BYOD is here to stay, but the road to success has many obstacles.
More than 75% of businesses now allow employees to bring their own devices, according to research firm Ovum, and Gartner predicts that half of employers could make bring your own device (BYOD) mandatory by 2017. With BYOD programs rapidly moving from nascent pilots to primetime deployments, the stakes are growing. Gaps that were once inconsequential could soon have major security and cost implications. As such, it's important to take stock of BYOD's pitfalls and how to avoid them.
Don't try to ban BYOD. This horse has not only left the barn, but will trample any IT department that intends to stand in its way. There may be use cases that are inappropriate for BYOD, such as specialized mobile health care devices or ultrabooks that carry classified data. But nearly every company has employees who buy and use their own phones and tablets, and those devices are going to find their way into the workplace. Enabling safe, monitored use under defined conditions is more likely to achieve positive results than a rigid ban that users will circumvent.
Don't skimp on policy. Surveys repeatedly show that many employers, despite widespread BYOD experimentation, don't have a detailed BYOD policy in place. For example, companies may allow employees to bring any device that supports Exchange ActiveSync, or allow Apple devices but not Android ones; neither rule amounts to a detailed BYOD policy. Rather, such rules leave gaping holes in visibility and security that could easily result in data breach or enterprise network penetration. BYOD policies should clearly identify who can use personal devices, which uses are acceptable and under what set of conditions. Furthermore, BYOD policies should define processes, rights and responsibilities, creating a written agreement between the employer and employee.
Don't treat personal devices like corporate ones. An iPhone procured by IT for business use and an iPhone owned by an employee for mixed personal and business uses are fundamentally different. Obviously, device capabilities and supported controls are identical; the distinction lies in how they're used. Remotely locating or wiping a lost personal device is fraught with ownership and privacy implications. This is where a well-designed policy can help, because it establishes mutual expectations and a legal foundation for taking IT action to protect corporate assets.
Don't equate bring your own device with "bring anything." As noted above, a good BYOD policy establishes rules for acceptable use, which includes minimum criteria for authorized devices. Every mobile device make/model and operating system/version has strengths and weaknesses. Set a bar for each permitted business use case. Personal devices that don't pass muster might only get guest Internet access or be blocked from the network altogether. For best results, tie acceptance criteria to business risk, helping workers understand why certain devices cannot be used for certain tasks and making it easy to find and buy acceptable personal devices.
Don't base BYOD policy on one mobile OS. It might be tempting to focus on today's hottest devices and the operating system they run, but in the BYOD world, change is continuous. A few years ago, who would have predicted that Android phones could outsell iPhones? Two years ago, who would have predicted that touchscreen tablets would erode laptop sales so quickly? This year, tablets are shrinking and morphing into phablets. Companies that adopt an agile BYOD strategy that can accommodate market change will have the greatest success in boosting mobile business productivity.
Don't become over-focused on devices. While some degree of mobile device management (MDM) is the cornerstone of many successful BYOD initiatives, an employer's goal is not really to manage the devices; rather, it is to enable safe device use. This often means controlling access to and storage of business data and applications, while giving workers the latitude to freely use personal data and applications. For example, some employers find it better to install self-authenticated, encrypted business applications, making it easier to configure, monitor and remove the application and its data without affecting personal use.
Don't impose impractical controls. This is a lesson that many employers learn the hard way when they configure all the available device and security settings without first assessing the need to do so or how it will affect productivity. For example, mandating a very short inactivity time-out and a complex passcode is a recipe for frustration and failure, fostering noncompliance and heated help desk calls. Instead, consider requiring only modest PINs, backed up by secondary authentication on business apps. Proactively seek balance between productivity and risk for each use case, and do real-world pilots.
Don't invade employee privacy. Just because an employee's personal device can be GPS-tracked doesn't mean you should record its location 24/7. Retrieve only the information required to satisfy business needs, document in policy what you intend to access or store, and require worker consent as a condition of authorizing the use of personal devices for business. Benefits of a lighter touch include better worker acceptance, easier compliance with national data privacy laws and lower risk of inadvertently breaching or destroying users' personal data.
Don't stop with BYOD security. Top BYOD concerns tend to center on risk management, including loss of corporate data, unauthorized access to corporate applications, and compromises due to mobile malware and phishing. Mitigating such threats is clearly important, but doing so is rarely enough to make a personal device a highly productive business tool. Push your BYOD program further by using mobile application management and mobile document management to recommend or pay for productivity apps and install and configure enterprise apps and documents that workers need to do their jobs.
Don't take your eye off the BYOD ball. Even with sound policies and a mobility management infrastructure, consumer devices are by definition impossible to fully anticipate. Use discovery and fingerprinting to maintain awareness of personal device use in the workplace. Use application-layer traffic monitoring and controls to understand what users are doing with their devices at the office and how they affect network performance and availability. Use MDM to detect and enforce BYOD policy compliance. The more you can automate, the better off you'll be as BYOD demands mushroom.