Here’s a question — if I use my personal smartphone to access emails, calendars and corporate contacts (which I do), does my employer have anything to worry about? So far, it’s been going well. My device is secured with a password and a mobile management suite that can delete data if it’s lost. I’m even using my own laptop to type up this article, instead of a company-issued one.
Certainly, I’ve embraced the BYOD trend with gusto. But is this a safe way to go about things? Am I inadvertently putting my company’s data at risk? And if I am, what can be done to remedy the situation?
“The challenge that the Middle East and Africa will face with BYOD is introducing, and managing, a solid security strategy,” says Osama Al-Zoubi, Senior Systems Engineering Manager, Cisco Saudi Arabia. “As more and more employees are using devices for both personal and business activities, the issues with potential loss of confidential company data increases as IT departments are less in control.”
His comments reflect what is becoming a burning issue among regional IT departments — as more employees demand to use their personal devices for work, IT managers are struggling to both accommodate them and safeguard confidential company data.
There’s no denying that BYOD is beginning to take off around the region. Indeed, according to Leif-Olof Wallin, Research Vice President, Gartner, you’d be hard-pressed to find any company in the Middle East that isn’t struggling with BYOD in some form or another.
“An organisation that claims they don’t have BYOD usually needs to look harder for it,” he says. “Generally, you might find executives taking notes on personal iPads in sensitive meetings, or other employees taking a photo with a smartphone to document the sensitive content of a whiteboard. Resisting BYOD will become increasingly difficult, as it often comes from the top as a mandate.”
Maan Al Shakrachi, Networking Solutions Sales Leader, Middle East, Africa and Turkey, Avaya, adds that the uptake of BYOD is steadily increasing in the Middle East. “The Middle East has always been keen to adopt all sorts of new technologies and BYOD trends are no different as it can be clearly seen in many public and private entities across all industry verticals. His Highness Sheikh Mohammed has just recently announced moving from the e-government towards the mobile government model, where people will have the capability of accessing all sorts of government applications and information they need using their own devices anytime, anywhere, to accomplish their tasks. This reflects the importance of BYOD in this region, and the innovation that our leaders are building on it,” he says.
But while the trend is somewhat unavoidable — not least because it can save organisations huge amounts of money — this doesn’t mean that business leaders are wrong to be concerned about their data. Shakrachi explains the problem.
“Employees with critical company information on a personal device take that device with them everywhere. That means that, if it is lost or stolen or even misused by a family member, financial applications or important data can easily be swiped or stolen. This risk doesn’t only apply to handheld devices, but also personal laptops where certain security policies may not be in place, such as the latest anti-virus, patches, or personal firewall, which can easily put a network at risk,” he says.
So how can companies get around the worries over data loss while also providing their employees with what they want? According to Ian Lowe, Senior Product Marketing Manager, Identity Assurance, HID Global, there are three key factors to a successful BYOD programme: policy, security and education.
“It’s important that you have a clear policy around your BYOD strategy. It’s not just about control; it’s about enabling secure, trusted and convenient access. Be sure to implement security that has minimal impact on the employee’s experience, whilst maintaining the levels of security that your organisation is happy with. Provide clear guidance on best practices for use of personal phones and tablets in the workplace. Ensure employees know how to act responsibly when using their personal devices for professional purposes,” he says.
Some organisations, however, opt for a semi-BYOD policy — they’ll allow their employees to use their own devices so long as they comply to a list of company-approved devices, taking any mystery out of what smartphones and tablets the network will have to accommodate. Wallin believes that this — or at least offering a list of supported platforms — is a good way to go about things.
“iOS is a natural platform to include,” he says. “Windows Phone 8 and BB10 are also meeting most enterprise requirements. Android requires a more thoughtful approach as securability and manageability varies greatly between the versions of Android as well as between vendors.”
However, Nicolai Solling, Director of Technology Services, Help AG, says that, while it would be ideal for companies to be able to dictate which devices their employees buy, it wouldn’t really amount to BYOD. He says that BYOD is an employee-driven phenomenon, so companies need to find out how to support every operating system.
“An organisation that has taken the leap of faith and decided to support BYOD should invest in technologies which ensure that it is implemented in the most secure way possible. This should include support for the major mobile operating systems such as iOS, Android and Blackberry,” he explains.
Whichever devices the company decides to support, though, it’s a given that it should have some degree of control over the employee’s device. However, this presents a dilemma because, at the end of the day, the employee owns the device, meaning he or she may not be happy with the company having access to everything on it. On the flip side, the company will own much of the data on the device, meaning the employee should relinquish some control. According to Wallin, just how much control a company should have over the device is still a delicate area.
“Most employers will have a policy about what they do with a personal device and how they’ll handle any information they collect (like location of device). In general, these tools provide access to a lot of potentially sensitive information. In real life, most organisations are able to sensibly handle the difference between private and company information,” he says.
To keep both parties happy, Sowri S. Krishnan, Vice President for Mobility, Cognizant, suggests finding the “middle path” between the two extremes of the complete freedom that employees desire and the full control that organisations seek over devices.
“Implementing the BYOD strategy is possible only with a comprehensive policy. To develop an effective policy, organisations need to define and understand factors such as which devices and operating systems to support, security requirements based on employee role and designation, the level of risk they are willing to tolerate, and employee privacy concerns,” he says.
According to Tareque Choudhury, Head of Security and Advisory Services, BT, this trust issue is beginning to improve — it seems that employees are happy to give up a little corporate access if it means they can use their own devices.
“Many employees — 66 percent of those surveyed [in over 2,000 in cross-regional and sectoral interviews during the BT and Cisco Beyond Your Device research project] — are aware of what their employers have in place by way of a security system, a number unchanged from 2012. But only 42 percent of those who are being monitored by their employers are concerned by that fact. That number was 46 percent in 2012, indicating the possibility that employee trust of their employer may be on the rise.”
Get the balance of trust right, and the experts suggest that the benefits of BYOD are more than worth the risk. Cisco Consulting Services estimates that the annual benefits of BYOD range from $300 to $1,300 per employee, depending on the employee’s job role, according to Al-Zoubi. And Wallin says that BYOD programmes empower users, improving their personal productivity.
Choudhury explains a little about why organisations are working out how to mitigate the data-loss risks associated with BYOD to accommodate their employees.
“BYOD policies are popular, and popular programmes help to improve worker efficiency, happiness, and productivity. In addition, they have the ability to greatly affect innovation amongst smart device users. Many professionals — 76 percent of those surveyed — indicate that they believe their employers need to do more to fulfill the potential productivity inherent in smart devices. And 84 percent of IT managers believe that a BYOD policy conferred a competitive advantage,” he says.
Indeed, some companies have already found their mobility BYOD programmes to be so successful that they have extended them to include personal laptops and PCs.
Wallin says: “Some organisations are looking to introduce BYOD policies for PCs, very frequently in order to support Macs in the enterprise and sometimes to avoid a situation where the company issues corporate PCs to contractors and consultants.”
According to Help AG’s Solling, this is a natural progression, as people want to work with interfaces that are familiar to them. Of course, IT departments may squirm at the idea of allowing personal devices such as laptops into the work network — after all, they’re capable of storing much more data, and, if it’s a Windows laptop, the risk of malware increases, too. However, Solling points to desktop virtualisation as a solution to the problem — with this, employees using their own laptops needn’t be too much of a headache for IT departments.
“As efficient as employees may be with their smart devices, there are still a large section of employees who would prefer the familiar interface of a traditional desktop or laptop. This is why we are seeing increases in the number of organisations opting for desktop virtualisation,” he explains.
“I am definitely of the opinion that desktop virtualisation can assist in mitigating many of the issues with BYOD, simply because, once the user logs out of the virtual desktop, the data is removed from the device. In fact, the data was never there — only the VDI environment.”
Just how quickly companies begin accommodating personal laptops as well as personal mobile devices remains to be seen. However, if the experts are right, IT departments may soon have no choice but to accept that employees are going to use their own devices whenever they can. As Krishnan says, “Organisations currently have only two choices when it comes to BYOD — adopt it now or later.”
Later might be best for some companies, but there’s no doubting that change is on the way when it comes to securing corporate data. And what of me using my own devices for work? Well, just as the experts suggest, the IT department and I have a perfectly workable understanding over it. And it seems we’re both happy with the results.