
10 BYOD concerns that go beyond security issues

The BYOD trend has introduced a variety of security issues to the enterprise -- but IT has a lot more to worry about than security.

Consumerization of end-user devices in companies is here to stay. This means freedom of device choice for business users and a boatload of security worries for CIOs. But let's not talk about security for a change. What else should you be thinking about if you are IT and must support this avalanche of devices? Here are 10 concerns to keep in mind.

1: Long-range vendor plans

The producers of consumer-grade devices develop their products based on the consumer market. This means that products may not necessarily line up well with enterprise technology planning and integration needs. It is best to support end-user devices from companies that also serve the enterprise market, because these companies understand the requirements and are more likely to develop products that work well in enterprises.

2: Lost devices

Thirty billion dollars worth of mobile phones were lost in the U.S. alone last year. Many companies have rigorous security procedures for mobile devices but forget to enact a lockdown procedure when mobile devices with vital data are lost in the field. Your procedures for mobile devices should include lockdown.

3: Personal and professional use of mobile devices and other technology

A few years ago as a CIO, I found myself in a three-hour board meeting, with the board of directors debating whether the laptop computers they were given and that were purchased by the company should be used only for company-related work -- or whether they could upgrade these devices on their own, let their kids use them, and even secure their own local service providers (paid for by the company, of course).

The meeting caught me by surprise. As a CIO, it seemed natural to me that a board member would understand the importance of keeping company equipment secure and dedicated to company business. Instead, this meeting proved to be a wake-up call. I learned that trying to set policy on personal versus professional use of tech gear can be a real sand trap, especially if your users are board members and C-level executives.

4: Maintenance and procurement

It's important to have proven vendors that you purchase from and maintain technology with. Traditionally, IT certifies vendors based on performance. So when you are opening up your company for a plethora of consumer device options, you should also have a list of vendor purchase and service options that cover the devices and the areas of geographical service within your IT footprint -- and an easy procedure for end users to follow when they purchase or need to maintain a device.

5: Application deployment

As more enterprise IT departments develop applications for mobile devices, they must also test and certify the apps with each device they want to deploy the app on. It's wasteful for the business to repeat this test-and-certify process with an endless list of devices and vendors. IT needs to collaborate with the business so that a short list of acceptable device choices that will run corporate apps can be agreed upon.

6: Patches and updates

With all those diverse devices in the field, it is likely left to IT to ensure that current software is on each one -- and that all devices using specific software are using the same version of that software. Centralized network management software allows for automatic downloadable updates that sync all devices to the correct version of software when they dock onto the network -- and it should be standard equipment on the corporate network.

7: Data ownership

Data ownership is in the same discussion as personal versus professional use of an end device. Data responsibilities should be addressed early in the discussion of end devices and how they will be used within the company. If you haven't already done this, it should be addressed immediately. For the protection of intellectual property and also for purposes of security, governance, and data stewardship, corporate data residing on mobile devices should be safeguarded -- and there should be ways to retrieve it. It is not good policy to store corporate data with pictures of family reunions. This issue of keeping data segregated (along with the risks if you don't do this) needs to be addressed head on with other business executives so you know if you have their unequivocal support.

8: Ruggedized devices

It never fails. You have an employee who works out in the warehouse yard and drops an iPhone on the pavement where it shatters. Or someone goes into a refrigerated storage area and tries to use a consumer-grade device to monitor temperatures and send data back into a centralized warehouse system. Or you get a law enforcement officer who thinks that a standard consumer-grade notebook is good enough for him to use in his squad car.

Unfortunately, there are industrial-strength environments out there where consumer-grade technology just won't stand up. A laptop in a squad car must be custom-built and ruggedized for squad car use. If employees are working in areas where it is likely they could drop a device on the concrete or if they require a device to monitor temperature in a cold environment like a freezer, they will need a special handheld device designed for these tasks. In these cases, IT has to put its foot down.

9: Corporate end-user device policy

To control the propagation of end-user devices coming into the enterprise, IT departments that have BYOD policies usually set limits on the devices they will accept and support. This is done by publishing a "choice list" of approved devices that end users must select from. Working with HR, IT also needs to establish the do's and don'ts for data allowable on these devices, personal security practices, who may use the devices, etc.

10: Support of C-level executives

Most important, IT should ensure that key executives in the business firmly and consistently back user BYOD policy. If these executives bring in their devices and blatantly disregard corporate policy, it's going to be hard to enforce the policy at the staff level.

About

Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President o...

34 comments
hug.login

Have slaves ever brought their own chains? Probably not!

DerekBez

Have I missed the point of BYOD? I was under the impression it was where employees use their own devices to interact with company systems. Sorry Mary, I may have misunderstood where you're coming from, but it seems the list in this article is more about standard BAU issue of company devices. So, for example, in the "ruggedised" point where the warehouse worker drops his iPhone. Bad luck. It's his iPhone. If the company I worked for tried to patch my BYOD tablet, I wouldn't be working there. Or more likely, I wouldn't declare that I had one. Regarding lost devices and data ownership - and to a degree apps - the "simple" solution is not to store any data on employees' BYOD toys. All company systems that you want to have used on BYOD devices should be accessed via the web and never reside anywhere but the company's servers. Employee loses their phone, or leaves the company, no problem with data.

philswift

BYOD is a ticking time-bomb that will lose the British people security of data. It is also a risk to National Security and Border Control. Lily-livered and weak IT managers did not stand up and argue and educate. Now it is too late and we will see the fallout from this horrendous trend. Any company of any size must have a limited number of hardware devices on an approved hardware list or pay the consequences. Users do not know best; end of; and it's tough love time with hard education policies. The less the better. One phone, one laptop and one tablet/pad/slate/pad on the list. That's it. Any ROI that is attained by BYOD is blown out of the water with increased IT helpdesk costs and data loss. Remember; the amount of data lost to who knows where, is hardly ever reported. Support great design and innovation at home (as in NOT working or downtime) but anything to do with work (stuff you rely on for income and livelihood to feed and nurture your family) forget BYOD. It's like soldiers in the American Civil War turning up with a lovely personalised crafted pistol instead of a Hawken rifle....FFS people..wake up.

andy.fox

Why do we feel that we must bend to the BYOD clamour? I'm receiving 4 or 5 emails every day by some company or other trying to sell me something to ease the pain of BYOD. I'm not having BYOD, I don't need it and it's more trouble than it's worth. If someone needs some tech for their job then the company will provide. BYOD, fine, but don't expect to connect it to the corporate network and be prepared to FIYS (Fix It Your Self).

Deadly Ernest

How far is this BYOD idea going to go? We have people saying I should bring in my own phone, tablet, and / or laptop. OK, what if I want to bring in my own wireless point so I can have wireless in my office and not have my desk tied down by the patch cable? With the BYOD concept I have to be able to do this as a wireless point has no real difference to the connectivity aspects than any of the others do, they all connect by wireless. Thus putting in my own wireless point makes my connecting all these items a lot easier. Naturally, once this is done the entire network is wide open to attack - but then it was once you allowed all the other devices to connect in whatever way they could as well.

holdup

I'd also suggest that anyone who tells you that the idevices are secure because they use the app store - firstly gets a slap, and secondly reads the research papers by Felix 'FX' Lindner who tears apart the Apple security model, and has found vulnerabilities as simple as cross site scripting in the search query of the app store...

michaeldonovan

While the premise of this article is a good one, it is woefully lacking in any kind of real world content. I could write volumes, but let me zero in on one point that seems to not be based on anything except empty platitudes: patches and updates. I hate to be harsh, but did Mary do any research? "Centralized network management software allows for automatic downloadable updates that sync all devices to the correct version of software when they dock onto the network -- and it should be standard equipment on the corporate network." What is Mary talking about? Consider the phone platforms out there. The bulk of the market uses Androids. The operating systems (at least three flavors) are governed by the carriers. For example Verizon tinkers with the OS on their phones so they can lock people out of what would be free features. This way Verizon can charge for things like GPS and sending pictures via email. When you do an update on an Android phone, you are getting the latest release of what Verizon (or other carriers) are releasing. It’s been my experience that the carrier provided OS’s are always a couple of revs out. The carriers have no incentive for updating OS code unless they get lots of complaints. Even then they drag their heels. So good luck keeping Androids up to date. I-Devices are better. At least there is a single OS per device type out there. And with reporting you can tell if they have updated their phones. Apple even makes a product where you can force updates over the air but the phones have to be at a minimal patch level for that to work. But I would love to know how support works for that. We recently discovered that we have more people connecting to our mail servers with mobile devices than using Outlook. In a 50,000 person company, that can translate to 10’s of thousands of users requiring support for phone updates. So I am glad that Mary wrote the article. This issue needs visibility. But I would love to see more input from IT shops in an article like this.

hforman

At one point, in the article, it sounded like the author was talking about the business buying laptops and letting the employees put their own stuff on them. This is not really true BYOD. In BYOD, the implication is that the "employee" owns the device and not the company. Here are some things I get concerned about:

1. Remote Wipe
Although there is now software available to ONLY wipe business data if the device is lost and leave Grandma's photos alone, many companies (including where I work) insist they have the right to remote wipe an ENTIRE device.

2. Reporting Lost or Stolen Devices
This not only applies to BYOD but also to even company-owned portable devices. If an employee doesn't want any record to be of a lost/stolen device, nor do they want a remote wipe, they will tend not to report the device missing. Could be a disaster if company data is on the phone.

3. eDiscovery
This is a big one! I agree with what ka5s said about the company having a right to search the device for illegal whatever. The big one is really eDiscovery! With eDiscovery, if the company gets sued, any device that may be remotely considered relevant to the decision gets "confiscated". That includes your personally owned device and you do not have a way to go around that (there was a recent case where a woman was withholding a laptop with information relevant to her husband's wrong-doing and she lost and had to give up the laptop). No, you don't get to just have someone LOOK at your laptop. They actually take it away.

OK, here is how it is going to work in my environment. Anyone using any personal device for company business will have that device removed from the network until they sign appropriate forms. These forms will give the authorization to have the device inspected on demand, reported as a loss immediately, wiped COMPLETELY on demand and surrendered for an indeterminate period if it becomes part of any investigation or legal action. In exchange for what? The owner will receive $40 per month (taxable and pensionable) to cover the business use. The owner will surrender the device for inspection prior to approval and have company security standards examined as well as mobile device applications loaded (such as Symantec MDM). This whole thing is voluntary on both the department and on the employee. There has to be a pre-existing need for the use of a device by the employee to begin with (you can't just "sign up"). They found that the cost savings was not a lot as some of you might think. The analysis claims that it saves $13 per month per employee (and this stipend plan only covers cell phones, at the moment). Personally (especially since I'm a contractor), I only use my phone at work to hold my boss' telephone number.

Lost_in_NY

to access company apps from personal devices and prevent any local saving of company data. The only mobile devices we support are company-issued Blackberrys and laptops - if you'd rather use your own smartphone/tablet/laptop, you can get to company apps via Good for email or Citrix for email and everything else. If you choose this BYOD then you have to give back your Blackberry but we then give you the same as we were spending for it under the corporate data plan. If you spend more, you pick it up and the only thing we support is getting Good or Citrix to run on your device. It doesn't save anything, but so far (after a little over a year) doesn't seem to cost any more either.

robo_dev

Lots of banks use the Good Mobile Messaging "Good for Enterprise" solution for BYOD. It's actually better than Blackberry's security model since it's a LOT simpler (therefore more foolproof). Without getting into all the details, data at rest is encrypted, data in motion is encrypted, it forces strong passwords, has remote-wipe, all the good stuff :) By the way, I don't work for them, but I use the app and have vetted the security of it.

Non-techie Talk

...is about security. I guess it really is not possible to discuss BYOD without talking about security, because security is the 800lb gorilla amongst BYOD issues. However, if you have the ambition to attempt to make a list of non-security-related issues, a little organization of thoughts would have helped: you could have started at the beginning with Procurement, then Ruggedized hardware, then Long range vendor plans, then Maintenance, then Applications, then Updates/Patches, then Data Ownership, and follow accordingly, almost chronologically in terms of the point at which an issue would present itself. I can appreciate having to move at the speed of business, and the democratizing effect of the interweb and all that, but we clearly have not outlived the need for proper editing.

mckinnej

I still don't get this trend. What is the motivation to provide your own device without compensation? Is there a real business need or are we just trying to be cool or hip? If it is the former then BYOD is a dead issue. They should be banned and only company-owned and approved devices can connect to the network. If the motivation is the latter, then bring in your own desk and office supplies. Heck, bring in your own office and your own paycheck while you're at it. You'll have the company's eternal gratitude. See how well that spends at the grocery store.

l_creech

If you are in an industry that has to meet state and/or federal compliance rules you pretty much have no choice but to ban BYOD. It is absolutely impossible to make a device which the company does not have absolute control over compliant, and most employees who want BYOD want them because the government has forced IT's hand to the point of making everybody's lives difficult. As for law enforcement, as soon as you enter an airport or other travel terminal (bus, train, ship, ferry) the rules are such that any item in your possession can be fully investigated and/or seized without a warrant. We can thank the continually renewed Patriot Act for that one. Sanitized or no-go is my policy, if I need access to data while traveling I have memorized all my VPN and RDP data so that access is easily attained.

Deadly Ernest

choose not to BYOD? Will they fire you or refuse to employ you? Several years ago I refused to carry my own cell phone at work or to give anyone at work the number, claiming I didn't have one. What was interesting was I was the only member of staff who NEVER got called out of an evening or weekend when I wasn't officially on duty with the official duty phone. If they couldn't reach the duty person, often happened due to poor coverage in the city - very hilly, they picked people at random off the staff list and called them on their cell phones, couldn't do that to me. How would my taking the same approach to this BYOD business affect my employment?

ka5s

Add another: The contents may be copied and searched for evidence of anything from illegal music to pornography to bin Laden's orders. Some firms go so far as to issue sanitized laptops for employees travelling on business.

Deadly Ernest

security aspect, although does come in to play. If I have a company phone and lose it, they wear the cost unless they can show negligence. But if I lose my own phone it's no cost to the company.

CharlieSpencer

I'm too cheap. Have you noticed you never hear anyone asking if they can bring in their own desktop or monitor? Keyboards and mice, sure, but those are inexpensive peripherals.

robo_dev

In an organization I worked with, they had something like 1000 Blackberry users who really had two cell phones (their iPhone and the company issued Blackberry). By going to a BYOD, that's 1,000 fewer devices to buy and support. The users were happier since having two smartphones is a PITA. Plus, the BYOD solution does not lock the IT folks into having a single solution (e.g. Blackberry Enterprise Server). The same BYOD solution is used for company-issued IOS devices.

robo_dev

There are BYOD solutions that meet the requirements. The BYOD security models are no different than the non-BYOD (e.g. Blackberry) security models. Don't forget that when you're using a VPN connection, that's a BYOD device, typically. Most times employees connect to the company VPN with their home PC. The security strategy of BYOD solutions is no different than that of a VPN client...use strong encryption for data in transit, protect/encrypt data at rest, and make sure the right controls are in place over both authentication and the communications channel. I think folks believe that BYOD means doing web-mail to the company email system and suddenly downloading spreadsheets and docs to their iPad for editing....it does not work that way. BYOD devices (using an enterprise-app to manage them) have the same or better security controls than non-BYOD devices.

mperata

I read on a different thread that because of the nearly unbreakable security of the current iPod/iPads they are not allowed in secured environments like the CIA/NSA/DOD. I don't know if this is true, but imagine showing up to a DOD contractor's office to pitch your company's brand new does everything product and the sales presentation is on a banned BYOD.

robo_dev

If you worked for me, and I had to take the calls that you did not take, the little checkmarks on the annual performance review about 'team player' would remain unticked :)

MCSquaredEqually

You would likely end up in the same situation as you described with the phone; 2 devices, 1 personal and 1 for work. If they insist on BYOD, it would just lead you to purchasing a device for their data (whether you're reimbursed or not depends on your bargaining skills).

CharlieSpencer

for those people who are asking to BYOD even when there is no pressure from above, even when the C-suite isn't asking. I think a lot of it is ego, a way to say either 'I'm important enough to be able to choose my toys', or 'Look at my latest / greatest toy'.

mckinnej

Thanks for that. It makes sense and people are dumb enough to fall for it.

CharlieSpencer

What about the costs of supporting all these various platforms and operating systems? What about the lost productivity when an employee's consumer-grade device breaks or gets malware?

GAProgrammer

on the devices. Any actual savings are computed by (cost of devices for the company) vs (the solutions the company has to buy to support BYOD, especially iOS in an AD environment plus the staff cost of supporting the devices). I am pretty sure the costs are, at best, break even unless you are a 10 person company. Plus BYOD doesn't solve any real business problems unless the devices are on an approved list. I can tell you, I am NOT going to decide which phone I am going to buy based on whether or not my IT department will support it. I put BYOD on the list of ideas that never work because of the details, with a few exceptions. The only problem BYOD solves: users whining. Otherwise, IT can just give devices that already work with existing infrastructure, are secured and in full compliance.

CharlieSpencer

He's not taking the calls that others should have. If you supervised this team, you should be upset at those who weren't available when they should have been, not someone who wasn't scheduled to be on call.

Deadly Ernest

as I always have. BYOD should be ONLY for those cases where I want something different to what the corporation uses, that's my choice; it should not be something the corporation decides I have to provide. If I use my car for work I get paid mileage, but if I don't have a car and you want me to drive somewhere, you need to provide it. Same with anything else, if you insist I have it, it's up to you to make it available. As for being a team player, every organised sports team I've ever played on, the team management provided the uniform that identified me as one of the team.

CharlieSpencer

In many skilled trades, it's often expected for an employee to provide his or her own tools. Having your own vehicle is often a condition for employment; Pizza Hut isn't going to provide a car for deliveries.

Deadly Ernest

for it and its usage, or reimburse me for the usage. So, if they insist I have one, I'll put a requisition to purchase through the corporate system for them to buy it. Forcing staff to buy things for work is just wrong.

CharlieSpencer

there might be a chance to purchase the one you previously used, at a discount.

Non-techie Talk

The only thing I might say to you in response to "the people falling for it" is that it's increasingly difficult for "the people" to stop the march of "progress." If my company announces that they're no longer providing a laptop to do my job, I either go without, use/buy my own, or try to find another job, whether I agree with their decision or not. I didn't necessarily "fall for it," it's more that I can't force them to understand that their decision is as silly as deciding they'll no longer buy desks and chairs, I'll have to bring my own or work from home. Are the people powerless? No. More and more people can decide to figure out how to go into business for themselves and then create the workplace they want. Look, for example, at a company like Google, with their creative 20% days and foosball tables and all that (whether all that lasts is another conversation). And, we can at least exercise our rights to assemble (whether physically or virtually) and talk, raising awareness through conversation, to help more people realize what's really going on behind the propaganda, confusion and subterfuge (all these articles coming out saying one thing, and then another thing, are distracting us from the reality that emerges as we put two and two together, that, once again, management is screwing labour and pocketing the difference).

Deadly Ernest

most plumbers, carpenters, etc are sub-contractors and the PH drivers are casual contractors on a per mile rate or a per piece rate. I once worked at both in my misspent youth. Where big construction firms employ plumbers or electricians or carpenters as full-time employees and not contractors they usually supply the trucks and tools for them as well.