Empower your mobile workforce
IT security departments have recently been doing pretty good impressions of King Canute trying to hold back the waves of personal devices that are being brought into office environments. Whether you have an official Bring Your Own Device (BYOD) initiative or not, employees are bringing their iPads, iPhones, Android devices and even laptops to work and using them on your wireless networks. This creates a conflict between an employee’s desire to have a single device for both business and unrestricted personal use and the IT department’s need to manage these devices in a secure way.
From an employee perspective this is good news as they are no longer forced to use the device that their employer chooses. In fact it appears that companies in the US and Europe are rushing to adopt a BYOD scheme of some sort. Cisco surveyed 600 IT and business leaders and found 95 percent of respondents are allowing employee-owned devices in the workplace.
A similar survey from BT found that 82 percent of companies across 11 countries allow their employees to bring their own devices to work, or will do so within the next two years. Lastly, Aruba questioned almost 800 IT and networking professionals across the EMEA region and found that 69 percent of organisations allow some form of BYOD. Interestingly, however, the Aruba survey also found that just 22 percent have more than a quarter of their employees currently bringing their own devices, indicating that although there is widespread acceptance of the schemes, not all employees are currently taking advantage of them. This suggests that there is still a long way to go before the potential of BYOD is fully realised and, more worryingly, that the security issues BYOD schemes cause may be yet to manifest themselves.
Four Steps to a Successful BYOD Scheme
Define the scope of the scheme
The first thing to do is to define exactly what you want the scheme to consist of. To do this you will need to answer the following questions:
- How widespread will your scheme be? All of the company or just a sub-set?
- Will the scheme simply allow employees’ current devices onto your network, or aim to replace the current corporate devices with employee-owned hardware and software?
- What devices will be included in the policy? Laptops and/or Mobile Devices?
- Will you create a mandated list of devices that your employees can choose from (so that you can be confident that appropriate business software is available for them) or will you allow a free-for-all?
- For any new devices such as laptops will you be contributing towards the purchase cost?
- If so how much and how long will this money be expected to last for?
- Will the employee’s devices be allowed on your corporate network?
- If so will it be using a restricted wireless network or given full access?
- Under what circumstances will you allow them access? For instance will they have to install specified security software first?
- What are the security policies that you must adhere to? E.g. PCI DSS, HIPAA, or GLBA
- What IT support will you offer for these devices? For example will you charge a monthly support fee to these users?
- Lastly what will happen when an employee leaves?
- For example will you wipe their device?
- If a contribution of £800 is made to a device and an employee leaves one month later will they be expected to reimburse part or all of the cost?
Define a Policy
Once you have decided what you want to offer, you will need to define a company-issued acceptable use policy, remembering that you are effectively telling an employee what is, or is not, an “acceptable use” of their own laptop or smartphone. Having said that, this is an essential step and you must clearly define a policy for BYOD that outlines the rules of engagement and states up front what the expectations are. You should also define a minimum security policy and mandate a company-sanctioned security tool as a condition for allowing personal devices to connect to company data and network resources.
From a laptop perspective the risks are bigger than with tablets and mobiles and you will need to ensure that your security policy includes anti-virus, anti-spyware and firewall software either supplied by you or verified by your security product.
In the event that a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem. Obviously, the company will want its data, and there should be a policy in place that governs how that data will be retrieved from the personal laptop and/or Smartphone.
Lastly you will need to think about your general security policies and the sanctions that are taken for breaches. For example if a non-authorised device is attached to your wireless network (which you should start to monitor) what is the action that is taken?
IBM has its own BYOD scheme. In this plan they have issued a series of “secure computing guidelines” to employees in an effort to raise awareness of online security and the sensitive nature of corporate data. So far, about 120,000 users are accessing IBM’s network through mobile devices, and of that total, 80,000 are supplying the device and paying the monthly service fees. The remaining 40,000 are using smartphones issued by IBM. Employees who want to use their own devices have to agree to IBM’s policies, which notably include a clause that their device be wiped once they leave the company.
Ensure you have the products to meet the policy
There are several security products available; however, you will need one that has the breadth of coverage to manage all types of devices, from laptops and smartphones to tablets. From an asset management perspective it would be advisable to use the same tool to manage your existing desktops and servers so that you can differentiate employee-owned devices from company assets in a single report.
A product that meets all the requirements is MaaS360. This product provides a completely integrated approach coupled with real-time visibility and control over all devices employees use in their daily functions. This can provide security policies (including selective device wipe) and compliance checks on all your devices and also supply the core protection needed on laptops. Additionally as it works from a single console you will get a consolidated inventory of employee and corporate-owned devices.
It is also worth noting that IBM’s own BYOD scheme as mentioned earlier is enforced with MaaS360.
Advertise the Scheme
Lastly, you will need to advertise the scheme, making clear who is eligible and what will be expected of them in return. Usually this can be done by sending out an email and creating an internal Wiki page with access to the security, device and finance policies so that employees can decide with full knowledge what they are signing up for.
Migrating from Blackberry to iOS or Android?
With the recent spate of bad news about Blackberry, and the prediction from IDC that by 2018 their market share will fall to a mere 0.3%, it is unsurprising that several companies are reviewing their phone purchasing policies. The big worry for businesses is security and how they are able to secure Android devices and iPhones in the same way they used to with their old Blackberry devices.
Simply supplying out-of-the-box iPhones and Android devices will not enable you to match the security you enjoyed with Blackberry; however, this does not mean it is not possible. In fact the same level of security is available, but businesses need to look at augmenting their mobile security by buying Mobile Device Management (MDM), Mobile App Management (MAM) and containerisation solutions for their new phones.
Blackberry advertises the following security features which will need to be replicated.
- Strong IT policy enforcement and management (such as securing and wiping a device)
- Secure browser connections
- Application access controls
- Manage work and personal data in a simple, secure way
- End-to-end data encryption
Orb Data can help you with this process.
How can Orb Data help?
Writing Bring Your Own Device Policies
One of the most important aspects of any BYOD project is writing the policy document. This document not only provides the security policy that each employee must adhere to but also defines the following aspects:
- Employee Eligibility
- Support Model for Employee owned devices
- Employee Education and Change management
- Legal and Privacy aspects
- BYOD Funding arrangements
Orb Data can help you with your own policy document and so if you would like help don’t hesitate to contact us.
Writing a business case for BYOD
In a recent article on BYOD, Deloitte said “A successful BYOD initiative turns risk into a programme of business enablement.”
This may be the aim, but in reality most BYOD schemes start out of necessity rather than because they are seeking business value. However, like most IT initiatives, a business case should precede the official project to confirm funding and to set out the goals and ROI of the initiative.
Orb Data suggests that the following 5 subjects should form the core of any BYOD business case.
- Cost Savings
- Employee Satisfaction
- Understanding the Consumer
- Operational Flexibility
If you would like help writing your business case then please contact us using the form.
Choosing a product
What if you could manage all your users from a single console—one that provides instant visibility into who is connecting to your corporate data and with which devices?
You can. MaaS360 offers scale, control and security across all devices and mobile platforms. Total device management by user, device, application, and across your enterprise is the only way to gain a true 360° view of mobility, so you can take action with just a few clicks.