BYOD, which stands for Bring Your Own Device, refers to the growing trend of employing personally owned devices in the workplace, usually connecting them to a workplace network. Those of you who consult in network administration and security probably cringe when you think about the possible security implications of that. Some have even suggested an alternative interpretation of the initials as Bring Your Own Disaster. While those concerns are valid, that isn’t what this post is about. I’ll leave that to the IT Security blog, and focus instead on what BYOD policies mean for consultants who want to connect their devices to clients’ networks.
We consultants have been bringing our own for a long time. Back in 1991 when I first started consulting, I usually worked in a terminal emulator running on my own system that connected via modem over a telephone line to my clients’ systems. Between telnet and kermit, it was almost like being there — and we didn’t worry about encryption because we deemed an analog telephone line reasonably secure.
As Internet access proliferated, companies naturally became interested in retiring their modems and phone lines in favor of connection options that made use of this new, unified network. We soon discovered, however, that the more people you put on the same network, the likelier it is that some of them have malicious intent. With a large enough sample size, a significant portion of those crackers developed skills that rendered traditional security measures laughable.
Enter secure Internet-based solutions such as Virtual Private Networks (VPNs). These work great, except when they don’t. And when they don’t, it isn’t a problem for most of your client’s employees who connect directly to a local network. It’s only a problem for you, the remote consultant. So you’re the one who discovers that it’s down. You’re the one who can’t get anything done until it comes back up. You’re the one who requires the extra time and effort from the network admin. Your client may begin to wonder if you’re worth the trouble.
Back in the old days whenever I visited a client site, I’d use their equipment. With the drop in the price and weight of notebook computers relative to performance around the year 2000, it suddenly made sense to bring my own computer on those visits. Nevertheless, connecting it to the client’s network always seemed to run into some glitch that consumed valuable time.
One benefit I see with the BYOD trend, therefore, is the increasing expectation that connecting foreign devices is a normal practice in which everyone participates. Your client will have to become familiar with the process, and establish policies that make it smooth and secure. When problems arise with it, their employees will be just as inconvenienced as you are. Making it work will be part of doing business, instead of a special accommodation for the outsider.
There will still be some differences between the ways consultants connect versus employees. Even though they’re connecting foreign devices, employees may still be using a local network connection rather than the Internet. I think that difference will gradually disappear as more employees work from home or in remote offices.
A bigger difference, from my experience, is that employees will typically connect their devices to the private network of only one employer. Consultants have to deal with multiple customers, and sometimes security policies can be a bit exclusive. If my experience with VPNs is any indicator, watch out for connections that automatically prevent you from accessing other networks — even when you’re no longer connected to theirs. The flip side of that, though, is that your client may have a legitimate concern about the security of their information if you’re allowed to indiscriminately go from their network to someone else’s. We need to work with our clients to develop procedures that serve both of those interests.
A third difference involves the business relationship. An employer probably won’t sue an employee if a data security breach occurs because of their device, though they might fire them. With an independent consultant, they could easily do both. Clients expect consultants, as independent vendors, to assume a greater degree of responsibility.