
10 BYOD concerns that go beyond security issues

The BYOD trend has introduced a variety of security issues to the enterprise -- but IT has a lot more to worry about than security.

Consumerization of end-user devices in companies is here to stay. This means freedom of device choice for business users and a boatload of security worries for CIOs. But let's not talk about security for a change. What else should you be thinking about if you are IT and must support this avalanche of devices? Here are 10 concerns to keep in mind.

1: Long-range vendor plans

The producers of consumer-grade devices develop their products based on the consumer market. This means that products may not necessarily line up well with enterprise technology planning and integration needs. It is best to support end-user devices from companies that also serve the enterprise market, because these companies understand the requirements and are more likely to develop products that work well in enterprises.

2: Lost devices

Thirty billion dollars' worth of mobile phones were lost in the U.S. alone last year. Many companies have rigorous security procedures for mobile devices but forget to enact a lockdown procedure for when a device holding vital data is lost in the field. Your mobile device procedures should include lockdown.

3: Personal and professional use of mobile devices and other technology

A few years ago as a CIO, I found myself in a three-hour board meeting, with the board of directors debating whether the laptop computers they were given and that were purchased by the company should be used only for company-related work -- or whether they could upgrade these devices on their own, let their kids use them, and even secure their own local service providers (paid for by the company, of course).

The meeting caught me by surprise. As a CIO, it seemed natural to me that a board member would understand the importance of keeping company equipment secure and dedicated to company business. Instead, this meeting proved to be a wakeup call. I learned that trying to set policy on personal versus professional use of tech gear can be a real sand trap, especially if your users are board members and C-level executives.

4: Maintenance and procurement

It's important to buy from, and maintain technology with, proven vendors. Traditionally, IT certifies vendors based on performance. So when you open up your company to a plethora of consumer device options, you should also publish a list of vendor purchase and service options that cover those devices and the geographical service areas within your IT footprint -- and an easy procedure for end users to follow when they purchase or need to maintain a device.

5: Application deployment

As more enterprise IT departments develop applications for mobile devices, they must also test and certify the apps with each device they want to deploy the app on. It's wasteful for the business to repeat this test-and-certify process with an endless list of devices and vendors. IT needs to collaborate with the business so that a short list of acceptable device choices that will run corporate apps can be agreed upon.

6: Patches and updates

With all those diverse devices in the field, it is likely left to IT to ensure that current software is on each one -- and that all devices using specific software are using the same version of that software. Centralized network management software allows for automatic downloadable updates that sync all devices to the correct version of software when they dock onto the network -- and it should be standard equipment on the corporate network.

7: Data ownership

Data ownership belongs in the same discussion as personal versus professional use of an end device. Data responsibilities should be addressed early in the discussion of end devices and how they will be used within the company. If you haven't already done this, address it immediately. For the protection of intellectual property and also for purposes of security, governance, and data stewardship, corporate data residing on mobile devices should be safeguarded -- and there should be ways to retrieve it. It is not good policy to store corporate data alongside pictures of family reunions. This issue of keeping data segregated (along with the risks if you don't) needs to be addressed head-on with other business executives so you know whether you have their unequivocal support.

8: Ruggedized devices

It never fails. You have an employee who works out in the warehouse yard and drops an iPhone on the pavement where it shatters. Or someone goes into a refrigerated storage area and tries to use a consumer-grade device to monitor temperatures and send data back into a centralized warehouse system. Or you get a law enforcement officer who thinks that a standard consumer-grade notebook is good enough for him to use in his squad car.

Unfortunately, there are industrial-strength environments out there where consumer-grade technology just won't stand up. A laptop in a squad car must be custom-built and ruggedized for squad car use. If employees are working in areas where it is likely they could drop a device on the concrete or if they require a device to monitor temperature in a cold environment like a freezer, they will need a special handheld device designed for these tasks. In these cases, IT has to put its foot down.

9: Corporate end-user device policy

To control the propagation of end-user devices coming into the enterprise, IT departments that have BYOD policies usually set limits on the devices they will accept and support. This is done by publishing a "choice list" of approved devices that end users must select from. Working with HR, IT also needs to establish the do's and don'ts for data allowable on these devices, personal security practices, who may use the devices, etc.

10: Support of C-level executives

Most important, IT should ensure that key executives in the business firmly and consistently back the BYOD policy. If these executives bring in their devices and blatantly disregard corporate policy, it's going to be hard to enforce the policy at the staff level.

About

Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President o...

34 comments
hug.login

have slaves ever brought their own chains? Probably not!

DerekBez

Have I missed the point of BYOD? I was under the impression it was where employees use their own devices to interact with company systems. Sorry Mary, I may have misunderstood where you're coming from, but it seems the list in this article is more about standard BAU issue of company devices. So, for example, in the "ruggedised" point where the warehouse worker drops his iPhone. Bad luck. It's his iPhone. If the company I worked for tried to patch my BYOD tablet, I wouldn't be working there. Or more likely, I wouldn't declare that I had one. Regarding lost devices and data ownership - and to a degree apps - the "simple" solution is not to store any data on employees' BYOD toys. All company systems that you want to have used on BYOD devices should be accessed via the web and never reside anywhere but the company's servers. Employee loses their phone, or leaves the company, no problem with data.

philswift

BYOD is a ticking time-bomb that will lose the British people security of data. It is also a risk to National Security and Border Control. Lily-livered and weak IT managers did not stand up and argue and educate. Now it is too late and we will see the fallout from this horrendous trend. Any company of any size must have a limited number of hardware devices on an approved hardware list or pay the consequences. Users do not know best; end of; and it's tough love time with hard education policies. The less the better. One phone, one laptop and one tablet/pad/slate/pad on the list. That's it. Any ROI that is attained by BYOD is blown out of the water with increased IT helpdesk costs and data loss. Remember; the amount of data lost to who knows where, is hardly ever reported. Support great design and innovation at home (as in NOT working or downtime) but anything to do with work (stuff you rely on for income and livelihood to feed and nurture your family) forget BYOD. It's like soldiers in the American Civil War turning up with a lovely personalised crafted pistol instead of a Hawken rifle....FFS people..wake up.

andy.fox

Why do we feel that we must bend to the BYOD clamour? I'm receiving 4 or 5 emails every day from some company or other trying to sell me something to ease the pain of BYOD. I'm not having BYOD; I don't need it and it's more trouble than it's worth. If someone needs some tech for their job then the company will provide. BYOD, fine, but don't expect to connect it to the corporate network and be prepared to FIYS (Fix It Your Self).

Deadly Ernest

How far is this BYOD idea going to go? We have people saying I should bring in my own phone, tablet, and/or laptop. OK, what if I want to bring in my own wireless point so I can have wireless in my office and not have my desk tied down by the patch cable? With the BYOD concept I have to be able to do this, as a wireless point has no real difference in the connectivity aspects from any of the others; they all connect by wireless. Thus putting in my own wireless point makes my connecting all these items a lot easier. Naturally, once this is done the entire network is wide open to attack - but then it was once you allowed all the other devices to connect in whatever way they could as well.

holdup

I'd also suggest that anyone who tells you that the iDevices are secure because they use the App Store - firstly gets a slap, and secondly reads the research papers by Felix 'FX' Lindner, who tears apart the Apple security model and has found vulnerabilities as simple as cross-site scripting in the search query of the App Store...

michaeldonovan

While the premise of this article is a good one, it is woefully lacking in any kind of real world content. I could write volumes, but let me zero in on one point that seems to not be based on anything except empty platitudes: patches and updates. I hate to be harsh, but did Mary do any research? "Centralized network management software allows for automatic downloadable updates that sync all devices to the correct version of software when they dock onto the network -- and it should be standard equipment on the corporate network." What is Mary talking about? Consider the phone platforms out there. The bulk of the market uses Androids. The operating systems (at least three flavors) are governed by the carriers. For example, Verizon tinkers with the OS on their phones so they can lock people out of what would be free features. This way Verizon can charge for things like GPS and sending pictures via email. When you do an update on an Android phone, you are getting the latest release of what Verizon (or other carriers) are releasing. It's been my experience that the carrier-provided OSes are always a couple of revs out. The carriers have no incentive for updating OS code unless they get lots of complaints. Even then they drag their heels. So good luck keeping Androids up to date. iDevices are better. At least there is a single OS per device type out there. And with reporting you can tell if they have updated their phones. Apple even makes a product where you can force updates over the air, but the phones have to be at a minimal patch level for that to work. But I would love to know how support works for that. We recently discovered that we have more people connecting to our mail servers with mobile devices than using Outlook. In a 50,000 person company, that can translate to tens of thousands of users requiring support for phone updates. So I am glad that Mary wrote the article. This issue needs visibility.
But I would love to see more input from IT shops in an article like this.

hforman

At one point in the article, it sounded like the author was talking about the business buying laptops and letting the employees put their own stuff on them. This is not really true BYOD. In BYOD, the implication is that the "employee" owns the device and not the company. Here are some things I get concerned about:

1. Remote Wipe. Although there is now software available to ONLY wipe business data if the device is lost and leave Grandma's photos alone, many companies (including where I work) insist they have the right to remote wipe an ENTIRE device.

2. Reporting Lost or Stolen Devices. This not only applies to BYOD but also to even company-owned portable devices. If an employee doesn't want any record to be of a lost/stolen device, nor do they want a remote wipe, they will tend not to report the device missing. Could be a disaster if company data is on the phone.

3. eDiscovery. This is a big one! I agree with what ka5s said about the company having a right to search the device for illegal whatever. The big one is really eDiscovery! With eDiscovery, if the company gets sued, any device that may be remotely considered relevant to the decision gets "confiscated". That includes your personally owned device and you do not have a way to go around that (there was a recent case where a woman was withholding a laptop with information relevant to her husband's wrong-doing and she lost and had to give up the laptop). No, you don't get to just have someone LOOK at your laptop. They actually take it away.

OK, here is how it is going to work in my environment. Anyone using any personal device for company business will have that device removed from the network until they sign appropriate forms. These forms will give the authorization to have the device inspected on demand, reported as a loss immediately, wiped COMPLETELY on demand and surrendered for an indeterminate period if it becomes part of any investigation or legal action. In exchange for what?
The owner will receive $40 per month (taxable and pensionable) to cover the business use. The owner will surrender the device for inspection prior to approval and have company security standards examined as well as mobile device applications loaded (such as Symantec MDM). This whole thing is voluntary on both the department and on the employee. There has to be a pre-existing need for the use of a device by the employee to begin with (you can't just "sign up"). They found that the cost savings was not a lot as some of you might think. The analysis claims that it saves $13 per month per employee (and this stipend plan only covers cell phones, at the moment). Personally (especially since I'm a contractor), I only use my phone at work to hold my boss' telephone number.

Lost_in_NY

to access company apps from personal devices and prevent any local saving of company data. The only mobile devices we support are company-issued Blackberrys and laptops - if you'd rather use your own smartphone/tablet/laptop, you can get to company apps via Good for email or Citrix for email and everything else. If you choose this BYOD then you have to give back your Blackberry but we then give you the same as we were spending for it under the corporate data plan. If you spend more, you pick it up and the only thing we support is getting Good or Citrix to run on your device. It doesn't save anything, but so far (after a little over a year) doesn't seem to cost any more either.

robo_dev

Lots of banks use the Good Mobile Messaging "Good for Enterprise" solution for BYOD. It's actually better than Blackberry's security model since it's a LOT simpler (therefore more foolproof). Without getting into all the details, data at rest is encrypted, data in motion is encrypted, it forces strong passwords, has remote-wipe, all the good stuff :) By the way, I don't work for them, but I use the app and have vetted the security of it.

Non-techie Talk

...is about security. I guess it really is not possible to discuss BYOD without talking about security, because security is the 800-lb gorilla amongst BYOD issues. However, if you have the ambition to attempt to make a list of non-security-related issues, a little organization of thoughts would have helped: you could have started at the beginning with Procurement, then Ruggedized hardware, then Long range vendor plans, then Maintenance, then Applications, then Updates/Patches, then Data Ownership, and follow accordingly, almost chronologically in terms of the point at which an issue would present itself. I can appreciate having to move at the speed of business, and the democratizing effect of the interweb and all that, but we clearly have not outlived the need for proper editing.

mckinnej

I still don't get this trend. What is the motivation to provide your own device without compensation? Is there a real business need or are we just trying to be cool or hip? If it is the former then BYOD is a dead issue. They should be banned and only company-owned and approved devices can connect to the network. If the motivation is the latter, then bring in your own desk and office supplies. Heck, bring in your own office and your own paycheck while you're at it. You'll have the company's eternal gratitude. See how well that spends at the grocery store.

l_creech

If you are in an industry that has to meet state and/or federal compliance rules you pretty much have no choice but to ban BYOD. It is absolutely impossible to make a device which the company does not have absolute control over compliant, and most employees who want BYOD want them because the government has forced IT's hand to the point of making everybody's lives difficult. As for law enforcement, as soon as you enter an airport or other travel terminal (bus, train, ship, ferry) the rules are such that any item in your possession can be fully investigated and/or seized without a warrant. We can thank the continually renewed Patriot Act for that one. Sanitized or no-go is my policy; if I need access to data while traveling I have memorized all my VPN and RDP data so that access is easily attained.

Deadly Ernest

choose not to BYOD? Will they fire you or refuse to employ you? Several years ago I refused to carry my own cell phone at work or to give anyone at work the number, claiming I didn't have one. What was interesting was I was the only member of staff who NEVER got called out of an evening or weekend when I wasn't officially on duty with the official duty phone. If they couldn't reach the duty person (often happened due to poor coverage in the city - very hilly), they picked people at random off the staff list and called them on their cell phones; couldn't do that to me. How would my taking the same approach to this BYOD business affect my employment?

ka5s

Add another: The contents may be copied and searched for evidence of anything from illegal music to pornography to bin Laden's orders. Some firms go so far as to issue sanitized laptops for employees travelling on business.
