IT Focus Area: Connectivity
January 2, 2013
10 Steps to a Successful BYOD Strategy
It used to be that businesses drove the pace of technology adoption, but times have changed. Mobile devices have transformed the way people perform everyday tasks, and users are now the first to get the latest innovative technologies. Hundreds of millions of employees around the world own smartphones and tablets. They have come to expect anytime, anywhere access to functionality in all aspects of their lives, blurring the line between personal and professional activities. They depend on their mobile devices for everything from financial transactions to personal connections, and they are bringing them to work.
This trend toward active user involvement is called the consumerization of information technology (IT). Organizations that embrace it can realize dramatic increases in employee satisfaction and productivity. Bring your own device (BYOD) is a strategy that allows employees and business partners to use personally owned devices—usually smartphones or tablets—to execute enterprise applications and access data. It can allow organizations to take advantage of the latest technology features and capabilities, without the pain and expense of a large-scale hardware refresh or software upgrade.
According to a study by Gartner, Inc., a leading information technology research and advisory firm, 90 percent of enterprises (with 500 or more employees and an in-house data center) had already deployed mobile devices. And many enterprises are allowing personal mobile devices to connect to the enterprise network.
Devices brought in to the enterprise from the outside pose security threats. While companies have opened up their networks to employee-owned mobile devices, many are struggling to ensure data security without unduly burdening users. Aside from the ease with which they can be lost or stolen, most mobile devices are not equipped with PC-level security and management capabilities. They often aren’t properly secured, or are used to access questionable Web resources.
Many employees don’t think about mobile device security or take the needed precautions to protect themselves and their employer. Employees storing confidential information on mobile devices that have not been secured expose their organization to threats that could lead to data breaches. These threats include mobile malware that targets unsanctioned applications, games, unsecured Wi-Fi networks, and Internet browsing on devices connecting to corporate networks.
In its recent threats report for the second quarter of 2012, McAfee reported a 1.5 million increase in malware since the first quarter of 2012, and a malware sample discovery rate that is accelerating to nearly 100,000 per day.
Additionally, today’s mix of mobile devices and cloud services brings up a host of compliance issues, and complicates e-discovery efforts. Many popular consumer-based or free personal cloud services have limited enterprise management and security features, providing yet another avenue for data theft and intrusion. If the company uses Web-based business applications—also called software-as-a-service (SaaS)—for things like sales automation, customer relationship management (CRM), document management and financials, the compromise of an employee or contractor’s mobile device could provide access to vast amounts of corporate data and intellectual property.
The blurring of personal and professional technologies adds complexity to the task of securing corporate networks and data, and IT departments can quickly become overwhelmed. The consumerization trend is extending beyond mobile devices into the realm of bring-your-own-IT (BYOIT), which includes the use of personal applications, network access and cloud services. This can complicate matters even further. Aside from the difficulties associated with managing access to corporate networks and data from a vast array of devices, troubleshooting can be a serious issue in an environment that includes disparate technologies.
Building a BYOD Strategy
Companies without a BYOD strategy are not delaying the adoption of employee-owned mobile devices and personal IT—they are ignoring it, and exposing their business to risks. It is important to examine the issue of personal IT and develop a strategy that ensures productivity and user satisfaction, while also working to reduce risks. Without careful planning, the cost-saving benefits associated with BYOD can easily be offset by increased IT support and security costs, and it can be a chaotic and confusing experience for a company.
It is possible to craft an effective strategy that reduces security vulnerabilities and management chaos, and balances the risks against the benefits of consumerization.
Here’s how to start:
Step 1: Appoint a core team
Appoint a small, dedicated team to take charge of evaluating your current BYOD state, devising effective goals and developing a strategy to achieve them while enabling a competitive advantage for the organization. This team should include members from IT, information security, compliance and the business units who can remain impartial, but have a vested interest in a viable strategy. Consider additional participation from your human resources and legal departments, and possibly outside consulting firms that have a broader perspective of the industry and can facilitate your objectives.
Step 2: Define and align your BYOD goals
To create a viable strategy, BYOD objectives should be defined with a clear understanding of how they align with the organization’s overall strategic goals. A BYOD strategy can only be successful if its goals are tied to business objectives. Your BYOD goals should reflect a balance of enablement, empowerment, security and governance for your organization.
Step 3: Understand how BYOD is used today
Once your overall BYOD goals are determined, the team should gain perspective from members of the various business units, including sales, C-level executives, human resources, and other key departments to determine which personal devices, applications, and personal cloud services are in use today, how they are used, how tech-savvy the users are, and how employees feel these tools enhance their effectiveness and productivity. It’s important to take a positive tone during these discussions, so that users don’t feel threatened with the loss of their rights or tools.
5 Policy Items to Discuss Internally
Examples of some of the issues to discuss with human resources, compliance, legal and finance departments include:
1. Implications on acceptable use policy.
2. Stipends or reimbursement for the dual use of a personal device. Will the company partially reimburse employees for the cost of the device or the service plan?
3. Labor laws for exempt and non-exempt employees. Hourly employees may claim overtime based on reading email on a personal device.
4. Privacy concerns of personal data. Will the inadvertent remote wipe of personal data make for an unhappy employee?
5. Employee perception of security. Do employees perceive that company security controls hinder their ability to get their job done?
Step 4: Understand your security and compliance posture
Establish an understanding of your organization’s risk threshold by conducting a vulnerability assessment, and evaluating security and compliance requirements. Assess the impact of your current BYOD situation on those requirements. You can consider how the organization deals with remote access from personal computers or laptops to baseline how devices such as smartphones and tablets are being controlled.
Step 5: Start building a strategy
Use the goals you’ve devised and the knowledge you’ve gathered to start building a BYOD strategy. Any IT strategy has to include policy, processes and resources. Policies set expectations by outlining rules and requirements, and identifying how they will be enforced. Processes are activities and tasks that are applied to meet the expectations, and to facilitate the achievement of goals and objectives. Resources—including people, technology solutions and money—are applied to enable the effectiveness of the processes that in turn meet the expectations.
Step 6: Devise a policy
A strong policy clearly indicates which departments and roles may be empowered with BYOD, in accordance with your goals. Which devices, applications, and level of network and data access are permitted for each? What constitutes acceptable and unacceptable mobile device use? It should define password requirements, and determine the steps employees should take to back up and update their devices, and steps to follow in the event of a lost, stolen, or hacked device. It should indicate who can connect devices to the corporate network, how they can be connected and authenticated, what data can and cannot be accessed, which applications are permitted, and the types of data that can be stored on mobile devices. The exception process and penalties for noncompliance should also be addressed.
Step 7: Establish processes
Mature processes will enable the organization to be productive. These processes can aid in connecting disparate parts of the organization. For example, IT should be notified when a new employee begins so that the employee’s mobile device can be enabled. Processes should be developed to implement and enforce policies. Make sure you include processes for provisioning devices when employees join, and for deprovisioning them when employees leave the company.
Step 8: Acquire and deploy resources
The resource component of a BYOD strategy consists of IT tools and the people who deploy and use them. Certain enterprise BYOD tools can help protect your network and data from vulnerabilities presented by mobile devices. The technologies that are right for your organization depend on your goals and objectives. It is best to not focus on the features and functionality of a specific technology, but rather how its capabilities can help you gain a competitive advantage in the marketplace. Many companies find it beneficial to leverage a vendor independent technology partner in order to test various solutions and find the right fit for their organization.
Identifying the right people to facilitate your strategy is as important as selecting the technology. As the BYOD program is implemented, additional roles may need to be created. Some organizations advocate the creation of a chief mobility officer role to oversee their mobility efforts. At the very least, additional training will need to be developed to inform various parts of the organization about the impact of mobility.
6 Enterprise Tools to Know
Tools available in the marketplace that can help enterprises implement BYOD include:
1. Enterprise mobile device management (MDM) systems and services represent some of the most effective immediate solutions for taking control of your BYOD environment. These solutions can be installed in hours, automating the discovery, inventory and policy enforcement of hundreds or thousands of network-attached mobile devices. These include devices that are authorized and unauthorized, and that operate inside and outside the firewall. One way to get started almost immediately is with a software-as-a-service (SaaS) MDM solution. This can provide both a short-term and long-term BYOD management solution.
2. Enterprise endpoint security suites provide a host of centralized security solutions that extend to mobile devices, including antivirus, anti-spyware, intrusion detection and prevention systems (IDPS), data loss prevention (DLP), vulnerability scanning and application blocking, as well as single sign-on capabilities. Automatic updates ensure that you are up to date with the latest security risks.
3. Network access control (NAC) solutions inspect devices that connect to the network to ensure they are up to date with the latest required security patches and applications. If they are not, NAC tools can download updates automatically before allowing the device to connect. NAC also aids in the onboarding of devices to corporate networks (wireless and wired). More importantly, NAC helps with the offboarding of devices when an employee leaves. This lessens the burden on IT support staff to enable a new employee, and helps secure the organization’s data when an employee departs.
4. Endpoint virtualization solutions provide complete separation of personal and corporate computing on the same device by placing each in its own virtual machine. Deploying and managing endpoint virtualization can be accomplished from a single central console, and virtualization can occur either on the mobile device or on a central server when the mobile device connects. This technology is in its infancy, but is likely to mature in the near future.
5. Enterprise-level mobile content management (MCM) and collaboration solutions are good alternatives to publicly available tools. These technologies allow IT to secure and manage mobile access to an organization’s files and data. They allow users to access corporate information on the road without compromising privacy and security.
6. Virtual desktop infrastructure (VDI) offers a technology for accessing an enterprise desktop hosted in a centralized data center. Since data is not stored on the mobile device itself, VDI can reduce the risk of lost or stolen data while providing full access to corporate applications.
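The policy elements from Step 6 (which roles may use BYOD, what level of access each gets, passcode requirements, permitted applications) and the NAC admission check described in item 3 above come together in a device posture evaluation. The following is an added example, not code from the article or from any MDM or NAC product: it evaluates a constructed device inventory record against a hypothetical BYOD policy and returns either the access level for the owner's role or a list of reasons the device must be blocked or remediated. Every policy threshold, field name, role, app identifier and sample device here is an assumption made for illustration.

```python
"""Added example: a NAC/MDM-style BYOD admission check (not from the article).

Policy values, roles, app identifiers and sample devices are all constructed
for illustration; a real deployment would take them from its MDM inventory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical policy, in the shape a Step 6 policy document would be encoded.
POLICY = {
    # Minimum OS version per platform (assumed values, not the article's).
    "min_os_version": {"ios": (6, 1, 0), "android": (4, 1, 0)},
    "min_passcode_length": 6,
    "max_days_since_checkin": 14,          # device must report in to MDM regularly
    # Apps the policy forbids on enrolled devices (constructed identifiers).
    "blocked_apps": {"com.example.personalcloud"},
    # Which roles are enabled for BYOD and what each may reach; roles not listed
    # are denied by default.
    "role_access": {
        "sales": "corporate-apps",
        "executive": "corporate-apps",
        "contractor": "email-only",
    },
}


@dataclass
class DevicePosture:
    """One inventory record as an MDM agent would report it (constructed)."""
    device_id: str
    owner_role: str
    platform: str
    os_version: str
    passcode_length: int
    encrypted: bool
    jailbroken: bool
    days_since_checkin: int
    installed_apps: List[str] = field(default_factory=list)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.3' into (6, 1, 3); missing components count as 0, so '6.1' == '6.1.0'."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_device(device: DevicePosture, policy: dict = POLICY) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    decision is the role's access level when the device is compliant, "remediate"
    when it fails checks that NAC can fix (updates, settings), or "block" when it
    fails a check that cannot be remediated automatically.
    """
    block: List[str] = []
    remediate: List[str] = []

    # Deny by default: an unknown role or platform gets nothing.
    access = policy["role_access"].get(device.owner_role)
    if access is None:
        block.append(f"role '{device.owner_role}' is not enabled for BYOD")
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None:
        block.append(f"platform '{device.platform}' is not permitted")
    if device.jailbroken:
        block.append("device is jailbroken/rooted; its OS controls cannot be trusted")

    # Fixable findings: NAC can push the update or prompt for the setting change.
    if minimum is not None and parse_version(device.os_version) < minimum:
        remediate.append(f"OS {device.os_version} is below required {'.'.join(map(str, minimum))}")
    if device.passcode_length < policy["min_passcode_length"]:
        remediate.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if not device.encrypted:
        remediate.append("device storage is not encrypted")
    if device.days_since_checkin > policy["max_days_since_checkin"]:
        remediate.append(f"no MDM check-in for {device.days_since_checkin} days")
    for app in sorted(set(device.installed_apps) & policy["blocked_apps"]):
        remediate.append(f"blocked application installed: {app}")

    if block:
        return "block", block + remediate
    if remediate:
        return "remediate", remediate
    return access, []


def triage(devices: List[DevicePosture]) -> Dict[str, str]:
    """Map each device id to its admission decision."""
    return {d.device_id: evaluate_device(d)[0] for d in devices}


# Constructed sample inventory for the demonstration.
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "sales", "ios", "6.1.3", 6, True, False, 3, ["com.example.crm"]),
    DevicePosture("dev-002", "contractor", "android", "4.0.4", 4, True, False, 2,
                  ["com.example.personalcloud"]),
    DevicePosture("dev-003", "executive", "ios", "6.1.3", 8, True, True, 1, []),
    DevicePosture("dev-004", "intern", "ios", "6.1.3", 8, True, False, 1, []),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        decision, reasons = evaluate_device(device)
        print(device.device_id, decision, reasons)
```

The two-tier outcome mirrors the distinction the tools list draws: findings NAC can correct before admitting the device (an outdated OS, a weak passcode, a forbidden app) produce "remediate", while a jailbroken device or an owner whose role the policy never enabled produce "block", and unknown roles and platforms fail closed rather than inheriting some default access level.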
Step 9: Educate
No matter how much you try to educate your users about policies and processes, you can only be successful if you achieve buy-in. Policies and processes cannot be effective unless employees understand the reasoning behind them. BYOD education should start immediately when users begin work for your organization, and continue with periodic refreshers. BYOD courses can be held online or in person. One way to help users understand the importance of BYOD policy is to highlight the publicized intrusion and data theft incidents of other organizations resulting from mobile device use. Focus the education on protecting not only the company, but also the employees’ personal information and livelihood.
Step 10: Revisit your strategy
The BYOD landscape—consisting of devices, software and cloud services—is a fast-moving target. Your core team should continually revisit your BYOD strategy. It is important to conduct regular vulnerability assessments and review your policies, processes, resource tools, and education to ensure that they are still effective. This should be done at least once a year; depending on the dynamics of the organization, once every three months may be a more appropriate time frame. Breaches or outages related to mobile technology may necessitate an ad hoc reexamination of your BYOD strategy.
Like it or Not, BYOD Is Happening
The consumerization trend is here to stay, and devices are only the beginning. Employees will soon be bringing their own applications, collaboration systems and even social networks into the workplace. By implementing a comprehensive BYOD strategy that includes robust policies, processes, resources, and education, enterprises can set the foundation for securing corporate data and providing safe, productive access. With well-supported mobility and security programs in place, companies can strike the right balance between security and usability, and leverage the next generation of consumer technology.
View more presentations from Forsythe Technology