The bring-your-own-device (BYOD) revolution isn’t coming soon. It has already swept through the enterprise and is firmly entrenched. Users want to work on a device that has a user interface that suits them, that gives them seamless access to their personal contacts and data, and, let’s face it, that looks cool.
There are risks associated with bringing personal, consumer-grade devices into the corporate network. Employees could be offloading company data onto their own smartphones, tablets or laptops; that data can be exposed through the loss or theft of a device, with the possibility of huge privacy and security fallout. Users could download apps that compromise the security of their devices, exposing the enterprise network to exploitation. It’s critical that you have a corporate BYOD strategy.
Here are two strategies that don’t work:
- Insisting that users keep their personal devices off the company network.
- Not having a formal BYOD user policy.
It seems, though, that most enterprises are going with the latter. An August 2014 study by Software Advice found that only 39 per cent of companies had a BYOD policy. That same report found that more than half of employees had downloaded company files to their devices, and only 49 per cent regularly installed security patches and updates.
So … what goes into a good BYOD policy, one that will minimize your enterprise’s exposure to liability and compromise?
Data handling may be the most critical element. Ideally, company data should stay on the company network, but that’s a practical impossibility: without that data on their devices, people can’t do their jobs. Any data that leaves on a personal device must be encrypted.
Devices must be secured by a password of a particular length and strength. Only approved apps can be installed. Device operating systems must be kept up to date. And a policy must spell out exactly what the consequences are for contravening these conditions.
You can see the problem here, right? All these conditions assume compliance by the user. The IT department can’t go around checking every device. So there’s more to a strategy than just policy. There’s also policy enforcement.
That’s where a mobile device management (MDM) solution can help. An MDM solution can monitor, secure and support BYOD users over the air. It will push out security updates and patches, or poll devices to make sure they’re up to date, quarantining them if they aren’t. It can distribute applications. Used in conjunction with a custom enterprise app store, it can also make sure only approved apps are installed. And in case of loss or theft, an MDM solution can remotely wipe device memory.
Another technology that can be used in conjunction with MDM is virtual desktop infrastructure (VDI). In a VDI environment, applications and data actually live on a data centre server, not the end-user device. The smartphone, tablet or laptop essentially becomes a thin client; the data and processes never leave the data centre. When the device isn’t connected, the data and applications aren’t available.
Provisioning of devices is another element of a BYOD strategy. There are several approaches: you can leave the selection and purchase of the device entirely up to the users, allowing them to use devices they already own; you can subsidize the purchase of approved devices; or you can supply them to the users, giving them the option of a number of different devices. There’s an obvious advantage of comfort and control with the latter two approaches, as you’re dealing with the devil you know.
Whatever approach you take, one thing is clear: not having a BYOD strategy is not an option.