Should You BYOD?

BYOD is a phrase that is being bandied around in corporate circles these days. BYOD stands for “Bring Your Own Device”. It refers to the fairly recent phenomenon of employees bringing their own smartphones or tablets to work and connecting them to the corporate network.

 
We know that everyone and his brother has a tablet of the computing kind and a smartphone. (Has this in some way improved the quality of their lives? That’s a question for another blog, I guess.) People started bringing their gizmos to work – this trend was spearheaded by the top-level executives – the CEOs and CFOs – and IT accepted it, reluctantly and sometimes not so reluctantly. Another scenario was that top executives saw BYOD as a way to reduce immediate capital expenditure: ask the employees to get their own devices and don’t spend on end-user computing resources. These trends have now led to a proliferation of employee-owned devices being used inside the once holy corporate network perimeter.

 
Advantages
 
1. The employee gets to use a device of his choice for work.
2. Management does not have to shell out money for purchasing PDAs and phones for their employees; in some cases management does not have to bear the cost of the data service either.
 
Disadvantages
 
This list is going to be much longer than the one above.
 
Disadvantages for employees
1. If the company insists on BYOD, the burden of buying the required device falls on the employee.
2. The onus of updating software on the device is on the employee. Organisations might have a policy which says that all devices connecting to the corporate network need to have updated software.
3. If software updates result in devices that do not work, the organisation may not offer maintenance and troubleshooting support but might expect the employee to still meet deadlines.
4. Who has rights to the data on the device? If an employee does a personal project on the device, can the organisation claim rights?
 
Disadvantages for Organisations from the Information Security Perspective
1. The key concern here is that if the device is lost or stolen, corporate data that is downloaded and stored on the device may be exposed. Privacy concerns and various statutory requirements come into play. If the company in question is a multi-national, the requirements of various countries may need to be met. Fewer than a quarter of such devices can be remotely wiped. Even if the facility to remote wipe is available in a device, most devices are not readily configured for it.
2. In case of a phishing attack, IT loses the ability to perform forensics.
3. The threat of malware and viruses looms large over devices owned by employees due to the inherently risky behaviour that people display when handling their own devices. Malware or a rogue app on a device can silently listen to all conversations on the corporate network.
4. IT can never get a clear understanding of the bandwidth requirements of the corporate network because many tablets and smartphones have apps that are ‘always on’ and communicating with an internet server to provide ‘realtime’ services to their users. IT can never know what apps are being used and the bandwidth requirements associated with them. Additional apps result in networks crashing. A recent survey said that 82% of UK companies have experienced slowness and unresponsiveness in their networks in the last 2 years.
 
BYOD Security
Organisations need to have a security policy that specifically handles the security issues surrounding the implementation of BYOD.
IT can spell out security requirements for each type of BYOD device.
 
Some basic requirements can be:
1. Devices need to be protected with a password. The password/security mechanism should be the strongest possible that can be implemented on that type of device. For example, if a device allows a 4-character numerical password, the password should not be a simple series and should not be a year that has any relation to the employee. Examples of simple series: 1111, 1234, 9876, etc. The password should not consist of the birthday/year of birth of the employee or anyone else in his family.
2. Certain types of applications may be prohibited.
3. All data on the device should be encrypted.
4. The devices should be subjected to periodic IT audits.
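
The PIN rule in requirement 1 can be enforced at enrolment time. The following is an added example, not part of the original post: the names check_pin, pins_from_date and SAMPLE_BIRTHDAYS are hypothetical, the birthdays are constructed sample data, and treating wrap-around runs such as 7890 as a series and checking the DDMM, MMDD and MMYY forms of a birthday are assumptions that go slightly beyond the rule as written.

```python
from datetime import date

# Constructed sample data: birthdays of an employee and a family member.
SAMPLE_BIRTHDAYS = [date(1984, 3, 12), date(2011, 7, 4)]


def pins_from_date(d: date) -> set[str]:
    """4-digit strings that are trivially derived from one birthday."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    # Year of birth, DDMM, MMDD and MMYY (the last three are an assumption).
    return {yyyy, dd + mm, mm + dd, mm + yyyy[2:]}


def check_pin(pin: str, birthdays: list[date], min_len: int = 4) -> list[str]:
    """Return the reasons a PIN is rejected; an empty list means it passes."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_len:
        return [f"must be at least {min_len} digits"]

    reasons = []
    # Difference between neighbouring digits, modulo 10 so that runs which
    # wrap around the keypad (7890, 2109) count as a series too.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {0}:
        reasons.append("repeated digit")        # 1111
    elif steps in ({1}, {9}):
        reasons.append("simple series")         # 1234, 9876

    # For a 4-digit PIN this is an equality test; for longer PINs it also
    # catches a birthday embedded inside the PIN.
    derived = set().union(*(pins_from_date(d) for d in birthdays))
    if any(p in pin for p in derived):
        reasons.append("derived from a birthday or year of birth")
    return reasons


if __name__ == "__main__":
    for candidate in ["1111", "1234", "9876", "7890", "1984", "1203", "5827"]:
        print(candidate, check_pin(candidate, SAMPLE_BIRTHDAYS) or "ok")
```
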
 
So, should you BYOD? Maybe, maybe not.
