BYOD .. Who Me?

BYOD is one of the more vexing and difficult challenges currently facing organizations of all sectors and sizes.  The challenges are both practical and strategic.  They affect the day-to-day work of IT support staff as well as the long-term success of IT in any organization.
The impact of BYOD is so great that, according to an IDC report, it is dampening an already soft PC industry.
Adding to the frustration is the lack of clear standards and best practices.  Ask 3 different CIOs about the approach that should be taken with BYOD and you will get 3 different answers.
Literally.

A Tale of Two Companies

Shell

Shell, one of the largest corporations in the world, recently announced that it would move aggressively to a Cloud-first, BYOD strategy in which less than 10% of its 150,000 employees and contractors would use company-provided equipment.
To support this move, Shell contracted with IT giant CA to deploy a cloud-based, 2-factor authentication system that will support a variety of devices.  Tellingly, CA did not actually have a solution ready to deploy for Shell.  Instead they are customizing their CloudMinder platform for Shell’s unique needs.
Shell’s Enterprise Information Security Architect, Ken Mann, explained the rationale behind this strategy at the recent CA World Show in Las Vegas (emphasis mine):
“In about five to 10 years, 50 percent of our staff worldwide will retire.  We’re going to have a lot of people turning over, and we want to be able to attract and retain talented and young staff. They don’t want to come into a locked corporate environment.”

IBM

Before you assume that Shell’s approach will be the new standard, look no further than IBM, which just took the opposite approach to BYOD, as described in a recent article in the MIT Technology Review.
IBM currently provides 40,000 Blackberrys for 10% of its workforce, and allows another 20% to use their own device. However, recent concerns about security risks led IBM to adopt a fairly strict BYOD policy that prevents the use of 3rd Party file sync utilities, including Dropbox and iCloud.
Likely a necessary measure on some level, but let’s be honest.  How many employees are going to use their personal iPhone for work once iCloud has been disabled? Will any?  Would you?
How many employees will run the risk of the IT Department summarily wiping their family photos if any security concerns arise?
There were good reasons for the decision made by IBM, but it will be interesting to see what sorts of consequences that decision will have.

Managing Risk

What these wildly divergent approaches suggest is that there will never be a one-size-fits-all best practice for BYOD/BYOA.  Rather, organizations must look at their overall strategy and find an approach that is consistent.
One similarity between the approaches taken by Shell and IBM is the need to focus on security.

Information Security Risks

The greatest risk of any de facto BYOD policy is the potential loss and compromise of information. While we are all familiar with examples of mobile devices being stolen or lost and the information leaking out of the enterprise, there is the opposite problem of personal devices becoming a vector into the organization.
Digital Forensic Scientist Jacob Williams recently published an article on his ability to hack his way past an impressive array of corporate firewalls using a homemade Dropbox Trojan. One of our clients recently suffered a nasty virus infection that was delivered via Skype. Email is no longer the only vector into a local area network.
In fact, as email security continues to advance and draw resources and focus, other vectors will likely become increasingly popular. And methods of entry that lie outside of the control of the IT Department (i.e., BYOA) pose risks that are difficult to manage.

Legal Risks

As challenging as it has become to manage Information Security risks, the legal risks provide a far greater unknown. BYOD is so new that there is neither legislated nor case law to turn to for guidance. At this point, we will all just have to wait and see what happens as various cases start to make their way through the legal system and the case law is established.
At the very least, as Attorney Sean Doherty recently wrote for Tech Republic, organizations should assume that any and all devices may need to be provided for discovery in the event of litigation. In other words, from a legal perspective, you should probably assume that if you use your personal device for work, in the eyes of the courts it will be considered a work device and subject to the same legal requirements.

Financial Risks

While BYOD is often considered to be a cost-savings policy that can get an organization out of the business of having to procure and maintain expensive hardware, that is not always the case.  In fact, CIO magazine recently released a study in which they found that costs went up…and also went down…and in other cases stayed the same.
As with much of BYOD, the Financial Risks can be unique and situational, but should not be ignored.

So wait…what should I do?

Unfortunately, I can’t tell you.  There is no “right” answer to BYOD.  An effective BYOD policy requires all the creativity IT departments and directors can muster right now.  A basic familiarity with the risks, benefits and strategic impact will certainly go a long way.
We will certainly do our best to keep up with the state of the art here at Community IT…so stay tuned, follow us online and join us for a BYOD Webinar on June 20.
In Minneapolis? Check out this event organized by MAP TechWorks, Making the best of “Bring Your Own Device,” also taking place on June 20.