Today's employees want freedom of choice, especially when it comes to mobile devices, but freedom and security are often at odds. Best security practices dictate that administrators have control over all devices that connect to the corporate network, and that becomes difficult or impossible when employees are bringing in whatever devices they want.
We know happier workers tend to be more productive, so we shouldn't dismiss users' desires out of hand. It's also true that the tablet or smartphone that works best for one person might not be the best choice for someone else. There are ways to give users some of that freedom to choose without incurring the security risks of allowing a free-for-all where everyone can connect whatever devices they want to your company network. Solutions range from maintaining ownership of work devices but allowing employees to pick the device/platform to creating an isolated network for connection of employee devices, and there are several other levels in between.
The company will always have the most control over devices that it buys and pays for. That's true in both the legal and psychological sense. When employees invest their own money in a device, they naturally feel "it's mine, so I should be able to do what I want with it." When the company pays, employees are more inclined to accept rules and restrictions.
However, workers are likely to be happier with their devices if they have some "say" in the matter of choosing the brand, model, and/or style. Many large companies already give workers a choice of laptops that the company will provide, and you can easily do the same with tablets and smartphones.
One caveat is to make sure you don't just offer a few different brands that are essentially clones of one another, such as the dozens of Android tablets that are the same size, have the same look, run the same version of the OS, and are differentiated only by the name on the front. It's tempting to do this because you have the illusion of choice while making it easy for IT to support these "different" models, but this isn't the way to make employees happy.
For example, you might not want to go as far as offering a full-sized iPad, a 7-inch Android, and a Windows RT convertible, since that requires IT personnel to learn to support three very different operating systems and hardware configurations (although it would be ideal from the employees' point of view). But at least offer different form factors — a 10-inch slate, a 7-inch slate, a tablet that comes with an attached or detachable keyboard, and maybe one that supports pen input. That way, workers have real choices and can pick what works best with the way they work and their particular job tasks.
Meanwhile, the company owns the devices and can install management software, force encryption, require complex passwords, and so forth. The company can also replace or upgrade the devices as desired, and when an employee leaves, the company retains the device and can issue it to a new employee.
Allow limited personally-owned devices
Although providing company-owned devices and allowing only those devices to connect to the network is the most secure route, the reality is that in today's economy, cost is a consideration. Allowing employees to use their personally-owned devices for work is attractive from a budgetary standpoint. Not only does the company not have the initial capital outlay, but if an employee breaks or loses his/her device, replacement cost is on the employees' shoulders.
However, embracing BYOD doesn't mean you have to allow any and every device employees might buy to connect to the network. You can establish a policy regarding what brands and models are allowed, but be careful with this one; technology advances move quickly and new devices come on the market all the time. You can find your policy falling out of date rather quickly. It may be easier and more effective to limit devices based on operating system(s) and to restrict what apps can be installed.
If you do decide to limit devices by brand/model, first evaluate them based on your security requirements. Your policy can (and should) prohibit the use of rooted or jailbroken devices.
Policies are great, but how do you ensure that users are complying with them? Your IT staff can examine the personally-owned devices on a periodic basis to verify that they're in compliance, in addition to relying on management software systems.
BYOD policy considerations
In developing your BYOD policies, you should consider the following:
- Require logon protection via a PIN or passphrase. If your workers deal with sensitive data, require complex passphrases, not just four-digit PINs.
- Require that data stored on the device be encrypted.
- Require employees who want to use their personally-owned devices undergo training to ensure they understand the policies and safe mobile practices and can recognize signs that their devices have been compromised.
- Consider whether to establish a "white list" or a "black list" to control what apps are allowed on the devices. The first is more restrictive; only those apps on the list are allowed. The latter lists apps that are not allowed.
- Require employees using their own mobile devices to follow the same security policies as those using corporate laptops and desktops. For example, if you don't allow use of peer-to-peer applications or free cloud storage and sharing services (such as Dropbox) on the corporate computers, they shouldn't be allowed on personally-owned mobile devices either.
Put it in writing
It goes without saying that your policies should be in writing and distributed to all participants. In addition to that, all employees who participate in the BYOD program should be required to sign a statement confirming that they received, read, and understand the policy. This can be done in conjunction with the training.
For best security, you should include in the statement that the employee gives the company the right to erase all data and applications on the device, remotely or otherwise, at any time. This should be exercised in case of a security breach, loss of the device, or when the employee leaves the company, to protect any corporate data that might be stored on the device. Wiping data files only is not enough; after all, there may be applications (such as VPN apps) with settings that allow the device to connect to corporate resources.
Your policy and training, along with the statement, should also include a clarification of who owns what data on the devices. Users should understand that the company is not responsible for the loss of any personal data (music, photos, etc.) for any reason.
Mobile device management software
There are a number of mobile device management packages that can be used to enforce password policies, device restrictions, Wi-Fi and VPN configurations, inventory installed apps, monitor device status, and more.
Check out "10 BYOD mobile device management suites you need to know" on ZDNet for a list that will get you started comparing some of the different features and functionality.
Also readTechRepublic and ZDNet delve deeper into this topic in a special report page: BYOD and the Consumerization of IT.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.