The benefits of staff using their own devices for work outweigh the risks – and some basic approaches can cut the risks without killing off the positives, says Bob Tarzey.

Recent Quocirca research among European, US and Australian small businesses emphasises the growth in staff using their own devices to access corporate IT.

Over 70 per cent of firms interviewed said they allowed at least some staff to use their own devices to access certain applications and data.

Chief information security officers (CISOs) in larger businesses admit that one of the reasons their organisations are also observing the same trend is that in practice it’s hard to stop.

That’s because senior staff insist on such access, while junior employees seek ways around controls, including the use of other communications channels if their personal devices are blocked from access to formal ones, such as corporate email.

However, as the research shows, there are positive reasons for allowing such access. The use of smartphones is fundamental to enabling remote working.

Over 90 per cent of the small business managers interviewed had staff who worked out of the office at some point during the week and they were the ones most likely to be using such devices for remote IT access.

Of course, it is not just smartphones. Many of those employees will already have notebook and laptop computers and they are also rapidly turning to tablets.

Over 40 per cent of the respondents in the recent research said some of their employees were using such devices and another 20 per cent expected this to be the case within 12 months.

In many cases, remote workers – for example, field service engineers logging faults and social workers filing home visit reports – will be using company-issued mobile devices to participate in locked-down business processes.

However, for a growing majority it is simply about more flexible working and access to information as and when it is needed – such ‘information workers’ are behind the mobility revolution that is going on in the IT industry and readers of will mostly fit that category.

However, regardless of all the benefits, information workers present their employers with a problem. How do you keep control of the information itself? How do you benefit from mobility and consumerisation without losing control, becoming a victim of data loss and coming to the notice of regulators?

There is also a problem for the users themselves. As they switch from one device to another for convenience, how do they get a consistent view of their data?

There is no silver bullet for solving the employer’s problem but there are ways of reducing the risks. First, a business must take as much control of its data as it can.

It is possible to secure mobile devices themselves using encryption and host-based, end-point security but there’s the problem of device ownership. Installing software on the users’ own devices creates licensing and management issues.

For many, a better way is to impose centralised controls – that is, provide a means of accessing data that’s easy to use and requires minimal modification of the user’s device.

There are three basic approaches. To achieve its goals, a given organisation may need to use one or more of them:

1. Virtual desktops

  • Here, data is not actually processed on the device, but the device is simply an access tool to a desktop that is available anywhere the user can get online.
  • There are limitations with this approach when it comes to smartphones due to screen and keyboard size, but software in this area is improving fast – for example, Citrix Receiver. However, it may still require some locally installed software for some advanced functions.

2. View and update data only

  • Provide access to applications that allow data to be viewed and updated, but not copied. For example, just because you allow employees to read email remotely does not mean the actual content needs to be copied to a device.
  • Such applications can be provided through corporate app stores that support the range of devices employees want to use. Users proactively download the applications, providing their consent for installation in the process. This approach is the best way to provide access to corporate applications such as CRM and ERP systems for those on the move.

3. Central document stores

  • Provide direct access to central document stores. Here, with the right products, access can be provided to view files with appropriate caveats. Public domain documents such as market materials can be freely copied and used later offline, while restricted documents can only be viewed online, helping to protect an organisation’s digital rights.
  • Some products require no local software to be installed to provide such access. Offerings here include portals such as Microsoft SharePoint or specific file-sharing or back-up services such as Trend Micro’s SafeSync and Druva inSync.
  • Druva inSync also helps solve the employee’s access problem. If the central data store supports access from multiple operating systems, such as Android, iOS and Windows, inSync gives employees access to documents from whatever device they happen to be using.
  • Providing this is a secure service, it also helps prevent another insidious problem. If there is no easy-to-use method for centrally storing documents, then employees may synch their devices using other services – some secure, some less so. Employers may then have no idea where their data is ending up.

Generally speaking, the benefits of consumerisation outweigh the risks, provided those risks are mitigated as far as possible. Employers that are proactive in this area will ultimately find they get more out of their employees, without taking unnecessary risks with their data.

Bob Tarzey is a director at Quocirca, a user-facing analyst house known for its focus on the big picture. Made up of experts in technology and its business implications, the Quocirca team includes Clive Longbottom, Bob Tarzey, Rob Bamforth and Louella Fernandes. Their series of columns for seeks to demystify the latest jargon and business thinking.