Challenges in BYOT - It's all about Security
The biggest issue surrounding BYOT is security. Just consider how much BYOT can increase the scope of what must be policed by an IT department. People tend to have a computer and a couple of mobile devices, which means that a company that currently has 3,000 system machines could end up with 9,000 devices after implementing BYOT. Thus, the key issues become how to protect data and prevent data loss, how to authenticate users and applications, how to protect corporate systems from malware and how to stay on top of legal issues.
BYOT and Data Protection
Protecting company data is a big concern in BYOT, especially in industries that deal with sensitive data, such as health care. Because it is difficult to secure countless customized devices, many BYOT experts recommend imposing centralized data controls. This may mean using a virtual desktop system, so that employee work is only accessed through their devices and not processed on them. Another option is setting up centralized document stores with controlled access to secure documentation.
Applications present another issue in BYOT because they often involve data sharing. However, because apps also help user productivity, their risks must be weighed against potential benefits. This is more of an issue with Android devices because the app market for Android devices is much more open than the very closed system used for iOS apps. A mobile device management platform may also allow IT to blacklist and whitelist certain applications.
In terms of data loss, the issue is more obvious: Mobile devices are small and travel almost everywhere with their owners. This means they can easily be lost or left behind. In this case, most companies implement a procedure for wiping corporate data from a device. This is also enacted when an employee quits or is fired.
That said, Brian Duckering, senior manager with the Endpoint and Mobility Group at Symantec, says that heavy lockdown of mobile devices can reduce usability for employees. Plus, focusing on the data loss risks presented by mobile devices overlooks more obvious ways that data can leak out of corporate systems, such as through social media or simply by being carried away on a USB device.
Malware Protection
Protecting corporate systems from malware is key, especially because some mobile operating systems have some pretty significant security flaws. For some companies, protecting against the various risks and threats present in different mobile operating systems is too big a challenge, and they opt to constrain users to one OS. User authentication also provides a degree of malware protection by providing some level of assurance that anyone who accesses corporate systems is, in fact, who they say they are. Companies also may restrict application downloads and access to ones that have been validated, signed and fingerprinted. This puts some restrictions on users, but obtaining a free version of "Angry Birds" is not worth the risk of downloading malware to a corporate system.
Some risk also lies with employees. As such, they may be asked to agree to:
- Back up all data and apps on their personal mobile devices - but not to cloud-based services
- Destroy any sensitive company data upon leaving the company
- Immediately notify the employer when a mobile device used for work is lost or stolen
- Allow the employer to remotely wipe a mobile device after it is reported lost or stolen - even if the device contains personal employee data (apps, music, books, video, mail, etc.)
Legal Issues in BYOT
In October 2011, American health care company Baxter International had to stall its plan to allow employees to bring smartphones and tablets into the office when the company’s legal team raised concerns related to whether the company could remotely wipe employee phones to protect corporate data - a major BYOT security issue. Baxter's legal team realized the grey area within this type of e-discovery and was forced to set out policies and draw acceptable lines around how Baxter could weigh its desire to provide an employee benefit against sensitive data protection requirements.
Apps have raised other legal questions. We keep coming back to those pesky mobile apps, but they present real challenges in BYOT. For example, most apps include user license agreements. However, if a user agrees to a license on a device also used for work, is the user actually agreeing to a license on a company’s behalf? This is a question that has the potential to lead to a company's failure to comply with licensing agreements finalized by individual employees. Depending on how an organization’s legal department feels about this risk, this issue may need to be addressed prior to BYOT implementation.