Joe Stangarone | July 22, 2014

5 BYOD steps you can't ignore

Summary: Many businesses treat the “Bring Your Own Device” (BYOD) movement as a trend–viewing it as something they can choose to ignore. Learn why this approach is wrong, and the steps every business must take to address this growing phenomenon.

Gartner has a great tagline on their Bring Your Own Device (BYOD) page: BYOD is here and you can’t stop it.

That simple statement says it all. You see, contrary to what you might hear, BYOD isn’t a trend. It’s a reality.

What’s the difference? A trend implies uncertainty. Maybe it will catch on. Maybe it won’t. With a trend, you decide whether or not your business jumps on board.

On the flip side, reality doesn’t offer that luxury. You don’t decide to “jump on board” a reality. It’s happening, whether you like it or not. You adapt, or face the consequences.

That’s exactly what’s happening with BYOD. As employees bring more and more personal devices into the workplace, you can’t stop BYOD. It’s happening. You must adapt.

What should you do? If I can give one piece of advice, it is this: Focus less on restriction, and more on business enablement. How? Here are 5 BYOD steps that you must take:

Step 1: Strengthen your network

As more employee-owned devices make their way into the workplace, the number of devices connecting to your corporate network increases exponentially. If not properly managed, this increase can easily overwhelm your network–reducing bandwidth and hindering employees ability to work.

“IT personnel must ensure their network architecture can handle increases in Wi-Fi traffic,” says Blake Brannon, Lead Solutions Engineer at AirWatch. “They must also ensure their existing device management platform can scale to accommodate management of employee devices. If IT has already invested in an EMM system, they should ideally be able to leverage existing policies that have been developed for corporate devices, extending the necessary policies, apps and content from the same console.”

Step 2: Create clear policies and terms of use

As businesses enter the world of BYOD for the first time, uncertainty plagues both the users and the organization. What can users do (and not do) with their personal devices? How much control does IT have over personal devices? A clear BYOD policy will help dispel confusion for both users and the business.

“BYOD policies can help employees opt in by outlining both the risks unauthorized access pose and the benefits BYOD programs provide,” explains Brannon. “The BYOD policy should clearly define the rules of the program, in accordance with government regulations and company security policies. It should also clearly outline what IT will be able to see and manage on personal devices, so there is no fear of personal data being compromised or exposed.”

Step 3: Teach employees about proper security

If we’ve learned anything from the recent data breaches, it’s this: Users have awful security habits. As discovered last year through a few breaches (which exposed user passwords), the most common password is “123456.” Users have limited knowledge of security risks…and they’re bringing this into the workplace with their personal devices.

“What we find is that many people have no knowledge of mobile security risks,” says Joe Ferrara, President and CEO, Wombat Security Technologies. “The first step is to create and communicate policies on mobile devices in the workplace and then provide the assessment and education that help employees understand their risky behaviors and how to protect theirs, and their employer’s data.”

Step 4: Decide how to approach BYOD

You’ll find two schools of thought surrounding BYOD strategies. One calls for device-level control, while the other calls for data-level control. Here are brief descriptions of each:

  • Strategy 1: The device level
    With device-level control, the company adds software to every user device, which lets them control all or parts of the device. Privacy is a major concern with this strategy, as employees aren’t comfortable turning over control of their personal devices to the company. If you choose this route, you must:
    • Give them a choice
      If you decide to secure individual employee devices, do so with caution. Forcing all employees into a BYOD program will only push them away. Instead, explain the benefits of joining and let them choose.

      “Give employees a choice, instead of requiring all-or-nothing access to their device,” says Lauren Lembo, Director of Business Development at Raxco Software, Inc. “Offering additional levels of device security in exchange for increasing levels of access to company applications and data allows the employee to retain a sense of control over the process.”

    • Separate personal from company data
      Users won’t likely give a company full control over their device. If you do opt for device-level control, make sure you clearly separate business data from personal data, and create clear guidelines as to what the company can and cannot monitor/control on each device.

      “Creating separate spaces, via a data container or partition, for company data lets the employee log into these services to access company data, keeps personal information separate, and allows your IT department to remotely delete company data if needed,” explains Lembo. “By designating separate spaces, employees can literally see what the company can and cannot access. The clear separation of these two spaces prevents information spillover and makes your employee more comfortable using their personal device for work.”

  • Strategy 2: The data level
    The problem with securing each device: it requires more effort, and devices constantly change. The second approach bypasses these issues, focusing instead on securing the data. Employees use whichever device they please, and the company grants data access depending on each user’s role.

    “The very idea of “BYOD control” is doomed to failure at the outset,” explains Miles Leacy, Managing Principal at The Mac Admin. “The goal is not control. These are devices owned by the individual. The goal is to grant them access to the systems and data we need them to access. There is no need to control what isn’t present. If employee X needs data Y, then we need to grant him/her access to that data. I don’t care what else the device does or has resident on it.”

    Essentially, this approach treats the device like a doorway, rather than a destination. For instance, companies might make their data available in the form of mobile web apps, with secure logins for each one. Users then login and access that data via their mobile web browser–without installing anything on the device itself.

Step 5: Embrace your new role

In the past, IT departments controlled technology because it was scarce, and hard for users to obtain and use. That’s no longer the case. To truly succeed in this technology-driven world, IT must embrace their new role: The technology consultant. No longer the gatekeeper, IT’s new job is helping the business get the most out of the technology they have.

“With BYOD, IT departments take on a new role as a consultant,” explains Brannon. “The influx of personal mobile devices into corporate networks – and the cloud-hosted data they access – has fundamentally changed the way people work, and by necessary extension, the way IT departments operate. Providing access to multiple device types – and often to multiple devices per user – creates a myriad of new challenges for IT departments. IT departments managing BYOD programs are also routinely asked to troubleshoot on a much wider range of devices. Be sure your department is prepared for the influx and diversity of requests from the users.”

So, what do you think? Is there anything you would add to this list? If so, please share your thoughts in the comments.

Read article on MRC-Productivity blog