Security, Microsoft has aptly defined the responsibility of every IT manager contending with a BYOD initiative. Enable enterprise mobility that puts information at your users' fingertips wherever and whenever they need it, while continuously assuring reliable security of the network and data.