As a manager you want your team to be as efficient as possible, while protecting both the business and them from security vulnerabilities. With an increasing number of businesses and organisations adopting open culture, employees are enjoying greater freedom and benefits in how they do their job. One of these benefits is the ability to use personal devices for official work.
According to Gartner, by 2017 ‘half of employers will require employees to supply their own device for work purposes’. This is a significant change to traditional hardware provisioning and brings with it benefits to both the business and the employee. These range from reducing or avoiding hardware costs to the business, to increased employee satisfaction. For businesses that are yet to make the leap, or are attempting to decide how BYOD best fits into their business, below are a few basic discussion points.
Are you already a BYOD business?
If you already let your employees use their personal mobile phones or even USB devices for work purposes, then you’re already a BYOD business. If you are a BYOD business, then there are a few things that you need to be aware of.
Benefits of BYOD
“The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs.” – David Willis, vice president and analyst at Gartner
- Shared costs
Some people prefer different productivity applications to those that are in common use in the business. As they are using a personal device, they are more willing to purchase or share the cost of a purchase as it benefits them directly. The use of personal devices also reduces the cost to businesses as the purchase and maintenance of the device falls to the employee. Employees are less likely to report or escalate issues to the IT helpdesk, which frees IT for higher-priority issues.
- Increased employee productivity
Employees that use their personal devices for work can be more productive. This benefit can manifest in a few different ways. The employee might be more familiar with the device platform and software ecosystem than with business-mandated platforms. I personally am likely to respond to email out of hours, or work on documents, as I have easier access to them.
- Employee satisfaction
When an employee can use personal devices for work purposes they benefit from a sense of trust. I know from personal experience that if I can quickly update a document while out with friends instead of going to the office I’m much happier.
Risks of BYOD
As with every positive there is typically a negative. With BYOD those negatives derive from the increased freedom employees have. The main areas of risk I will focus on are Software Asset Management (SAM) and Security.
- Regulatory and legal concerns
Depending on your industry, you may be required to comply with various regulatory and legal frameworks (SOX, NIST FIPS, PCI DSS, HIPAA, FISMA) regarding who has access to data you hold, how they access it and how it is stored. Allowing employees to have data on personal devices can put you at risk of fines and other legal ramifications. Some of these concerns can be mitigated and controlled, as covered below.
- Increased IT support
If you allow employees to purchase or subsidize the purchase of personal devices, give them a recommended or supported list of devices that you are comfortable with supporting. If an employee decides to purchase something that is not on the list, make it clear that they must then support it themselves.
- Licensing (SAM) concerns
Every vendor has their own licensing metrics and terms; some can be incredibly complicated. These terms can cover everything from secondary use to how and where an application can be accessed. Make sure to check in advance what agreements you have in place with your existing vendors and double check with any new vendors that employees wish to use. For popular or expensive applications, offer your employees free or open source alternatives, e.g. 7-Zip instead of WinZip. Alternatives such as this can save money without introducing risk or additional training costs, as the behaviour of both applications is similar.
- Security concerns
The most obvious risk of BYOD is the loss of data and the ability of an unauthorised user to access internal systems and services in the event a device is stolen or lost.
The first line of defence to mitigate many of the risks associated with BYOD is a Mobile Device Management (MDM) system. Using correctly managed policies and mandating them on employee devices allows you to protect the business in various ways while still allowing employees greater freedom:
- Encryption policies
Depending on your industry, there may be regulatory or standardized requirements on encryption; even if there are not, encryption should be enabled by default. On modern devices you can enable either full device encryption or limit it to containerized work applications. This means corporate data and emails are kept separate from personal data.
- Password policies
Enforcing strong password policies is a must, but be mindful when implementing a password policy. The more complex or restrictive any security control is, the more likely an employee will try to circumvent it. A password that is overly complex is more likely to be written down or stored somewhere easily accessible. Additionally, requiring a user to regularly change a password can mean the employee picks an easy-to-remember password. NIST has recently updated its policies regarding passwords.
- Establish guidelines for acceptable software usage
As an employer, you can establish the right to allow or prevent the installation of certain applications and where necessary remove potentially harmful or unwanted applications. This can range from the installation of antivirus applications, the removal or patching of vulnerable software, to the restriction of games or file sharing applications.
Utilize your MDM to include personal devices in regular audits and as part of your overall SAM solution. This will help identify potential risks and breaches of policy, and allow you to keep track of your effective license position.
With these measures in place, your business is well on its way to being a safe, secure and open BYOD-friendly workplace.
About the Author:
Jonathan Schnittger is a Senior Software Developer & Team Lead at 1E, a Software Lifecycle Automation company. He is a Certified Secure Software Lifecycle Professional (CSSLP) and a full stack software developer specializing in enterprise grade .Net applications. Jonathan has over 15 years of experience in software development and has worked on a wide variety of applications from mission critical data center monitoring, agent-less inventory solutions, remote deployment software to large scale data warehousing.