Scott Lowe gives tips on how to address various challenges associated with employee-owned devices, including smartphones.
Many IT departments are now required to support employee-owned devices in the workplace. We've seen the beginnings of this bring your own device (BYOD) trend most significantly in the smartphone arena, as employees have demanded broad support for what began life as consumer-grade devices, such as iPhones.
In this article, I discuss the BYOD concept as it relates to computers, but the same kinds of arguments can be made for pretty much any employee-owned device in the workplace, including smartphones.
Potential lack of ongoing support
Systems purchased by the enterprise typically come with at least a three-year warranty, which is one reason that some corporate systems cost more than what you'll find at Best Buy. These warranties can be beneficial to the organization's productivity because they ensure that system problems are resolved in a way that might have little impact on operations.
When employees purchase their devices, cost becomes more of a concern; and when cost becomes a factor, the first thing to go is the warranty. Now, when a component fails, there is an additional cost to have it repaired, and this employee downtime costs the company money.
Mitigation: Regardless of what employees want, a company is within its rights to set appropriate limits on what is allowed and supported. In the event of a BYOD initiative, the company can allow only devices that include, for example, a three-year warranty. Require that employees validate this warranty before allowing devices on the network. The warranty, at a minimum, should match whatever has been the company standard. If you've been getting 24/7 support, require that level of warranty on all supported systems.
Security is a challenge in even the best-run environment. When you throw chaos into the mix by allowing employees to bring whatever device they want to work, you'll see how well security works out. From computers running 30-day antivirus/antispyware trials that are never renewed to a proliferation of spyware-related drive-by downloads, security has the potential to be a mess in a BYOD scenario. These kinds of issues can be the death knell of an organization if they are not well controlled.
Mitigation: Require users to implement antivirus and antispyware software that is provided by the company. You should also require users to keep current with Windows updates and new virus and spyware definitions. Further, don't allow users any kind of direct access to enterprise resources. Even if you require all of the items above, treat non-company-owned machines as hostile entities and require that users make use of some kind of terminal services or virtual desktop in order to use company resources.
No centralized management or tracking
There are a lot of policies that need to be considered for implementation when it comes to BYOD. Beyond requiring employees to use antivirus software, you also need to know who is using your network, even if they are using personal machines. Once you move to personal devices, some of the traditional management tools will no longer suffice.
Mitigation: You should implement an overarching centralized management system that can enforce the BYOD-related organizational policies you put in place. In addition, require users to authenticate in a tracked, centralized manner before making any use of enterprise resources.
I've worked in colleges for quite some time, and we've faced a similar scenario with student computers. At Westminster College, we've implemented a network access control system from Bradford Networks that performs this very task. If students allow their computers to get too out of date, Bradford will warn them to bring things current. Failure to do so results in inability to make use of network resources.
In short, allow BYOD, but only on your terms.
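The warn-then-block admission check described above, sketched as an added example (not code from the article or from any NAC product). The thresholds, field names and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy thresholds; set these to match your own standard.
MAX_DEFINITION_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=35)
GRACE_PERIOD = timedelta(days=5)   # time allowed between first warning and block

@dataclass
class Posture:
    user: Optional[str]             # centrally authenticated identity, None if absent
    company_av: bool                # company-provided antivirus/antispyware present
    definitions_updated: date
    last_os_patch: date
    warranty_expires: date
    first_warned: Optional[date] = None   # recorded when a warning was first issued

def findings(p: Posture, today: date) -> List[str]:
    checks = [
        (not p.company_av, "company antivirus missing"),
        (today - p.definitions_updated > MAX_DEFINITION_AGE, "definitions stale"),
        (today - p.last_os_patch > MAX_PATCH_AGE, "OS updates stale"),
        (p.warranty_expires < today, "warranty lapsed"),
    ]
    return [msg for failed, msg in checks if failed]

def decide(p: Posture, today: date) -> Tuple[str, List[str]]:
    """'allow' still means access to the terminal services/VDI gateway only."""
    if p.user is None:
        return "block", ["not authenticated"]
    issues = findings(p, today)
    if not issues:
        return "allow", []
    warned_on = p.first_warned or today
    if today - warned_on > GRACE_PERIOD:
        return "block", issues       # warning ignored past the grace period
    return "warn", issues

TODAY = date(2024, 6, 15)            # constructed evaluation date
FLEET = {                            # constructed sample devices
    "current": Posture("alice", True, date(2024, 6, 14), date(2024, 6, 1), date(2026, 1, 1)),
    "stale-defs": Posture("bob", True, date(2024, 6, 1), date(2024, 6, 10), date(2026, 1, 1)),
    "ignored-warning": Posture("carol", True, date(2024, 6, 14), date(2024, 4, 1),
                               date(2026, 1, 1), first_warned=date(2024, 6, 1)),
    "anonymous": Posture(None, True, date(2024, 6, 14), date(2024, 6, 1), date(2026, 1, 1)),
}
for name, device in FLEET.items():
    print(name, *decide(device, TODAY))
```

Logging each decision together with the authenticated user gives the tracked, centralized record of who is on the network that the mitigation above calls for.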
In most cases, BYOD is all about cost, whether it's direct or indirect. As the consumerization of IT gains momentum, more and more employees are requesting the use of non-standard equipment that might better suit their individual work styles and needs. This goes completely against the "commonality" movement that IT departments have for years worked to implement. By establishing standard desktop baselines, corporate IT has been able to achieve economies of scale with regard to equipment purchases and support. Further, many IT budgets have been carefully crafted around predetermined replacement cycles for this standardized equipment.
Mitigation: With BYOD, employees are, in theory, free to purchase whatever they like. In some cases, organizations will cover these costs with the tradeoff being that those employees might be more productive with personalized hardware. In order for companies to retain their ability to plan and budget, limits on these costs must be established.
Bear in mind that a BYOD implementation might, in some places, be embraced as an employee benefit, which can be supported by the fact that employees have control of their own equipment and can use it for business and personal tasks. As such, it might be possible for a company to save some direct costs on hardware by setting a reimbursement or purchase limit for these devices that is somewhat lower than what had normally been spent on replacement cycle-funded equipment.
This practice won't work for everyone, everywhere, so it might be best to consider BYOD as an opt-in practice.
Loss of control of data
In a traditional environment, a company can take proactive steps to protect the integrity and security of company information. Through the use of tools such as Group Policy, a company can, for example, completely disable the use of USB storage devices. There are a lot of other steps that can be taken as well.
Once employees start to bring their own devices, unless you require those devices to be joined to your Active Directory, it's a bit more difficult to include them in your security measures. Worse, since more employees are likely to be toting laptops to and from work -- and these laptops won't necessarily be covered under company policy -- it becomes more likely that data is either accidentally or intentionally compromised.
Mitigation: You should place a hard line on where data can be stored and what can be done with it. Ensure that employees aren't able to take data away from company property by requiring that they use tools you provide to manipulate data. I mentioned before that you should consider providing a standard desktop image/application set in a terminal services or VDI-provided environment, and that advice goes double here. When employees are using virtual desktops and applications, all of your data stays in the data center, meaning that it doesn't ever make its way to the endpoint. If a user's personal computer is stolen, no company data will be compromised.
You could also consider requiring that personal employee laptops use full disk encryption, though this might be seen by some as a step too far.
Before your IT department agrees to support employee-owned devices, you should consider all of the ramifications and take the measures necessary to protect the organization and achieve whatever goals you feel are possible with the initiative.
Does your IT department support employee-owned smartphones or other devices? If so, what challenges has your department faced?