Bring your own Technology: An Introduction
BYOT, or "bring your own technology" - also simply known as BYO or "bring your own device" (BYOD) - is more than just an IT trend: It’s a new way of life. And while BYOT may have its roots with executives, who’ve long demanded the ability to use the latest mobile devices for work, it has spread among the ranks, along with the proliferation of smartphones and tablet computers. The catchphrase often heard in discussions of BYOT is "consumerization of IT." In other words, it’s no longer just the geeks or the execs that want the best technology.
Not long ago, employees were thrilled simply to have a company phone. Now, employees become angry when stuck with anything other than the latest and greatest models. As people increase dependence on personal mobile devices in many life areas, it’s no wonder they want to be able to access company emails and applications without giving up the convenience of their favorite devices.
After all, these are devices they’ve chosen, are comfortable with and are already integrated into many areas of their lives. The company-provided BlackBerry will no longer do for the guy who is in love with his iPhone. It makes perfect sense, so it’s little wonder that many companies are making the decision to allow and support BYOT.
Or, at least, that’s the pitch from management.
It’s all nice in theory, but who takes the support call when that weird version of Android can’t connect? Who deals with the plethora of devices and ensures they play nicely with that old legacy accounting system and the new cloud CRM solution? In practice, it’s just not that easy.
But it’s reality.
This means that IT departments must find ways to make it work, which can be a tall order when it comes to BYOT's unique hurdles.
Here, we take a look at BYOT, the challenge it presents in IT and how companies can begin to implement it successfully. (Also, how will BYOT affect IT workers? Read more in The Consumerization of IT Will Continue to Hurt Prospects for IT Workers.)
Why BYOT, Why Now?
It’s often said that Web 2.0 technology has blurred the lines between personal and private. This is true at work, too. In the past, many employees used a computer at work, and perhaps another at home, but there weren’t a lot of options for merging these two worlds, beyond logging into a virtual private network (VPN) to access office email and desktop applications.
Now, people are increasingly tech-savvy and orchestrate much of their lives through portable electronic devices. So, as their personal calendars, resumes and social lives became integrated with their devices, many began looking to add work to the mix. And, while some companies may provide smartphones for employees, many now have their own devices. Rather than carrying two pieces of equipment, many people prefer to use just one - preferably self-chosen. More recent smartphones and tablets also have become powerful enough to do much more than check company email, creating increased user demand for more capabilities that may be accessed from the office.
So, smartphones started a trend solidified by tablets. Regardless of the debate as to how much work an iPad can handle, this device has undeniably changed the computing landscape. At its core, the iPad is a multimedia and entertainment device. If there is even a shred of business use, expect users to use that as justification to bring in their tablets.
Personal Devices in the Office - Why it's Catching on
According to Brian Duckering, a senior manager with the Endpoint and Mobility group at Symantec, the problem is that IT departments have traditionally denied requests to use personal devices - too much trouble, too much risk. But when company executives began bringing iPads into the office, the tide of IT’s control over what devices a company’s employees could use began to turn - especially when those executives realized BYOT's potential work productivity benefits.
In addition to smartphones and tablets, two factors also explain why BYOT is not going away.
First, it’s the services in the cloud. Remember those days when to check email, you needed to boot Outlook at your desktop or scramble to your hotel to plug in your laptop? A company-issued laptop makes sense with non-Web-based applications. But as applications make the move to Web-based formats, the need for anything but a browser has been greatly reduced. (Learn about why cloud computing has become so popular in Cloud Computing: Why the Buzz?)
Second, and partially because of the cloud transition, access has blurred the line between work and personal time. Whether this is good or bad is another debate, but employees are generally expected to stay connected for a longer portion of the week, if not 24/7. Social networking plays a role as well - A sales guy obviously may be in a CRM system but is also likely to keep a copy of his contacts on a site like LinkedIn.
Take these three factors: Mobile devices, a move to the cloud and the blurring line between work and personal life. It’s easy to understand why BYOT is here to stay - whether those in IT like it or not.
For IT, this has created an interesting challenge: How to say "yes" without sacrificing its ability to manage devices and maintain a high degree of security and control. This is especially crucial, considering many companies where BYOT is progressing most rapidly are from industries where data security is key: Finance, healthcare, government, education and retail.
Let’s move on and learn about the starting points in planning for BYOT.
Planning for BYOT
"That’s not supported" has been a common excuse for IT departments in the past, but it’s also one that is increasingly rejected by employees and company management. So, rather than look like the office bad guy, many IT departments are forced to move toward adopting BYOT-friendly strategies.
What does a BYOT strategy look like? For many companies, it boils down to mobile device management (MDM), policies, technology and the secure application of such technology. According to John Dale, a product marketing manager at Fiberlink, a company that provides MDM platform services, a strong BYOT strategy should look something like this:
1. Risk Assessment
Understand the risks BYOT presents to the given business model. Before implementing anything, companies should understand what allowing personal devices actually means. This step should involve discussion with the corporate legal team.
2. Create Policies around BYOT
Generate or create a formal written policy around BYOT. In general, this should fit into the company’s current IT and HR policies. Other things that need to be hashed out here include:
- Who will pay for devices (employee or company)?
- Who will pay for data? If the company pays, will there be a cap?
- Which employees will have access to what data on their devices, and how will they access it?
- How will employees enroll their devices?
- What is the company’s exit strategy to remove company data from phones when employees leave the company?
3. Match the Technology to the Company’s Needs
This involves determining how BYOT will be used by employees and setting up systems to enable this use. For some companies, this could mean buying an MDM platform. For others, it may mean simply applying data synchronization software, such as Windows Device Management System (ActiveSync).
4. Apply the Technology
This means providing a clear way to authenticate and enroll employee devices. Companies also should provide instructions to facilitate smooth employee enrollment.
After that, it’s up to IT to follow company policies and bring the devices into the company’s technological fold.
The Benefits of BYOT
If there’s one thing about BYOT that’s pretty clear, it’s that the concept did not originate from the IT department. In other words, it’s a business initiative that company management views as an opportunity to boost productivity. In this section, we’ll talk about productivity, as well as other key advantages of BYOT.
BYOT and Productivity
It makes sense that employees may be more productive when work is easily accessible from a device that they enjoy using. Part of this can be attributed to the ease-of-use of tablets and smartphones - perhaps a reason why they're so popular in the first place. This also should translate into fewer support calls to the help desk, increasing overall productivity.
Your Device, Your Problem
Whether employees buy their own devices outright or receive company stipends, most BYOT experts agree that ownership not only improves how employees feel about their devices but also how they treat them. After all, this is a device the employee has chosen and likes - and one that he or she will also use as a personal device. But even if employees choose to treat these devices as corporate property, companies can choose to offload some of the damage liability to their employees. This is something that should be outlined in a company’s BYOT policy.
Happy Employees, Better Retention
One of BYOT's greatest benefits is that it gives employees something they want - and that isn’t always easy in today's economy and shrinking corporate benefits. Plus, what manager doesn't want to give employees the ability to spend more time on work? In this sense, BYOT is a no-brainer, and as consumers become increasingly attached to mobile devices, it could even be considered a way to gain and maintain employees.
The Cost of Cost
The big one. Does BYOT actually save money? The gut reaction is that it must save something, given that employees are putting at least some money into their devices. But are equipment savings wiped out by the costs of BYOT implementation and then supporting the plan?
Cost can enter the equation, whether or not a company buys devices (or provides a stipend to offset the cost) because security and management requirements for these devices also mean new software, time to develop new processes and policies and increased monitoring. Plus, many such devices work according to contract. When employees rely on such devices for work, companies may end up footing the bill. In a nutshell, BYOT is complicated, which has a variety of cost implications, many of which have not yet been fully realized.
There is some evidence to suggest that this is the case. CIO Magazine did a survey in August of 2011 and found that:
Nearly one-third (31 percent) of technology decision-makers currently encouraging or requiring BYOT have reduced both hardware spending and labor for support, as a result of allowing employees to bring their own technology to work, while 9 percent have lowered hardware spending and 5 percent have reduced labor for support. Forty-three percent aren’t able to quantify the cost savings to their company, as a result of BYOT.
Challenges in BYOT - It's all about Security
The biggest issue surrounding BYOT is security. Just consider how much BYOT can increase the scope of what must be policed by an IT department. People tend to have a computer and a couple of mobile devices, which means that a company that currently has 3,000 system machines could end up with 9,000 devices after implementing BYOT. Thus, the key issues become how to protect data and prevent data loss, how to authenticate users and applications, how to protect corporate systems from malware and how to stay on top of legal issues.
BYOT and Data Protection
Protecting company data is a big concern in BYOT, especially in industries that deal with sensitive data, such as health care. Because it is difficult to secure countless customized devices, many BYOT experts recommend imposing centralized data controls. This may mean using a virtual desktop system, so that employee work is only accessible and not processed via their devices. Another option is setting up centralized document stores with controlled access to secure documentation.
Applications present another issue in BYOT because they often involve data sharing. However, because apps also help user productivity, their risks must be weighed against potential benefits. This is more of an issue with Android devices because the app market for Android devices is much more open than the very closed system used for iOS apps. A mobile device management platform may also allow IT to blacklist and whitelist certain applications.
In terms of data loss, the issue is more obvious: Mobile devices are small and travel almost everywhere with their owners. This means they can easily be lost or left behind. In this case, most companies implement a procedure for wiping corporate data from a device. This is also enacted when an employee quits or is fired.
That said, Brian Duckering, senior manager with the Endpoint and Mobility Group at Symantec, says that heavy lockdown of mobile devices can render reduced usability for employees. Plus, focusing on the data loss risks presented by mobile devices overlooks more obvious ways that data can leak out of corporate systems, such as through social media or simply by being carried away on a USB device.
Malware Protection
Protecting corporate systems from malware is key, especially because some mobile operating systems have some pretty significant security flaws. For some companies, protecting against the various risks and threats present in different mobile operating systems is too big a challenge, and they opt to constrain users to one OS. User authentication also provides a degree of malware protection by providing some level of assurance that anyone who accesses corporate systems is, in fact, who they say they are. Companies also may restrict application downloads and access to ones that have been validated, signed and fingerprinted. This puts some restrictions on users, but attaining a free version of "Angry Birds" is not worth the risk of downloading malware to a corporate system.
Some risk also lies with employees. As such, they may be asked to agree to:
- Back up all data and apps on their personal mobile devices - but not to cloud-based services
- Destroy any sensitive company data upon leaving the company
- Immediately notify the employer when a mobile device used for work is lost or stolen
- Allow the employer to remotely wipe a mobile device after it is reported lost or stolen - even if the device contains personal employee data (apps, music, books, video, mail, etc.)
Legal Issues in BYOT
In October 2011, American health care company Baxter International had to stall its plan to allow employees to bring smartphones and tablets into the office when the company’s legal team raised concerns related to whether the company could remotely wipe employee phones to protect corporate data - a major BYOT security issue. Baxter's legal team realized the grey area within this type of e-discovery and was forced to set out policies and draw acceptable lines around how Baxter could weigh its desire to provide an employee benefit against sensitive data protection requirements.
Apps have raised other legal questions. We keep coming back to those pesky mobile apps, but they present real challenges in BYOT. For example, most apps include user license agreements. However, if a user agrees to a license on a device also used for work, is the user actually agreeing to a license on a company’s behalf? This is a question that has the potential to lead to a company's failure to comply with licensing agreements finalized by individual employees. Depending on how an organization’s legal department feels about this risk, this issue may need to be addressed prior to BYOT implementation.
Securing those Devices
For IT, there are a few key challenges related to BYOT implementation. These revolve around managing and securing mobile devices and entailed costs. Here, we’ll look at some of the common snags.
So Many Devices, So Little Time
As we’ve already discussed, one of the first steps in setting up BYOT is establishing employee and device policies. Then, it’s up to the IT department to monitor these devices on an ongoing basis. Policies should also be tweaked as required to meet an organization’s real-world needs. This can be accomplished through the use of any one of a number of mobile device management (MDM) software suites. But this is just the beginning. IT must also decide how heavily to govern employees’ use of their mobile devices. In many cases, this will depend on the organization’s needs and the industry in which they are operating. Here are some of the options:
1. Locking Down Devices
This means that users can’t switch apps, change configuration settings or modify email accounts. Access to non-corporate wireless networks may also be prohibited. This is the most secure option, but it’s also the least useful for many employees. It also seems to defeat the whole purpose of BYOT. Imagine the conversation with the employee who just plunked down $500+ for a new iPhone, only to be told that he can’t use the majority of its functionality. While locking down is always the easiest from a security perspective, it is becoming much less practical.
2. Restricting Purchases
This limits the mobile apps and other content the device can download.
3. Restricting Content
This limits the content a device can access, perhaps blocking social media or video websites. This might be an appropriate security tool for devices that customers might see, such as those used in sales.
4. Allowing Preconfigured Settings
This is a more permissive model, where devices automatically configure corporate services and accounts such as VPNs, user emails and Wi-Fi. This gets users up and running in an efficient way.
5. Applying Message/Roaming Restrictions
This type of management is especially important when a company is footing the employee’s wireless bill. This ensures that when employees use their phones to call home on vacation, the company doesn’t take the hit in terms of roaming charges. Be careful though. While no company wants to pay for roaming while an employee is vacationing in Mexico, you definitely don’t want to cut off all access to your boss when he heads to London for that big meeting.
6. Enforcing the Use of Pre-Installed Apps
If only pre-installed apps are allowed, this can prevent issues with downloading malware in apps or even just improve productivity by ensuring company devices aren’t loaded with time-sucking games and other non-work-related programs.
7. Imposing Synchronization Restrictions
This limits the computers and services a device can turn to for backup, which helps prevent employees from creating company data backups (thus preventing data loss).
8. Setting up Secure Access
This is the configuration of security services to ensure that data is securely uploaded/downloaded. This could mean VPN, as well as secure socket layer (SSL) certification.
9. Creating a Dedicated Corporate Container
This involves creating an encrypted data store on devices, so that even compromised devices are afforded some protection.
10. Enabling Business Cloud Service
The device is preconfigured to provide access to company-managed cloud services and applications.
11. Disabling Personal Cloud Service
This entails allowing employees to access cloud services for work applications but not for personal use. While this may be desirable in terms of productivity, this level of security is not likely to be possible in employee-owned devices.
12. Location Data Restrictions
This prevents a device from using location services or accessing apps that work with location data. This is a difficult challenge because apps increasingly use location-based data.
13. Enabling Virtual Desktops
This involves providing access to company data through a secure virtual desktop. This is a good measure for any field where security is paramount.
Part of the issue with all these restrictions is they are eerily similar to restrictions placed on company-owned technology. This is why corporate BYOT policies are so important. After all, no company is going to allow a free-for-all that puts its corporate data at risk. Some of these policies include placing employee limitations on BYOT and educating employees on security best-practices. So, a company might restrict employee work devices and educate employees on their responsibilities, in terms of safeguarding, updating and applying bug patches to these devices. This isn’t a foolproof security strategy, but it does help reduce some of BYOT's major risks.
Centralized controls, whereby employees agree to allow employers some measure of control to wipe their devices under certain circumstances and locking down access to data, is another practical option. Rather than allowing data to exist on a number of separate devices, data centralization may involve the use of virtual desktops. This allows data to be processed and stored in a centralized location, while security settings indicate data that may be read and/or updated by employees.
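Several of the controls described above (enrollment, remote-wipe agreement, a single supported OS, app blacklists and validated signers, synchronization restrictions, the corporate container and the virtual desktop fallback) can be combined into one device posture check. The following is an added example, not part of the original article or of any MDM product; the policy values, field names and the three-tier outcome (full access, virtual desktop only, deny) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for illustration; identifiers and fingerprints are made up.
POLICY = {
    "allowed_os": {"ios"},                        # company constrains users to one OS
    "blocked_apps": {"com.example.filedrop"},     # blacklisted package (hypothetical)
    "trusted_signers": {"a3f1c0de", "77b2e9aa"},  # fingerprints of validated signers
    "allowed_sync_targets": {"corp-backup"},      # synchronization restriction
}

@dataclass
class App:
    package: str
    signer: str  # signing-certificate fingerprint reported by the device agent

@dataclass
class Device:
    owner: str
    os: str
    enrolled: bool
    wipe_consent: bool          # employee agreed to remote wipe
    container_encrypted: bool   # dedicated corporate container present and encrypted
    sync_targets: set = field(default_factory=set)
    apps: list = field(default_factory=list)

def evaluate(device, policy=POLICY):
    """Return (decision, reasons): 'full', 'virtual_desktop_only' or 'deny'."""
    hard, soft = [], []
    if not device.enrolled:
        hard.append("device not enrolled")
    if not device.wipe_consent:
        hard.append("no remote-wipe agreement on file")
    if device.os not in policy["allowed_os"]:
        soft.append(f"unsupported OS: {device.os}")
    if not device.container_encrypted:
        soft.append("corporate container missing or unencrypted")
    for target in sorted(device.sync_targets - policy["allowed_sync_targets"]):
        soft.append(f"unapproved sync target: {target}")
    for app in device.apps:
        if app.package in policy["blocked_apps"]:
            hard.append(f"blacklisted app: {app.package}")
        elif app.signer not in policy["trusted_signers"]:
            soft.append(f"unvalidated app signer: {app.package}")
    if hard:
        return "deny", hard + soft
    if soft:
        # Data stays central: the device only views a virtual desktop.
        return "virtual_desktop_only", soft
    return "full", []

def sample_inventory():
    """Three constructed device records, as an inventory export might list them."""
    return [
        Device("alice", "ios", True, True, True, {"corp-backup"},
               [App("com.example.mail", "a3f1c0de")]),
        Device("bob", "android", True, True, False, {"corp-backup", "personal-cloud"},
               [App("com.example.game", "deadbeef")]),
        Device("carol", "ios", False, True, True, set(),
               [App("com.example.filedrop", "77b2e9aa")]),
    ]

if __name__ == "__main__":
    for dev in sample_inventory():
        decision, reasons = evaluate(dev)
        print(f"{dev.owner}: {decision}")
        for reason in reasons:
            print(f"  - {reason}")
```

Note that the blacklist is checked before the signer list, so a blocked package is refused even when a trusted signer's fingerprint is attached to it.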
How to Implement BYOT
BYOT is considered the future of office technology - and the future is now. Many companies will not be able to avoid implementing some form of BYOT, especially once competitors jump on board. But what companies can do is start small.
According to John Dale, a product manager for mobile device management company Fiberlink, the key is to start with just a handful of employees. This allows companies to test out new policies and work out the kinks. The next step is to set up a mobile device management solution. Whether this means buying a full platform or using existing device management software and integrating it with other security and management technologies, determining how a company will manage all the new devices in its network is key. From there, companies just need to implement careful monitoring, be responsive to problems and continue to enforce BYOT policies. It won’t be a downhill ride, but many employees are ready and waiting to plug their work lives into their increasingly digital existence, making the journey toward BYOT inevitable for many industries.
Conclusion
BYOT has grown from a trend to a full-fledged reality in many offices. This move can offer benefits to both employees and companies. But BYOT isn't as simple as just letting employees bring and use their own devices, particularly in industries that deal with sensitive information. Here, we recap what we've covered in this tutorial.
- In the past, many employees used a computer at work, and perhaps another at home, but there were few options for bringing the two together.
- Many employees now have their own devices. Rather than carry two pieces of equipment, they’re looking to use just one - and preferably one they’ve chosen.
- There are two factors that explain BYOT's growth and persistence: The increased availability of cloud services and the increasingly blurred line between personal and work time created by this 24/7 access.
- Rather than look like the office bad guy, many IT departments are going to have to move toward adopting BYOT-friendly strategies.
- For many companies, a solid BYOT strategy will include mobile device management (MDM), policies, technology and the secure application of such technology.
- BYOT implementation steps should include: Assessing the risk, creating BYOT policies and choosing and applying the technologies that match company requirements.
- BYOT has some key benefits for companies. These include increased productivity, increased employee satisfaction and retention, the ability to delegate device responsibility to employees and, in some cases, lower costs.
- Costs are a contentious issue in BYOT. Even if employees buy their own devices, managing them may involve additional company costs. BYOT is complicated, which has many implications in terms of cost, many of which have not yet been fully realized.
- The biggest issue surrounding BYOT is security, which can significantly increase the number of devices policed by an IT department.
- Protecting sensitive data, guarding corporate systems against malware and avoiding legal issues associated with corporate access to private devices and complicated licensing agreement issues are key considerations for companies looking to implement BYOT.
- There are a number of options for companies seeking to control employee mobile devices. These include:
  - Locking down devices
  - Restricting employee purchases
  - Allowing preconfigured settings
  - Applying message/roaming restrictions
  - Enforcing the use of preinstalled apps
  - Imposing synchronization restrictions
  - Setting up secure access
  - Creating a dedicated corporate container
  - Enabling business cloud service
  - Disabling personal cloud service
  - Setting up location data restrictions
  - Enabling virtual desktops
- Centralized controls, whereby employees agree to allow employers some measure of control to wipe their devices under certain circumstances and locking down access to data, is another practical option.
- Many companies will not be able to avoid implementing some form of BYOT, especially once competitors jump on board.
- Companies looking to implement BYOT should start with a handful of employees to test new policies and work out kinks.