Dictate the mobile device or let the user decide?

The list of benefits for the Bring Your Own Device movement is long, but so is the list of associated risks. Is the time right to connect employee gadgets to the company network, or should we be more circumspect?

The “bring your own device” (BYOD) revolution seems to be in full swing. Although I believe this is a trend that Information Technology (IT) professionals should eventually embrace, it is necessary for IT pros to set some ground rules. These ground rules should consider topics such as, which types of mobile devices will be allowed and how these devices can be used. Without ground rules we will introduce excessive undue risk to everyone involved. In fact, we may also introduce cultural changes that neither employers or employees anticipate.

Mobile devices are one of the biggest risks IT professionals have to deal with. Laptops, iPads, smartphones and other mobile devices are a challenge on a good day, but trying to deal with various types of devices you don’t own makes things much harder.

The possibility of unknown or unfamiliar operating systems, unknown patching status, and other unknown vulnerabilities quite frankly scares me more than a zombie apocalypse. Add to that, not knowing what antivirus, encryption and password requirements are on these devices keeps me up at night.

The lack of device standards and ownership is the real problem. I realize organizations can make users sign agreements that give us permission to manage, or partially manage, a user’s personal device. But let’s face it, users do not have the same security mind-set as IT security professionals.

Imagine a scenario where a user loses a personal BYOD device and doesn’t report it because they don’t want you to wipe it in case it turns up. It’s not that this user is unconcerned about information security, it’s just that they took pictures of their new baby and haven’t had a chance to upload them to their PC. All you can hope is the device is at their home and not on the bus they just got off.

Unfortunately, this type of thing is common. Working in the healthcare industry, I am aware of stories of employees leaving sensitive data on public transportation or data being stolen from vehicles. Sometimes, these stories end in federal fines. In my opinion, business use of personal devices would give employees in this situation more incentive to not report or delay reporting the lost or stolen device.

There are a slew of other problems with allowing users to decide what device they will use, and some are bad for users while others raise issues for organizations to deal with. For example, issues such as privacy concerns and work and life balance are topics that should concern all of us.

Consider the scenario where your employer is managing or partially managing your personal smartphone via a mobile device management (MDM) application. Many of these applications allow for GPS logging of managed devices. So, imagine your surprise when your boss asks why you spend so much time at the local bar.

Many employers are, in fact, taking an increased interest in the personal behavior of their employees. I know of many healthcare employers who are now refusing to hire smokers because they add an increased cost in terms of sick days, health insurance, and lost productivity. Are employees really ready to be tethered to employers like this?

Don’t get me wrong, I believe BYOD will eventually be the norm for most of us, however, there are limits and issues to consider before we move too far, too fast. Even when IT pros understand the equipment in the environment and the vulnerabilities they possess, we have a difficult job. To move forward with the BYOD revolution safely, organizations must set standards that dictate what kinds of devices can be used and how they will be managed.

There must also be clear and consistent user accountability when using these devices. In addition, we should all go into this knowing the pros and cons of how this strategy will affect us beyond the direct IT security concerns. With all that in place, we may have a fighting chance of making this work. Without it, we will surely be seeing even more breach stories on the nightly news.

Communication is going mobile, with employees no longer chained to their desks or anchored by 9 to 5 schedules, and it is best to let workers pick the tool that will magnify their efforts in this new world. It’s a fool’s game to dictate what mobile devices your employees use, and one that requires more support in the end as the more you say “no” the less secure the organization becomes.

Untying conventional binds has enabled employees to act faster and be more responsive and more productive. As a result, the millennial workforce is a master of digital technology and relentless seekers of productivity.

Bring Your Own Device (BYOD) programs are essential for these mobile workers, who are big consumers of mobile technology and carry, on average, 3.5 devices. As the iPass Mobile Workforce Report shows (see http://mobile-workforce-project.ipass.com/reports/q4-report-2011), 91% of mobile workers today use their smartphones for work, and tablet ownership in this group has rapidly grown to 72% since the launch of the iPad. What’s more, the boundary between their work and personal life is permeable, and they put an average of 50 hours per week into their work roles.

Mobile employees aren’t just the senior executives, but a workforce that spans generations and is not defined by age or sex but by needs. In fact, these workers are the talent that progressive companies want to acquire, and BYOD programs help lure and retain them.

Forward thinking IT departments recognize the shift and haven’t just adapted to mobile, they have redesigned the systems and processes to make mobile their primary goal. Mobile is forcing the evolution from tightly coupled command-and-control based IT services to “cafeteria” options best fit for maximizing productivity.

However, IT can still control the data and provide security and access with a tight menu of evolving services tied to operating systems that workers can adopt — especially as more applications move to the cloud. From device security, data availability and access methods, IT can sanction BYOD as a policy without giving up control or negating responsibilities.

IT has the right to set guidelines around BYOD in the workplace and also has the right to monitor and track usage against those guidelines. By enabling people to access data, applications and corporate networks using personal devices, IT is keeping employees fast, productive and efficient — exactly how today’s Millennials work.

The tightly coupled command and control model that existed previously for IT with desktops and laptops is fraying at the edges. It’s a myth that laptops are secure; they are arguably more vulnerable than the simpler mobile devices available today. Lost laptops alone cost nearly $4 billion in 2010 according to an Intel study, and software to “secure” each corporate laptop adds hundreds of dollars to the price tag.

Today’s mobile devices are arguably a lot less vulnerable than most laptops and are built from the ground up with more security forethought than the older PC based operating systems, including features like remote-wipe, lock out and location built directly into the OS.

Yes, BYOD is more than just a device liability problem; there are data and cost issues that need to be addressed. There is the potential for data usage “bill shock” and roaming bills can be egregious. Devices are cheap, it’s the networks that are expensive, and wireless costs will rise as mobile application use escalates. All the while the new applications need connectivity like we need oxygen.

IT has long struggled with effective control of mobile and travel related connectivity expenses and attempts to centralize the costs have met with limited success. The emerging Mobile IT model to “sponsor” services tied to company policy and guidelines and enable the employees to opt-in is starting to gain acceptance. Enterprise CIOs are already forming mobile IT teams that are working with IT vendors and services companies to support a mobility strategy that gets them there.

The point is mobility isn’t just a special-use case anymore, it has become the norm for most employees and organizations that embrace BYOD will get the most bang by enabling the worker to pick the tool that they believe best fits their need.