Five BYOD Traps to Avoid

Written by Andrew Jaquith. Posted in Blog Post

There’s no stopping the move to mobile. Gartner expects that by 2015, PCs will account for only 28 percent of Internet-capable devices sold. With this surge in post-PC tablets and smartphones (mostly made by consumer behemoths such as Apple, Google and Samsung), employees are increasingly demanding to use their personal mobile devices to access company information, such as email.

Forrester Research estimates that 65 percent of enterprise employees are already using personal devices for work purposes. Many CFOs are looking to cut BlackBerry contracts and telecom expenses from their budgets by letting their employees foot some (or all) of the monthly bill. This phenomenon is generally referred to as bring-your-own-device, or BYOD for short. For a company with 500 employees, we estimate that cost savings associated with BYOD could add up to $300,000 or more annually. BYOD is even catching on in the financial services industry, which has traditionally been extremely conservative and security-conscious. We estimate that 50 percent of Perimeter’s banking and credit union customers are currently considering rolling out BYOD programs.

Despite the growing interest in BYOD, it is a phenomenon many IT departments continue to wrestle with. Countless press articles spread fear, uncertainty, and doubt (FUD) about the terrors of BYOD, which doesn’t help CIOs figure out what to actually do. In fact, if I had a nickel for every article on the topic, I’d be rich – but no closer to actually solving the problem.

What these articles don’t tell you is that BYOD doesn’t have to be complicated. The trick to managing successful BYOD programs is to set clear ground rules, create sensible security policies, devise a strategy for navigating the privacy minefield – and know what common traps to avoid, including:

  1. Not having a BYOD policy: Without a formal BYOD policy in place, organizations are unclear about what devices are allowed on the network, and left with an ambiguous set of rights regarding what protections they can reasonably assert over employee-owned devices. What is the company’s responsibility to secure an employee-owned device, or to wipe it if it’s lost or stolen? Who is responsible for repair when the device is broken? Who pays the bill? Without a policy in place, companies will likely act inconsistently on BYOD matters, frustrating everyone from the executive level down to entry-level employees. Even worse, these inconsistent actions could be used against the organization in court.
  2. Over-collecting personal data: If an organization has decided to allow employees to use personal devices for work, it may be tempting to use MDM products to track calls, data usage, browsing habits and device locations, inventory installed applications, and so on. Where this may be reasonable in the world of PCs and company-issued devices — where absolute control over devices is assumed and assured — BYOD is a different story. If employees have to pay for their own devices, they won’t be happy about employers controlling the way they are used and monitoring all of their activities. It crosses the Creepy Line. More to the point, it’s not always legal, and aggressive data collection practices usually have unintended side-effects. Many of the data-collection features in MDM will rapidly drain device batteries, which makes these policies even less practical.
  3. Treating all devices the same: All devices are not created equal. BlackBerry and Apple iOS are both fairly secure and highly manageable. Android, by contrast, has only a limited number of native security features that can be managed by MDM products or Google Apps. Android is also not a monolith; it is a fragmented ecosystem of many vendors and countless devices – each with its own security capabilities. That makes it hard to know which devices to allow or disallow, and what policies you might need. For example, ask yourself this question: which Android phones support hardware-based encryption? Where would you go to find out? Because not all mobile OSes are created equal, you can’t treat them all the same. Less secure platforms — I’m looking at you, Mr Google — may need to be retrofitted with additional security software.
  4. Control freakery: Personal devices are just that — personal. Avoid laying down a blanket prohibition on using personal devices for personal activities during work. While it’s generally recognized that employees should keep personal activity to a minimum, it is sometimes unavoidable. Attempts to control personal devices can cause resentment. Requiring a 12-character complex password that must be changed every 30 days was generally acceptable on PCs, but expecting employees to do this on their own mobile devices is far too aggressive. If BYOD policies are too strict, you will be forced to make exceptions, and inconsistency is never a good thing.
  5. Relying on ActiveSync: ActiveSync enables non-BlackBerry devices to access email, calendars, tasks and address lists, and has the ability to enforce a handful of security policies. Though these policies can be useful, they are not nearly enough. ActiveSync is implemented inconsistently across different platforms, forcing companies to adopt a least-common-denominator policy. ActiveSync also doesn’t do much to limit enrollments. Typically, when an organization allows an employee to use ActiveSync to connect to email, the employee is able to register as many devices as he or she likes. That’s not good. Furthermore, ActiveSync doesn’t allow partial wipes of a device. Instead, when a device is wiped, the whole device is erased. If the device contains personal photos or music, wiping it could be deeply upsetting. In fact, fear of capricious wipes creates a perverse incentive to not report security issues.
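The enrollment problem in trap 5 is at least measurable. The following script is an added example, not part of the original post, showing how an Exchange administrator can audit ActiveSync device partnerships from the Exchange Management Shell: how many devices each employee has registered, which platforms they run, and which partnerships have gone stale. It assumes Exchange 2010-era cmdlet names (`Get-CASMailbox`, `Get-ActiveSyncDeviceStatistics`; on Exchange 2013 and later, and Exchange Online, the equivalent is `Get-MobileDeviceStatistics`). The two-device limit and the 30-day staleness window are assumed policy values chosen for illustration, not figures from the post.

```powershell
# Added example (not from the original post): audit Exchange ActiveSync
# partnerships so that "as many devices as he or she likes" becomes visible.
# Assumes an Exchange Management Shell with the Exchange 2010 cmdlet names.

$MaxDevicesPerUser = 2     # assumed BYOD policy limit per employee
$StaleAfterDays    = 30    # assumed: a device that has not synced in 30 days is stale

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Only mailboxes that actually have at least one ActiveSync partnership.
$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$report = foreach ($mbx in $mailboxes) {
    # One record per device that has ever paired with this mailbox.
    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity)

    # A device that has never synced, or not synced since the cutoff, is stale.
    $stale = @($devices | Where-Object {
        ($_.LastSuccessSync -eq $null) -or ($_.LastSuccessSync -lt $cutoff)
    } | ForEach-Object { "$($_.DeviceType)/$($_.DeviceModel) ($($_.DeviceID))" })

    # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0,
    # which the Exchange 2010 shell ships with.
    New-Object PSObject -Property @{
        Mailbox      = $mbx.Identity
        DeviceCount  = $devices.Count
        OverLimit    = ($devices.Count -gt $MaxDevicesPerUser)
        DeviceTypes  = @($devices | Select-Object -ExpandProperty DeviceType -Unique)
        StaleDevices = $stale
    }
}

# Employees who have registered more devices than the BYOD policy allows.
"Mailboxes over the $MaxDevicesPerUser-device limit:"
$report | Where-Object { $_.OverLimit } |
    Sort-Object DeviceCount -Descending |
    Format-Table Mailbox, DeviceCount, DeviceTypes -AutoSize

# Partnerships that are no longer in use; candidates for removal with
# Remove-ActiveSyncDevice after the owner confirms the device is retired.
"Stale partnerships (no successful sync in $StaleAfterDays days):"
$report | Where-Object { $_.StaleDevices.Count -gt 0 } |
    Format-List Mailbox, StaleDevices

# Keep a copy for the BYOD policy review.
$report | Select-Object Mailbox, DeviceCount, OverLimit, @{n='DeviceTypes'; e={$_.DeviceTypes -join ';'}} |
    Export-Csv -Path .\activesync-audit.csv -NoTypeInformation
```

The script only reports; it does not remove partnerships or wipe anything, which keeps it on the right side of the wipe concerns raised above. Once the numbers are known, Exchange does offer two enforcement points that are often overlooked: `Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine` holds new devices until an administrator approves them instead of admitting every enrollment, and the `EASMaxDevices` setting on a throttling policy (`Set-ThrottlingPolicy`) caps how many devices a single mailbox may pair with.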

The bottom line: BYOD introduces new risks and operational burdens associated with employee-owned devices in the workplace. But by avoiding these common traps, while applying sensible management and security policies that are grounded in the law and enforced through technology, BYOD programs can be safe, secure and legal.

Interested in learning more? I encourage you to check out my on-demand webinar – The 5 Best and Worst Bring-Your-Own-Device Mobile Policies.



Andrew Jaquith

Andrew Jaquith is the Chief Technology Officer of Perimeter E-Security. Before Perimeter, he was a senior analyst with Forrester Research and Yankee Group.
