ICT management : BYOD
How to write a BYOD policy
11 considerations to underpin your company’s BYOD strategic planning.
By Eric Bettanin
62 | Information Age January/February 2013
The consumer demand for smartphones is on the rise. Worldwide, smartphone sales rose 58 per cent in 2011 and sales are projected to triple by 2015. Many employees now prefer to use their own personal devices in the workplace because the devices are easier to use, more convenient, and allow them to mix their personal and work-related information. A 2012 survey by the Information Systems Audit and Control Association (ISACA) of employees between the ages of 18 and 34 showed that two-thirds said that they have a personal device that they also use to access work data.
In light of these trends, senior managers and ICT directors should now factor in the challenges of BYOD to their strategic planning and policies governing how information is managed across their organisation. In the face of the BYOD phenomenon, corporate strategic planning must look into the future and leverage the benefits of BYOD to maximise the organisation’s mission and strategic plan, addressing how to secure the corporate data and ensuring quality of service to employees.
An initial step in any ICT project should be to establish the policy surrounding the project. The adoption of BYOD in an organisation should not differ. A well-constructed BYOD policy will allow management to maximise the effectiveness of BYOD in an organisation. To effectively leverage the multitude of mobile device technologies available for employee-owned devices, an organisation’s strategic policy makers must first decide on the policies surrounding the use of these devices.
1. Choose your team
BYOD policies impinge on more areas within an organisation than just the ICT department, so it is important that the policy writers and decision makers working on an organisation’s BYOD strategy are sourced from all the relevant departments within the organisation. BYOD has direct implications for the HR, legal, security and ICT departments; however, consulting all functional areas is important since the end users are distributed throughout the entire company structure.
2. Understand user devices
Policy designers must understand the number and distribution of employee-owned devices within their organisation and how these devices are used. ICT planners typically underestimate by 50 per cent the proportion of employees using their own devices to conduct company business. Relying on old data or a spreadsheet of devices currently registered to connect to an organisation’s network will simply not work. A survey of 1500 decision-making ICT workers in the US, Canada, the UK, France, Germany and Spain, conducted in late 2011 by Cisco, found that 57 per cent of ICT managers claimed some employees are already using their own devices on their networks without consent. Ideally, your company can detect all the devices that connect to their current email environment or corporate network. This will allow strategists to incorporate all users into the new BYOD strategy and ensure that the majority of devices within the workplace are accounted for.
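As an added illustration (not part of the original article), the sketch below shows one way to find devices that sync mail successfully but are missing from the registered-device list. The log format, field names, device identifiers and inventory are all constructed for the example; a real mail gateway will use its own format.

```python
import re

# Constructed sample lines in a hypothetical mail-sync access-log format.
SAMPLE_LOG = """\
2013-01-14T08:02:11Z user=alice device_id=A1B2C3 device_type=iPhone status=200
2013-01-14T08:05:40Z user=bob device_id=D4E5F6 device_type=Android status=200
2013-01-14T08:09:03Z user=alice device_id=Z9Y8X7 device_type=iPad status=200
2013-01-14T08:11:27Z user=carol device_id=G7H8I9 device_type=BlackBerry status=401
malformed line without fields
2013-01-14T09:30:00Z user=bob device_id=D4E5F6 device_type=Android status=200
"""

# Constructed stand-in for the registered-device spreadsheet.
REGISTERED = {"A1B2C3", "G7H8I9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device_id=(?P<dev>\S+) "
    r"device_type=(?P<type>\S+) status=(?P<status>\d{3})$"
)


def find_unregistered(log_text, registered):
    """Return (devices, skipped): devices that synced successfully but are
    missing from the inventory, and the number of unparseable lines."""
    devices, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1  # counted so that parser gaps stay visible
            continue
        if m["status"] != "200" or m["dev"] in registered:
            continue  # failed sync, or a device that is already known
        entry = devices.setdefault(
            m["dev"],
            {"user": m["user"], "type": m["type"],
             "first_seen": m["ts"], "syncs": 0},
        )
        entry["syncs"] += 1
    return devices, skipped


if __name__ == "__main__":
    found, bad = find_unregistered(SAMPLE_LOG, REGISTERED)
    for dev, info in sorted(found.items()):
        print(dev, info)
    print("unparseable lines:", bad)
```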
3. Understand user needs
When developing a BYOD strategy, it is important to understand that there are different segments of users within any BYOD implementation. Completing a user segmentation analysis within the company will help you understand user needs and the likely level of required support. This segmentation analysis should evaluate employee roles against the need for mobility and mobile applications and against the likely level of required support. Conducting this analysis will help you develop entitlement policies and support models and may prevent frustration and cost overruns in your ICT budget.
4. Consider usability
Consumer usability is an important factor to consider when choosing which devices can connect to your corporate network. An organisation should not discard a device because the ICT department believes that the device has limited enterprise application. Often users desire simplicity and devices that require less thought to use. A user-friendly device is likely to have more use and have a higher uptake from the organisation’s less tech-savvy employees. A BlackBerry may be the easier decision in terms of marrying it to the enterprise scenario, but the usability of the iPhone and iPad may attract a wider audience.
5. Over the air configuration
A BYOD policy should leverage technologies that enrol devices onto corporate networks simply, quickly and with low user input. Links in emails or SMSs that arrive as soon as a device attempts to connect to the corporate network allow for easy configuration for the user and reliable data for the support desk. Remote configuration where devices are wirelessly and automatically configured maximises efficiency for both ICT and business users alike. Once a personal device is registered and legitimately connected to an organisation’s network, the system should deliver all the relevant profiles, credentials and settings. With the correct policy and implementation even OS upgrades can become an automated function.
6. Security
BYOD maximises convenience for users, but a well-constructed BYOD policy must balance user convenience against security. BYOD end users will want their devices to connect and work, but users may not want to hand over security of their devices to the organisation. The organisation’s BYOD policy writers should appreciate users’ desires and construct a policy that gives users some control over their device’s security while at the same time ensuring that key organisational security goals are met. Unless the corporate users’ desires are fulfilled, users may circumvent company policy.
7. Data usage
The organisation’s BYOD policy must clearly articulate policies on data usage and monitoring. Avoiding excess data usage and ensuring efficient use of company resources requires an organisation’s BYOD policy to discuss data plans. Tracking data usage is important regardless of whether the company pays a stipend to employees or pays for the data directly. Data tracking should be capable of distinguishing between roaming and network usage to generate alerts if thresholds are breached. Automatic WiFi configuration helps ensure devices connect to corporate networks when in range. It is important to consider how a business can best leverage cost savings from purchasing bulk corporate data plans from telecommunication providers. This may mean while users can BYOD, users must still utilise a company SIM card to access roaming networks.
8. Geo-security
As mobile devices are mostly used outside of protected office networks, conventional perimeter-based security components cannot be used to monitor and control their communications. An organisation’s mobile device should automatically check in to their geo-location when the device is turned on. This allows network systems to determine data access rights. For example, if an employee’s device is within the perimeter of their office or home location, the device’s data access rights may be higher than if the device is operating from a public location.
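The location-based access decision described above can be sketched as follows. This is an added example, not from the original article: the zone coordinates, radii, tier names, check-in fields and the 15-minute freshness window are all assumptions made for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

# Hypothetical trusted zones: name -> (lat, lon, radius in metres). Constructed.
TRUSTED_ZONES = {
    "office": (-35.2809, 149.1300, 200.0),
    "home": (-35.3200, 149.0900, 100.0),
}
MAX_CHECKIN_AGE = timedelta(minutes=15)  # assumed freshness window


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def access_tier(checkin, now):
    """Return 'full' inside a trusted zone, otherwise 'restricted'.

    checkin is None or a dict with lat, lon, accuracy_m and reported_at.
    Missing, stale or future-dated check-ins fail closed."""
    if checkin is None:
        return "restricted"
    age = now - checkin["reported_at"]
    if not (timedelta(0) <= age <= MAX_CHECKIN_AGE):
        return "restricted"
    for lat, lon, radius in TRUSTED_ZONES.values():
        dist = haversine_m(checkin["lat"], checkin["lon"], lat, lon)
        # The whole uncertainty circle must fit inside the zone, so a
        # low-accuracy fix near the boundary does not earn full access.
        if dist + checkin["accuracy_m"] <= radius:
            return "full"
    return "restricted"


if __name__ == "__main__":
    now = datetime(2013, 1, 14, 9, 0, tzinfo=timezone.utc)
    near_office = {"lat": -35.2809, "lon": 149.1310, "accuracy_m": 20.0,
                   "reported_at": now - timedelta(minutes=2)}
    print(access_tier(near_office, now))
    print(access_tier(None, now))
```

A device-reported location is self-asserted, so a decision like this is best combined with other signals such as network attachment and device compliance state.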
9. Remote wipe
By virtue of their physical mobility, smartphones, PDAs and laptops can be lost or stolen more easily. As a result, whoever finds the device can immediately access the data stored on the lost or stolen mobile device. There are services capable of tracking a lost or stolen device and even services that enable a user to wipe critical data and applications from the device to disable any unauthorised access to applications and data.
10. Application architectures
The application architecture should complement the wider corporate data loss strategies already in place at the organisation. It is important for policy writers to make a decision about which mode, native browser or virtual, will be relied on for the application architecture. A hybrid approach can be an effective method to reach a compromise between usability and security. A hybrid approach could use native mode for most standard business applications (calendar, email) and virtual mode for a subset of applications with stricter confidentiality or sensitive data requirements.
11. Acceptable use policies
Organisations should communicate the privacy policy to employees and make the policy clear on what data can be collected from mobile devices. The privacy policy should let users know what the organisation will collect, how it will be used, and why it benefits the user. Transparency and clarity are important in maintaining user trust. There is much less resistance to BYOD policies when the rules are clear and everyone understands them. Ensure the user agreement stipulates that the company can monitor compliance, acceptable use and otherwise act to protect corporate data. In some cases this may include remote wiping of all data on the device – potentially including personal data – which can be a source of contention between ICT and users.
Capture gains
One of the largest benefits to an organisation implementing BYOD is the productivity increases that are gained from having employees that are mobile and connected at all times. Without capturing the productivity gains, some of the benefits of a BYOD policy will remain unrealised. The starting point in the development of a BYOD strategy is designing your company’s BYOD policy. The BYOD policy must address factors that will frame the definition of procedures and processes. In a BYOD culture, the ICT policy needs to be more specific than in a traditional ICT policy, to ensure that the data network is secure and that the ICT department still has control over corporate data. The BYOD policy needs to be designed in collaboration with the users, balancing usability against security. The policy should garner user compliance through monitoring, education and enforcement. The ICT department must have high visibility of the devices at the organisation and how they are used. One overarching application strategy should be directed, with maximum use made of native applications on user devices. Virtual applications should be restricted to applications with stricter confidentiality or sensitive data requirements. The use of personally owned mobile devices in an organisation has its benefits and an organisation’s BYOD policy must ensure the devices’ use is appropriately addressed.
Eric Bettanin is employed within the logistic information systems branch of the Defence Material Organisation. He is currently completing a doctorate in information technology at UNSW, researching enterprise asset management.
Nearly half of ICT shops ignore BYOD
The results of a multinational employee survey by public research firm Ovum show 46.1 per cent of respondents believe their ICT shops ignore the use of personal mobile devices for business purposes. The October 2012 survey of 3796 full-time employees from corporations in 17 countries revealed 28.4 per cent of employees believe their ICT shops are aware of their mobile device use but ignore it, while 17.7 per cent say their ICT departments simply don’t know it goes on. Another 45.8 per cent of survey respondents say their IT executives actively encourage a bring your own device (BYOD) policy for business purposes, such as accessing email and corporate documents. Only 8.1 per cent of those surveyed indicated their ICT departments actively discourage BYOD. The survey only included employees from companies with 50 or more full-time workers.
“The thing we find so shocking is that there are such a range of tools out there that make it easy for IT to manage BYOD environments,” said Adrian Drury, a practice leader for consumer IT at Ovum. “At the end of the day, chances are you’ll have a data loss event with BYOD.” Tools such as mobile device management software allow an ICT shop to remotely wipe mobile devices, such as smart phones and tablets, if they are lost or an employee leaves the company.
Seventy-five percent of respondents in the emerging, “high-growth” markets (including Brazil, Russia, India, UAE, and Malaysia) demonstrated a much higher propensity to use their own devices at work, compared to 44 per cent in more mature markets. The survey also revealed that 79 per cent of respondents in high-growth business markets, such as Malaysia, India and Brazil, see BYOD as key to career advancement. Only 53.3 per cent of those surveyed in mature market countries, such as European Union nations and the U.S., believe mobile devices can help their careers.
A notable anomaly to this latter trend is Spain, where 62.8 per cent of employees bring their own devices to work – well above the developed market mean. “This could have something to do with the struggling economy: people are willing to use any and all means necessary to get ahead in their jobs, as losing them could be disastrous, given the high rates of unemployment,” said Richard Absalom, a consumer impact IT analyst at Ovum.
Driving the trend in high-growth markets is the predisposition of professionals to “live to work,” as well as the lower rate of corporate provision of mobile handsets and tablets. “We see this clear trend that employees in high-growth markets are very happy and open to using their own device for work 24 hours a day and don’t see it as an imposition on their time,” Drury said. “They see it as a way to advance their career, be more productive ... these kinds of key benefits.”
While somewhat obvious, the survey did reveal that workers surveyed in more established market countries, such as the US and the UK, were far less willing to allow their employers to contact them via mobile devices during off-work hours, Drury said. Ovum performed its web-based survey of companies in Brazil, Russia, India, South Africa, The United Arab Emirates, Malaysia, Singapore, Japan, Australia, Belgium, France, Germany, Italy, Spain, Sweden, the United Kingdom, and the US.
“Employees in high-growth, emerging economies are demonstrating a more flexible attitude to working hours, and are happy to use their own devices for work,” Absalom said. “This bifurcation in behaviour will shape not just future patterns of enterprise mobility in high-growth markets compared to mature markets, but also dictate which markets, structurally, are going to benefit most from this revolution in how and where we work,” he said.
-Lucas Mearian