Bring Your Own Device – Boom or Bust?

The idea of “Bring your own device” (BYOD) is nothing new, but with the advancement of certain technologies it’s a definite possibility for businesses. Consumers have access to a great many cutting-edge technologies that they want to bring with them into the workplace. The question, though, is “Is it right for your business?” The answer is, as with many things that we deal with in information technology, “It depends.” That was not the insightful answer you were expecting, I’m sure, but let me explain further.

Your research will show that some companies say that allowing employees to bring their own devices shifts technology costs from the business to the employee. True enough, employees purchase their cutting-edge pieces of technology and do so with no issues. It also increases employee happiness by giving them carte blanche on whatever technology they feel best fits their current needs. Yet, as an information security professional, it’s my duty to rain on the parades of the collective and remind everyone that there are things to consider:

  • The corporate acceptable use policy becomes a little harder to enforce on hardware that is owned by the employee and not the business.
  • Does your company fall under certain compliance criteria? E.g., Payment Card Industry (PCI) standards, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA).
  • Something that is often overlooked with portable devices, such as tablets and smart phones, is how applications access and share data on the device. Each platform defines its own requirements, to varying degrees.
  • The cost is shifted from buying technology to managing it. Are you willing to spend the needed dollars?

These are only a few concerns, and they will vary depending on what industry your company is in, but as with everything, there are answers. One thing to remember, however, is that while business may be driving IT to support personal devices, the data they use is still owned by the company. This requirement forces IT to think of how to protect that data while providing the ability to move forward with BYOD. Nike has a well-documented BYOD policy in which it only allows certain devices, so clearly you can “do it.”

There are certain technologies out there that will help with implementation of BYOD. The Mobile Device Management (MDM) space has grown exponentially within the past couple of years to help address this very issue. The industry is still evolving in that area, but there are some cool things waiting for you that help protect company data on portable devices.

Network access control (NAC) is another technology that helps protect a network from personal devices on that network. A company may choose to segment the devices off of the network or group them in such a way that they are easily tracked. There are certain NAC vendors that can even inspect a client machine to check for compliance and further help mitigate risk to your environment. There are numerous ways to help with tackling this issue from a technology standpoint, but at the end of the day, it’s about the policies and top-down support. The policies put in place can help manage the vast hole that can be BYOD, while top-level support can help push those policies. The policies then need to be communicated A LOT and in as many ways as possible to the user base.

When deciding whether to venture into BYOD territory, remember that ultimately your commitment is safeguarding customer data. When this is coupled with proper policies, adequate technology and BYOD, it can open the door to new ways of doing business.