
Apr 04

Do you have a BYOD policy? Do you know if it’s happening in your organisation?

What is BYOD?

Mobile phones have come a long way in the last 40 years!

Bring your own device, or BYOD, is a rising trend among all sorts of organisations these days, and it is not going to go away. In fact, you may already be implementing it without realising it. People checking work emails on their private mobiles or tablets? Remote workers using their own laptops to check work webmail or connect over VPN? That's all BYOD.

In many ways, the rise of BYOD was inevitable. Increased personal computing power and the rise of the smartphone and tablet are part of the answer. The other aspect is how mobile we are these days, and the need to connect wherever we are, be it at home, at work or on the move.

If you don’t have a policy in place, now is the time to start thinking seriously about it.

What could possibly go wrong?

Many IT departments get nervous about BYOD. They have a point. Almost 50% of companies with a BYOD policy have reported data breaches. The fundamental reason is that, because the device is someone's personal property, the IT department cannot control every aspect of it: what other software is installed, how it connects to the internet, how it is locked, which devices are in use, and their potential loss or theft.

They could impose such controls, but the resulting policy would be so onerous that it would largely negate the benefits of owning such a device in the first place!

On the flip side, BYOD could possibly save your organisation money, and increase productivity.

So what factors do you need to bear in mind?

Risks

As we said, the risks are largely based around security. Some mobile phones, such as the new Blackberry range (OS 7.1), have features that allow you to separate personal and work aspects of your phone. But this is not yet a widespread feature.

Given that people can download all sorts of apps and features for smartphones and tablets from public marketplaces, it is very difficult to control what these programs can do and what permissions they are granted.

Some departments are turning to mobile device management (MDM), requiring users to install tools that can configure and control smartphones and other devices. These may be beyond the reach of smaller charities.

Then there are the lost and stolen devices. If a BYO device falls into nefarious hands, given time they will find a way past the passwords. Especially if it’s a laptop running Windows XP, which I know many charities still are! Still, it’s likely that if it’s someone’s personal device, it is running something more modern, so I’ll let that particular bugbear rest for now.

The other problem is how widely supported each program is across devices. A part of your IT infrastructure that works well on a Windows laptop might not work as well on a Mac, and so on.

Finally, good old viruses, Trojans and malware. Personal devices are less likely to have firewalls and anti-malware programs as robust as those on office-based devices.

Benefits

You don't have to buy a device for people to work from home, remotely or on the move if they are happy using their own. This makes it easier to implement remote working policies, and increasing the mobility and flexibility of your workforce is something every organisation should be looking at.

Secondly, many programs, such as DropBox, are free for personal use, further reducing infrastructure costs.

Finally, people are generally happier using their own devices. In fact, some studies have shown that when organisations allow people to use their own mobile devices they report higher levels of employee job satisfaction, and yet others show they put in more hours as well.

So …

As I mentioned earlier, there are MDM systems and programs that can allow IT departments to exercise control of devices. However, if you have an IT department or can afford to deploy MDM, then hopefully you have a BYOD policy already.

If not, here are some things to consider.

  • Buy-in

Everyone has to know the risks involved in BYOD, and you need to know the devices in use, what is being accessed, and what ancillary programs are being used. Unless you explain to staff why you are 'interfering' in how they work out of the office, and agree that steps need to be taken, your BYOD policy might well be ignored.

  • Acceptable Use Policy

The more you know about which programs people are using, the tighter a ship you can run. Some people might blanch at being told to swap DropBox for SugarSync, for example, but if you have achieved buy-in this should be something you can overcome.

  • Have a browser policy

With so much work being done within people's browsers these days, you can formulate a policy that when people access work through a browser, they use a separate browser from the one they use personally. This way, you can configure the work browser so that it does not retain passwords, usernames or history.

Where possible, browsers can be set to use 'https only', the encrypted version of http, when accessing certain sites.
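As an added example, not part of the original post, here is a Firefox enterprise policy file that enforces the work-browser settings described above: no saved logins or form history, browsing data cleared on every shutdown, and HTTPS-Only Mode switched on and locked. Firefox reads this file from `distribution/policies.json` inside its installation directory, and the key names are Firefox's own policy names; the assumption is that the work browser is a separate Firefox installation (or a separate browser entirely) used only for work, so that the personal browser is left alone.

```json
{
  "policies": {
    "OfferToSaveLogins": false,
    "DisableFormHistory": true,
    "SanitizeOnShutdown": {
      "Cache": true,
      "Cookies": true,
      "Downloads": true,
      "FormData": true,
      "History": true,
      "Sessions": true,
      "Locked": true
    },
    "Preferences": {
      "dom.security.https_only_mode": {
        "Value": true,
        "Status": "locked"
      }
    }
  }
}
```

Once the file is in place, opening `about:policies` in that browser lists the active policies and flags any error in the file. `Locked` and `"Status": "locked"` stop the user quietly turning the settings back off, which is the point of having a work-only browser in the first place.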

  • Public space use

Generally speaking, using a BYO device over the Wi-Fi in your local coffee shop is not as secure as using a wired home network. There was once a Firefox browser issue involving a plug-in called Firesheep that could literally pluck passwords and usernames from the ether. It was so easy it was almost funny. Try to discourage the use of public Wi-Fi for work. 3G is more secure if you are out and about.

  • VPN

A VPN is a virtual private network, and even for small charities is worth considering. It is much more secure than normal access, and there are free versions available.

  • Remote tracking and wiping

There are many programs that allow you to track lost devices, such as Prey for laptops and Lookout for Android devices. Others also let you wipe them remotely. However, this depends on the machine being switched on after it is nicked, but it is still better than nothing! I have not done enough trials to recommend specific ones yet, but those are the two I use.

  • No-fault reporting

If a device does go missing, it is vital that it is reported immediately, so that the appropriate passwords can be changed as soon as possible. Let people know that there won't be any repercussions for this. If they worry about reprisal, they are more likely to simply wait until they have their replacement and carry on as if nothing has happened, leaving a device out in the wild, potentially giving access to your network.

  • Encryption and two-step identification

Protect BYOD with encryption (such as Cloudfogger for DropBox) and with two-step identification for all programs that users can access. It just makes life that little bit safer for everyone.

  • Separate user accounts

On laptops, you can set up separate user accounts, one personal and one for work. The work account can be configured more rigorously and to your organisational standards. However, compliance is a risk: if someone can access work from their personal account anyway, it is likely they will simply overlook the importance of switching to the work log-in.

Other issues:

One thing that is often overlooked, in my experience, with BYOD policies is PAT testing. While not compulsory, it is the organisation's responsibility to ensure that all equipment used by its employees is safe to use, and you can find out more from the HSE.

Secondly, if people are using mobile data plans, they should be entitled to claim this on expenses. Given that many plans offer a lot of data for a fixed price, this can be tricky. Remember, HMRC does not allow you to offer fixed amounts in terms of monthly expenses. One option might be to consider 'mileage': offer a rate per half hour on condition that time is logged. For access to servers, you can monitor this directly.

As always, we are eager to hear what you think, and what challenges you face with BYOD.