The evolution of BYOD security


Ian Evans, EMEA Managing Director, AirWatch by VMware, discusses strategies for ensuring that BYODs at the workplace are non-intrusive and firmly secured.

As enterprises accelerate their mobile initiatives and as the world approaches 1.3 billion mobile devices, Bring Your Own Device (BYOD) continues to be a top choice due to the flexibility and ease of use for end users. According to leading industry analysts, BYOD is an alternative strategy that allows employees, business partners and other users to make use of a personal mobile device to have access to enterprise applications and corporate data.

While employees enjoy the convenience of one phone for corporate and personal purposes, BYOD can be a major headache for IT. With operating system (OS) updates nearly every 15 days and new phones still coming into the market (such as Amazon Fire), BYOD is a complex, ever-changing challenge for IT managers.

Since BYOD adoption has become an inevitable part of many organisations’ enterprise mobility strategy, businesses should approach this trend from an enablement perspective. All processes, such as the procurement, enrolment, management and decommissioning of devices, should be as simple and easy as possible.

Position BYOD as a perk: BYOD offers employees the choice to work how they want, on the devices they choose (or the ones they already have). To the benefit of both employee and employer, employee devices are likely to be customised with apps and productivity tools that users have already identified as helpful. Playing up the flexibility and choice BYOD offers will help the scheme to be perceived as one that enables employees to do their jobs more productively and more efficiently.

Prepare for the influx in terms of both network architecture and management. IT personnel must ensure their network architecture can handle increases in Wi-Fi traffic. They must also ensure their existing mobile device management platform can scale to accommodate management of employee devices. If IT has already invested in an enterprise mobility management solution, they should ideally be able to leverage existing policies that have been developed for corporate devices, extending the necessary policies, apps and content from the same console.

Find a solution that can keep up with the market: As previously mentioned, mobile operating system updates are released nearly every fortnight on average and new devices are introduced frequently. Each new device type or OS update is a chance for a potential security vulnerability to arise. Find an OEM-agnostic provider that can provide same-day support for all major device types and operating systems. Evaluate which devices and applications are necessary to support the business and then look at ways of enabling just those in a secure way.

For example, instead of attempting to support every mobile operating system, organisations should create enrolment restrictions to limit the number of specific device types, allowing employees to choose up to five or six of the most popular, and standardise on supporting only those.

Establish clear BYOD policies and Terms of Use: BYOD policies can help employees opt in by outlining both the risks unauthorised access poses and the benefits BYOD schemes provide. The BYOD policy should clearly define the rules of the scheme, in accordance with government regulations and company security policies. It should also clearly outline what IT will be able to see and manage on personal devices, so there is no fear of personal data being compromised or exposed.

Before releasing the scheme company-wide, IT departments should get executive-level buy-in and input from a variety of departments to ensure all concerns are heard and all needs are met. Privacy is a major concern for many employees and may be a hindrance to enrolling in BYOD deployments. The Terms of Use should keep GPS location, personal user information and telecom data private, while protecting the device from a full device wipe or remote control.

Offer assistance: With BYOD, IT departments take on a new role as a consultant. The influx of personal mobile devices into corporate networks – and the cloud-hosted data they access – has fundamentally changed the way people work, and by extension, the way IT departments operate. Providing access to multiple device types – and often to multiple devices per user – creates a myriad of new challenges for IT departments. IT departments managing BYOD programmes are also routinely asked to troubleshoot on a much wider range of devices. Be sure your department is prepared for the influx and diversity of requests from the users.

When tackling mobile security, businesses should aim to make it simple and empowering. The easier it is to use mobile devices securely, the lower the risk of employees finding workarounds to evade the company’s approved policies and procedures.

By enabling a BYOD scheme, or taking a hybrid approach, enterprises allow employees access to corporate resources from anywhere, increasing productivity and driving employee satisfaction. Securing employee-owned devices and supporting different mobile platforms, however, can create complex issues for IT departments.

Data security and compliance: Organisations that embark on a BYOD journey need to enable this type of deployment without sacrificing the security needs of IT. While BYOD can enhance productivity and employee satisfaction, it can also intensify certain risks associated with mobile device use. How a company implements a BYOD scheme can either mitigate or aggravate these risks. Tools such as network access control integration, VPN and app tunnelling can enable organisations to grant access based on compliance, provide access to internal sites and secure mobile communication with enterprise networks.

Address privacy concerns: Businesses need to mitigate risks that are presented when employee-owned devices start accessing corporate resources. An important part of empowerment is education, which includes ensuring employees are aware of security threats and potentially risky behaviour. Businesses that allow BYOD schemes need to configure policies to prevent data collection from personal email, content or applications on an employee-owned device.

With custom Terms of Use agreements based on user role, organisation group and device platform, organisations should clearly inform employees about data that will be captured and what they are allowed to do with the device.

To avoid any privacy concerns, employees need to be informed that GPS location, personal user information, non-business applications and telecom data would all remain private, and that employee-owned devices would be protected from a full device wipe or remote control. This is mutually beneficial, because enabling users to manage devices themselves can reduce the pressure on IT administrators, and encourage user responsibility for how the device is used.

Additionally, containerisation constitutes a viable data-centric security and privacy option. Whilst it ensures the separation of corporate and personal data, containerisation also provides companies with enterprise-grade security for corporate resources and applications that are pushed to a device. Businesses can put all the work-related data in a container that is isolated from the operating system and personal data. This makes it easier to control and secure work-related data and applications, and enables businesses to wipe all business-related data without affecting anything else on the personal device.

By creating a containerised enterprise application repository, organisations can manage enterprise applications and data without having to manage the entire device. In this way, companies can protect their enterprise applications with user authentication, data encryption, app-level policies, compliance monitoring and management.

Removing corporate resources: When an end user un-enrols or leaves the company, administrators can perform an enterprise wipe to remove access to corporate email, Wi-Fi and VPN. Administrators can also remove internal apps and corporate content from devices upon end user departure without affecting personal data on the device.

Key takeaways for outlining a BYOD strategy:

  • Take a user-centric approach first to understand specific mobile use cases within your organisation
  • Understand the key mobile risks that affect the organisation and its constituents
  • Incorporate key business drivers and objectives
  • Implement security controls through both policy and technology
  • Enable the adoption of new innovations and embrace change

 

* This article was first published in Inside_Networks_ME. To read the full edition please see https://www.joomag.com/magazine/inside-networks-me-january-2015/0187363001420979680?short 
