Simply Security - News, Views, and Opinions from Trend Micro

Posted on October 3rd, 2012 in Consumerization by Simply Security | Be the first to comment | Tags: Consumerization

More people have been bringing devices to work than ever; companies must make sure they have good policies in place.

By now, most companies have at least heard about BYOD (Bring your own Device) and the risks and benefits it brings to the table. According to a survey released late last month by KnowBe4, approximately two-thirds of companies allow their employees to bring their own mobile devices or tablets to work for business use. Even so, 71 percent of BYOD-enable firms have no explicit security policies or procedures in place, something one security researcher told Network World is a big mistake.

"There needs to be some policy-based level of control, some sort of documentation or contract or rules," Hyoun Park, principal analyst at Nucleus Research, told Network World."Companies can't simply wipe information off lost devices – that wouldn't be legal. There has to be some sort of agreement in place between the individual and the company."

Paul DeBeasi, research vice president at Gartner, told Network World that companies must think about the many facets and issues that may come with BYOD. For example, are people going to be able to connect to the company network through their device or will there be restrictions? Can they store sensitive information on the device? Will the company have something in place to remotely wipe data in the case of theft or a loss? These are all questions that companies must look at, and the CIOs who spoke with the website laid out some key things to consider before laying the tracks for any corporate BYOD program.

Retaining reach

The aforementioned "right to wipe" must be considered, according to interviews in Network World, considering how much information can be stored on smartphones and tablets with assistance from cloud services. If sensitive data is stored anywhere on a device, that means there is a chance for that data to be leaked out. Jack Gold, founder and principal analyst at J. Gold Associates, told Network World that companies must have a formal agreement in place with employees before utilizing such features. Companies could expose themselves to unnecessary legal troubles if they accidentally delete prized personal assets such as photo galleries and contact lists in the remote wipe process.

Assigning responsibilities

Companies must keep in mind what kind of responsibilities employees will have for their devices, the news source said. Some companies will give employees free rein to choose the device they will use and what applications to fill it with. Alternatively, IT teams may feel safer in providing workers with an approved list of smartphones and tablets and a catalogue of whitelisted applications. This is something a business must figure out before implementing any kind of plan.

Payment is another area that will be near and dear to the hearts of employees, as no one wants to feel like they're getting an unfair shake in the quest for extend productivity. Companies need to figure out what kind of payment system they want in place in terms of devices, initial carrier plans and monthly overage charges. Some companies will employ a reimbursement scheme or a flat stipend. But for those that are footing the entire bill with no questions asked, it may be wise to leverage mobile device management (MDM) tools which can provide extra insight on cost optimization.

Is every device allowed?

There are a litany of devices out on the market, but which ones will work best with the corporation? Gold told Network World that companies need to figure out which devices they want running on their network and let employees know their decision in a clear way: "You should tell users why, so they can make an informed decision about the device they choose," Gold said.

Even if companies don't quite have everything figured out at the beginning and want to see how BYOD will work for them, DeBeasi told Network World that there needs to be some kind of plan of action that will get the ball rolling.

"You need to get out in front of this and put some kind of simple policy in place – even if it's an imperfect one," DeBeasi says. "More than anything, BYOD is an experiential thing and not something you can learn by analyzing every possible consideration."

Small Business Computing spelled out some final factors that need to be thought of before BYOD deployment – with employee buy-in leading the list of considerations. This means companies may have to educate their workers as to why they must keep an eye of their behavior through MDM platforms and explain the business rationale. In this process, managers will also get the benefit of reaffirming their initial motives for pursuing a BYOD strategy. With emerging evidence suggesting that BYOD may not help cut costs as much as a company thinks, every aspect needs to be taken into account to make sure firms are moving forward for the right reasons. 

"Outside of the financial strain BYOD may or may not put on an IT department, there is the obvious concern of logistical problems that may arise," according to the website. "The good news is that some smart enterprise-class companies require their employees to handle all IT logistics."

Data Security News from SimplySecurity.com by Trend Micro.