Fresh from being 2014's most mentioned issue, "BYOD" continues to menace businesses. We got in touch with Jim Haviland, CSO of Vox Mobile, to talk about the issues that BYOD policies create in business, how to handle those problems, and how to choose between BYOD, CYOD, and COPE.
A recent survey found that 68 per cent of businesses don’t yet have a BYOD policy in place, but the absence of an “official” BYOD policy doesn’t stop employees taking their work out of the office.
What are the dangers of this and how can they be avoided?
We find similar statistics in our research. The risks come from a number of angles: data security, hardware risk, legal compliance, privacy, support and usability. Many of these issues are not new, but just made more obvious with mobile devices.
Every employee has access to information that their employer would prefer not be shared outside the organization, but we are all more aware of security breaches as more data becomes more available electronically. There is legal precedent for organizations having to pay employees for time spent answering emails on personal devices – even if the employees didn’t have explicit approval to work.
In some states, the mere fact that an employer wasn’t specifically restricting employees from accessing emails that came in after hours, and didn’t have an explicit policy against it, has been enough to create a situation where back pay and overtime were awarded. Ignorance is not bliss and is not an excuse.
Many employees will have multiple apps and services that run on their devices, accessing the data stored there often without any visibility from the user. This passive leakage is rampant as app developers offer “free” apps under a business model where the developer absorbs information from devices and sells it on the market. 70 per cent of developers make their money this way.
A sound BYOD policy would address things like rogue apps and usually includes a requirement for security software to be put in place to limit exposure or at least give employers some visibility into the ever-changing risks.
For now, most companies are only utilizing email and calendar on mobile devices. Eventually, most companies will have apps that help people work more efficiently. Device and operating system standards will need to be in place to make these apps work properly and remain secure.
Any security measure you want to put in place for mobile devices will, undoubtedly, also expose personal information to the employers. You need to have employees waive some of their privacy rights to remain compliant with the changing definitions of privacy and data ownership.
When we do BYOD policy consulting, we are almost always hired by IT but much of the work happens with HR, legal, and compliance parts of the business because BYOD is a management issue more than a technology issue.
Some proponents of BYOD have suggested that it’s close to impossible to make a device secure, but far easier to make how users access the data a secure process. Could you explain this idea further and suggest some ways that businesses can accomplish this?
We see the issue from a different angle. The hardware really isn’t the part that needs to be secured. Ultimately, in a world of mobile and cloud, you want to focus on securing the data and doing so appropriately to the associated risk and balanced with the value of maintaining usability and access.
We suggest that organizations focus on moving towards contextually aware security – a discipline that requires that you understand the value and risk associated with different types of data at an ever more granular level and understand the places where it is valuable. This type of security requires a deeper understanding of the business and operations but it will render a much more efficient form of security.
You want to put a lot of resources around protecting things that are meant to be secrets, like intellectual property, and allow the free flow of things that have little or no risk, like an invitation to lunch. With early BlackBerries, everything had the same military grade encryption on it.
To take full advantage of mobile, organizations will have to apply security at the app and data levels and let go of trying to keep the wall around devices.
Interestingly, another survey found that half of users would abandon BYOD if the businesses had an enterprise mobility management scheme, COPE (corporate owned, personally enabled) or a CYOD (choose your own device). How can businesses decide which is best for them? What are the pros and cons of each?
We do a lot of consulting on this topic. We always begin by defining the users and their use cases. If all you need is email and calendar and none of the data involved is very sensitive, a well-developed BYOD program can be a fine choice.
The more companies move to focusing on application success and user experience, the more they can define what the requirements are and the less they care about the cost of hardware. The value return on solving and then optimizing operations that happen in a mobile context are dramatic so device cost and bandwidth become a small part of the equation.
Make certain your employees are properly enabled and supported, not only in getting their work done but in innovating their approach to their work through apps and other services. Companies that have embraced “managed diversity” have found many benefits from this.
We tend to see COPE as the model most likely to balance all the factors – allowing companies to standardize on the things that are important to them but give employees enough freedom to keep them from having to own their own device. If you do this well, the corporate device doesn’t end up in a drawer at night or on the weekends.
[Image: The gang show off their collection of so-called "draw phones"]
Lastly, Richard Parris, CEO of Intercede, said: “The widespread apathy towards company data shown by the report highlights the need for companies to act quickly and robustly to protect their own data or risk major security incidents.”
Do you think this “apathy” is the root of why BYOD has proven so problematic and what are some ways that businesses can implement BYOD safely and securely?
I don’t see as much apathy as I do confusion and competing priorities. We have shown a number of clients that their attempts to lock down devices are thwarted by the leakiness in apps or the willingness of employees to use whatever technology they find to try to get work done.
Most mobile environments are changing every day, some of it for the better, some of it absolutely dangerous, but there isn’t a clear path to solving the problem from the IT office alone. Effective mobile security looks very different from the architectures of the past and requires an understanding of operations, HR, business cases and other topics that are relatively new to many IT leaders.
Mobility can drive extraordinary innovation and value, but it doesn’t get there as an IT initiative with IT problems. Our clients are looking for new opportunities in mobility and recognize that they need to redirect their attention and resources to focusing on agile, innovative engagement.
By focusing on value creation instead of infrastructure, IT leaders can learn to better balance risk and reward and leave the quickly evolving task of systems management and integration to mobility management-as-a-service providers.
Thanks to Jim for talking to us; you can follow him on Twitter @vox_jim.