Ten years ago, bringing a personal computer or phone into the office was almost unheard of. Company-issued phones were the norm, and they weren’t “smart” by today’s standards. It was a rare employee who carried a bulky notebook computer between home and office.
Then mobile phones got smarter and notebooks smaller. IT employees, used to pagers, started experimenting. Executives insisted IT equip them with “the latest,” and the sales teams jumped on board, too. When smartphones and tablets became affordable for consumers, employees wanted to use their own.
Today, BYOD – bring-your-own-device – is almost as common as an office desk phone. That doesn’t mean companies’ BYOD policies are always well thought out. They present an interesting dilemma for IT and the business.
How can IT balance the need for information security with the demands of internal users?
First mobility, then bring-your-own
In those same 10 years, we’ve gone from a workforce bound to the office to one that can almost do without.
Smartphones and notebooks became company staples. IT issued them to executives and then to the sales force. Eventually almost anyone who needed to work outside the office had one.
IT kept these company-owned devices locked down, and all was well.
But workers soon tired of these restrictive devices. If they had to carry a phone 24/7, they wanted more choice and freedom. They were willing to buy their own devices to carry the “latest and greatest.” And they did.
There was little IT could do to keep employees’ personal devices out of the workplace. But who wants to carry two phones?
With employees demanding the freedom and employers looking for cost savings, companies gave in. BYOD was born.
In the “traditional” IT world, IT bought, imaged and issued each mobile device. They installed security on them, as well as a suite of “approved” office software.
With BYOD, IT deals with an ever-changing number of devices, all with different OS versions, applications and data. After all, with personal devices, employees can install whatever they like.
The dilemma? Companies still charge IT with securing the company’s sensitive data. How can IT do that when the data is scattered across devices it can’t control?
Balancing security and mobility
The old one-size-fits-all administrative model doesn’t work for BYOD. When the employee is paying the bill, IT can no longer constrain usage to a small set of approved applications. But there are things IT can do to balance security concerns and user demands.
First, a BYOD policy does not have to allow for every conceivable consumer device. Most employees are satisfied if they are given a reasonable choice. For example, the policy might list twenty supported Android and iOS devices. Outside that list, employees are responsible for their own support.
Second, the policy does not have to include every employee. Some employees need frequent access to company information, some only occasional, limited access. Some require none at all outside the office. By creating user profiles, or personas, the business can create groups that require similar access, instead of an all-or-none model.
Finally, IT can use mobile device management (MDM) tools to require passwords and encryption on employee devices. They can also limit other features and installations. The trick is to apply MDM in moderation, without too many user restrictions. If a personal device no longer feels personal, employee adoption fails.
Newer approaches like MAM – mobile application management – attempt to separate work applications from personal ones. And mobile information management (MIM) attempts to do the same with the actual data files. All these can benefit from user profiles describing what data an employee needs and how often.
Technology is fine, but BYOD is about the user
With BYOD, we’re asking employees to buy their own smartphones, tablets and laptops and use them for the company’s benefit. That opens the door to concerns about data privacy.
By adopting smart BYOD policies and mobile device management, IT can balance those security concerns with user access demands. They can:
- Provide support for a reasonable list of devices
- Construct a set of user profiles for group data access
- Adopt tools for MDM, MAM and MIM in moderation
Meanwhile, some of the responsibility for data security lies with these mobile employees. If IT can’t lock down BYOD devices, the individuals must understand and follow security and acceptable use policies.
With restraint on both ends, we can resolve the dilemma of BYOD.