Education efforts key to successful BYOD programs
While cloud computing and big data are grabbing most of the headlines of late, the Bring Your Own Device movement is still very much alive and giving IT managers plenty to be concerned about.
An increasing number of organizations are adopting formal BYOD policies, hoping to benefit from increased employee productivity. But data security remains a very real concern.
Moving data across a variety of devices and networks puts corporate data at increased risk of leaks or attacks. Several recent studies have shown that nearly half of those organizations that allow employees to connect to the corporate network via BYOD programs have encountered data breaches.
The greatest threat may be what employees are doing with their devices outside the office, whether it involves downloading virus-ridden games, visiting contaminated web sites or backing up sensitive corporate data to a public cloud. And if the organization doesn't have visibility into employee activities, it faces a major challenge in assessing how, when and where corporate data may have been exposed.
Another major mistake that many organizations make is to treat BYOD security as a device problem. Instead, it is an education problem, according to Stephen Orban, CIO and global head of technology at Dow Jones & Co., a news and media company.
"We heavily rely on people being good corporate citizens," Orban said in an interview.
As a media company, Dow Jones is all about creating and distributing information. The same goes for its BYOD program. It is critical that employees understand what data the company is trying to protect, Orban says, and what steps may be necessary to do that. Dow Jones requires that any employee who wants to connect a personal device to the network give the company authority to remotely manage and--if necessary--wipe the device.
Dow Jones has two networks available to employees through its BYOD program--an open one for basic Internet access and a restricted one that enables access to important corporate data.
"The [restricted network] requires total knowledge of what's on your device," Orban said.
Since Dow Jones is part of the News Corp family, BYOD policies initially came from that organization. But Orban says Dow Jones created its own Risk Council to further explore the experiences, best practices and business needs of competitors. Senior managers from each business unit make up the council.
The greatest challenge with creating a BYOD program is to effectively balance rewards and risks, Orban indicates. That balancing act is different for each organization, he says, and takes into account your organization, its industry, the nature of your data, the regulations that impact such a program and the habits and needs of your employees. Communication and education will go a long way in these efforts.
Much has been written about the anticipated benefits of BYOD. These include the reduced cost of providing and maintaining company-owned devices, increased employee accessibility to data, and improved productivity overall. All of these are obviously significant benefits.
Orban notes that the desire by employees to use their personal devices--any devices, anywhere, any time--is becoming a "given". Various studies confirm that, with employees saying they feel more productive and are happier on the job when they can use their own smartphone or tablet to help take care of business. It is becoming difficult to find employees who don't take their work home to some degree, further driving the BYOD movement. And some companies are now promoting BYOD programs as a recruiting and retention tool.
But that adds to the problem. The more employees that have access to corporate data via personal devices, the more types of devices are on your network and the more non-company applications that workers are trying to use, the deeper your security issues become. The main culprit, as IT sees it: loss of control.
To compensate, some organizations have adopted BYOD as more of a fluid reality than a formal policy.
"Our BYOD program is more ad-hoc than a true BYOD program," Tracy Nolan, vice president and CIO at Commercial Metals in Dallas, TX, said in an interview. "We wrestle with this. Devices are out there that are a lot better or cooler than what you can get at work. When I started out here three years ago, execs were handing out devices like candy. I saw a need right away to get some security on that."
Nolan said the first step at Commercial Metals was to invest in mobile device management technology. If an employee agrees to download the MDM app on their device, they can participate in the BYOD program.
The most important next step, Nolan said, is communication. That includes explaining to each employee how BYOD would work for them and what the potential risks to the organization could be as a result of their behavior. Currently 20 percent of employees at Commercial Metals take advantage of the BYOD policy, Nolan said.
Most importantly, a BYOD policy should be simple and flexible to be effective, Nolan said. An organization should also ask what it wants to accomplish with the policy. Goals should include lower costs, better service and increased productivity.
"Make sure the program has the right balance to accomplish all of these," Nolan said. "Make sure you have measures for them, and that you have the ability to change based on what you see."