To BYOD or not to BYOD
by Joshua Silberman, IT/Cyber Security Consultant, MGO Technology Group
Every organization needs a mobile device strategy for its employees. There is no way around it and there is no way to avoid it. Your organization must develop a clear policy for how your employees will use mobile devices to interact with your IT environment. Having no policy is no longer an option, as it will open up your firm to exposure from so-called ‘Shadow IT’: users will circumvent your IT infrastructure and e-mail documents over non-sanctioned channels so they can continue to work on their own mobile devices. Granted, a fully implemented mobile device policy may not eliminate these risks entirely, but it will go a long way toward reducing your organization’s overall risk exposure to a potential data breach. The first step in developing this policy is to answer a deceptively simple question: will your firm issue its own devices to employees or allow them to Bring Their Own Device (BYOD)?
Upsides and downsides of mobile device programs
There are two potential mobile device programs: BYOD and Corporate Owned Devices (COD). Since every organization is unique, we do not intend to make a recommendation as to which strategy might be better. Our intent is to examine both policies and help you identify whether one might be a better fit for your organization.
Before either of these programs is implemented, your organization will need Mobile Device Management (MDM) software. MDM is a crucial element to centrally manage and monitor any mobile devices that interact with your infrastructure. Your MDM must be in place before any device is allowed access to your network.
Examining a corporate-owned device policy
With COD your firm issues devices to your employees for corporate use and completely disallows the use of non-corporate devices within your corporate infrastructure. Your firm takes responsibility for the devices’ setup, maintenance, and troubleshooting. While this policy does increase the setup time needed to make an employee fully ‘active’ within your IT setup, it allows for complete control of the hardware and associated software that is allowed within your firewall.
This setup has the advantage of carrying the lower overall security concerns of the two policies. You can choose every feature that is allowed on the device, right down to personal logons and the actual applications allowed on the device. Since your organization owns the devices, they will already fall under any established guidelines the firm may have for governance of IT assets, and thus minimize or eliminate the need for any extra work from your legal department to govern employee behavior.
While COD does allow for increased security and governance, it also has an overall higher price tag, as your organization will be required to own every part of the mobile devices’ lifecycle, right down to maintaining a relationship with a cell phone provider to supply data services for the devices. As a result, the COD approach has the highest cost outlay of the two policies. COD will also have a higher cost in internal IT resources, as they will be called upon to maintain the device inventory, train the users if needed, troubleshoot, reclaim the devices from departing employees, and repurpose them for the next user as you would with any other end user IT assets. This is time that your IT department could be dedicating to other activities, so you will have to decide whether you want to add this responsibility to their overall workload.
The benefits and downsides of "Bring Your Own Device" policies
BYOD, as the name states, allows your employees to add their own devices to your corporate infrastructure. This approach eliminates many of the costs listed above, such as the outlay needed to procure and maintain devices of your own along with the need to maintain data plans for the devices. However, given the variety of handsets available to users in today’s market, your organization will have to spend more time setting up the actual policy to ensure your firm maintains a secure environment before actually rolling it out to your employees.
Beyond setting up the MDM, you will need to decide which devices, operating systems, and setups you will allow in your BYOD program. For example, you may be willing to allow iPhones and Samsung handsets into the program without additional security enhancements, but may require other Android-based handsets to be encrypted before allowing them onto your BYOD program. You will have to designate a team to continuously evaluate new handsets as they reach the market to see what setup changes might be needed to allow these devices onto your program.
In addition to researching and choosing the allowed hardware policy, your firm will also have to establish the BYOD onboarding policy for each individual device operating system to be distributed to the users once they agree to join the BYOD policy. Your IT department will have to assist the users in onboarding the device and will have to continue to troubleshoot issues such as connectivity to corporate services such as e-mail. Finally, it will be necessary to establish a legal framework beyond your regular IT policy to define the parameters in which your company can monitor and administer the personal devices allowed onto your BYOD policy. Most companies accomplish this by working with their legal department to draw up an agreement to be signed by the user that establishes the rights of the company to monitor, administer, and if need be, completely wipe the device using the MDM.
The most prominent argument in favor of BYOD is that all the costs for the resources listed above are up front. Once the MDM, policies, and procedures are in place, you need only worry about updating them rather than actively implementing them as you would with a COD policy. All of the other costs associated with the device are still the responsibility of the employee. However, this is also the most prevalent argument against BYOD from a security standpoint. While the MDM and legal agreement will allow your IT department to monitor the device for any potential vulnerabilities, you will generally not be allowed to actively manage it. The onus will still be on the employee to ensure the device is properly updated and that no suspicious software is added to it. While your IT department would be able to inform the employee of suspicious software or activity on the device itself, the only true recourse you would have to protect your environment would be to remove the device from the MDM and thus from the BYOD program.
Making the right choice for your organization
Both programs have their advantages and drawbacks. Both allow for mobile access to various company resources such as e-mail and file sharing. However, there are differences to consider within each program regarding cost outlay, day-to-day maintenance, and overall security posture. Of course, neither of these policies is set in stone. Many companies are experimenting with a hybrid option that would allow employees to choose between a company device and joining a BYOD program, in an attempt to fill the gaps present in both standalone programs. Each policy can be tailored to fit your company’s needs, but your IT department must make sure the proper back end work is done on both the MDM and the devices themselves to ensure that a proper IT security posture is maintained throughout your organization.