You Can’t Stop It, You Can Only Hope to Contain It: The Emerging Trend of “Bring Your Own Device”

By Jeff Mansir, Risk and Business Advisory Senior Manager
August 2013

In discussions with IT Managers these days, no topic is more consistently raised and debated than the concept of BYOD, or Bring Your Own Device – the trend toward organizations making use of employees’ personal handheld devices as an extension of the organizations’ information networks. Organizations are addressing the risks and opportunities inherent to BYOD in many different ways; it is useful to consider some of the lessons learned and changes we see when personal devices are harnessed for an organization’s benefit.

BYOD offers both advantages and disadvantages, and presents opportunities and risks to the organization. Benefits of BYOD include cost savings in the corporate IT procurement and support budget; faster adoption of new technologies, as employees generally adopt new technologies faster than their employers; and a perceived increase in employee efficiency when using their own devices (often beyond the work day typically expected). Concerns regarding BYOD include uniformity of device access and usage, compatibility with systems and their limitations, and licensing compliance issues when employees are using different types and versions of software. Plus, extending the work day beyond the scope of a standard office and workday presents a whole host of complications too complex for this brief overview.

BYOD complicates security governance and administration when IT support migrates from a standard “command and control” model with standard builds and licenses toward a more open, supportive structure in which key risks are identified and mitigated within a decidedly non-standard array of devices and operating systems. Just when IT shops got comfortable supporting mobile technologies, the process has changed to remove control and introduce new vectors of risk to the organization; Google architecture is quite different from Apple OS. Further, BYOD is often a top-down requirement of Management, and IT is often caught with a set of expectations for device support and no clear means to support Management’s objectives with the same level of security or availability.

We see many organizations establishing BYOD policies to define service level expectations for IT, end user obligations, and best practices for security.  Several organizations are identifying secure access mechanisms that can be monitored and managed across several diverse platforms (OS, Windows, Google, etc.).  Many find success with a “sandbox” approach, wherein a secure environment is carved into an otherwise open device for mail and documents.

Taking lessons from these organizations can help to ensure a successful BYOD initiative. 

Successful BYOD initiatives start with IT managers getting a handle on how each aspect of the organization uses devices to support the business.  Talking with Sales, Marketing, IT, Executives, and other stakeholders contributes to a better understanding of the needs driving demand for mobile device usage. 

  • Determine the proper level of network access required for different users. Which devices are allowed on the organization’s network, which level of access (such as limited or full) is granted to the devices, who has permission to use the devices, and when should the devices be accessible to the network?
  • Define the devices to be supported, and the related security requirements. This requires getting a handle on the devices used in the organization, ensuring vulnerability assessment and remediation are performed constantly on the devices, and installing baseline endpoint security components on the devices (such as updated antivirus software and updated security patch management tools), regardless of operating system or device manufacturer.
  • Determine the devices that cannot be reconciled with acceptable security standards. This includes defining which operating systems and versions cannot be supported, which applications are prohibited on the device, as well as how use of these devices and software will be detected and addressed.  Often, defining expectations as a “service level” to be provided by IT helps facilitate a good discussion with Management as to what can and should be supported.
  • Establish a BYOD policy. It need not be lengthy or overly complex; rather, it should clearly and succinctly define the rules and expectations for using employee-owned devices in the workplace. The following components are generally helpful in a BYOD policy:
    • Security requirements that address the minimum acceptable security measures and related build standards required on supported devices, to ensure that best practices accepted at the organization are propagated to all devices (such as anti-virus/malware software, security patching, etc.).
    • Password minimum lengths and complexity in line with general corporate expectations for information security, as well as a mechanism for ensuring that they are deployed as expected.
    • The policy should address how personal and business data are stored, respectively, on the devices. This is where a sandbox approach can be very useful.
  • Provide employee training on BYOD usage and employees’ responsibilities. Reminding users that existing organizational policies for acceptable use, email best practices, and the importance of reporting incidents in a timely manner apply to BYOD is critical; reminding users of what has not changed is just as important as noting the “new and different” aspects of BYOD. As employees are also using these devices after work for personal use, organizations should educate employees regularly to keep them updated on the best practices for keeping their personal and business data safe.
