Bring your own device is one of the rare concepts in IT that was conceptualised after it was rolled out. Since mobile phones became omnipresent, employees have been bringing them to the office whether they were a part of their work or not. It’s only in 2009 that the term was first coined by Intel, long after the mobile revolution had well and truly taken place. Since then, decision-makers and system administrators have been playing catch-up, working to better and more firmly integrate employee devices into the corporate ICT ecosystem.
One of the major sticking points for any business embarking on a BYOD policy for the first time is how to square the circle of device security. In a closed system, the system administrator will have near-total control over how and where every device on the network is used. Once you introduce employee-provided devices into the mix, you suddenly have computers, mobile phones and tablets carrying potentially sensitive and financially valuable information being used on insecure and public-access networks. So how to protect yourself?
At CrossPoint, we firmly believe it’s in every business’ best interests to embrace the future and consider how a BYOD policy could fit into their operations. At the same time, information security is paramount, so let us explore how you could build a safe, flexible and open network that keeps your team-members, your system administrators, and your Chief Security Officer happy.
The risks of flexibility
There’s a reason that the dominant paradigm in system administration was ‘security at any cost’ for the longest time. Intrusive security elements like keyloggers, router-level content filters and firm restrictions on what kind of files could be downloaded and accessed were put in place to defend the business’ most valuable asset – its data. These counter-measures were deployed because they were seen as the best possible way to defend data against external access by hackers or internal theft by employees.
Predictably, employees very rapidly get sick of having to ask the system administrator for an admin password so they can open a work-related .zip file. As a result, many businesses have loosened their restrictions in order to remove the number of roadblocks between workers and their goals. In some cases, it’s come on the heels of the realisation that often-hated tools such as social media can lead to an increase in productivity, opening up new ways to collaborate between workers. This has led to internet monitoring software developer WebSpy to suggest that excessive URL blocking can lead to workers feeling infantilised, negatively affecting productivity on a number of levels.
“Depriving the needs of a professional workforce can cause resentment and increase costly turnovers,” they suggested.
“Blocking Internet access also has potential to reduce productivity by complicating or delaying accomplishment of tasks…recent research [by] the University of Melbourne shows that people who do surf the Internet for fun at work…are more productive by about 9% than those who don’t.”
But throwing the switch in the other direction without the appropriate level of planning can lead to disaster for your organisation. Whether because of technical or human error, you could be exposing your company to substantial data leaks, running afoul of data security regulations and a mountain of bad press.
It’s important to be fully aware of the risk that a bad BYOD policy poses, so you can build a good one. The diverse range of operating systems and hardware platforms available to consumers means that a BYOD policy has never been harder to safely implement. Scrypt, a US-based developer of productivity software for regulated industries such as healthcare and lending, noted that BYOD opens up a compatibility can of worms. They noted that the most basic version of this is a lack of a single, unified piece of security software across multiple platforms. Worse, software may exist on multiple platforms, and a decision to adopt may be made on the effectiveness on the device on a handful of devices. Poor-quality ports could expose certain devices on the network to intrusion, giving attackers a trusted entry point to your whole network and – in a worst-case scenario – rendering the entire security suite useless.
Keeping your company safe
So how do you do it right? It’s all about balance. The worst BYOD policies are total anarchy – any device, no safeguards, no oversight – but a close second is an overly-restrictive one that might as well just demand employees use a work-provided device. A corporate network requires a degree of uniformity, and with the range of tools available to system administrators today, you can achieve that without significantly impacting your worker’s recreational device usage. Commonly deployed strategies include mandating a separate user-account for professional usage, allowing administrators a degree of control over one secure are of the phone; mandatory encryption, allowing them to remotely wipe lost devices; and password locking (preferably with two-factor authentication) work-related apps and websites.
Your guiding principal when drafting a BYOD policy should be thinking about what level of security your employees are already comfortable with, or what they could be reasonably pushed to. Nearly every device owner understands the importance of password-locking their device, even if they don’t do it themselves, and many would be able to accept encryption after it’s explained how unobtrusive it is.
If you’re truly looking to build an intelligent, BYOD-friendly workplace, work with the experts. CrossPoint has extensive experience building IT infrastructure and designing policies that balance the needs of the worker and the company. Talk to one of our consultants today and work smarter.