By Kevin Mortimer, Managing Director, Triple4
The age of bring your own device (BYOD) is upon the custodians of IT infrastructure and IS accessibility. Gone are the days when staff were happy having a slow device that they were required to use for their daily tasks. The user is demanding better technology and better accessibility. They are perfectly entitled to, especially if one considers that the mobile device they can contract via their cellular service provider is in all likelihood a match for, if not superior to, the company-owned asset in specification and capability, an asset that has most likely been abused by a director or someone else for a year or two before being handed down.
This poses interesting questions for those individuals who now have to allow these devices into their previously secure and sacrosanct environments. The top five that should be foremost are:
1. How do I protect and secure the sensitive corporate data that will invariably be stored on these privately owned devices?
Probably the most important consideration is the data that the user will have stored on their device. In most cases this is limited to email, especially if the organisation is using a centralised content management system. Mobile device management technologies should be selected that will allow the ICT department to remotely control the device and, most importantly, wipe the device should it be compromised or stolen.
2. How do I impose corporate governance on these devices, and to what extent when they are not my assets?
This becomes a business decision. Firstly, since the business is allowing private devices, it does have a say in what kind of data is allowed. However, since it is still a private device, concessions such as family photos and music must be made. Allowing for this also creates a happier user due to the level of personalisation. Secondly, with regard to applications, since the device is now in essence a corporate device as well, the business still has a responsibility to ensure legal use of software and must conduct regular software compliance audits. Software Asset Management, combined with Mobile Device Management and Managed Service Platforms, addresses these concerns.
3. In providing Mobility services to personal devices, how can I ensure I’m not opening myself to malicious attack from the outside?
This is entirely an IT infrastructure discussion, and perimeter security combined with encryption technologies, claims-based authentication and encrypted data tunnels is paramount. The world of security is a constantly shifting minefield which requires constant revisiting and testing. Deploying application virtualisation and content management systems improves the control the IT teams have over the connections and the extent to which data is distributed.
4. Is our corporate policy sufficiently updated to cater for BYOD?
In all likelihood, no. Corporate policies are seldom living documents and are rarely revisited and updated. Since the business is allowing private devices to hold corporate data, the policies must be updated. In most cases, these updates are numerous due to the great differences inherent in the two device strategies.
5. Does our disaster recovery plan and strategy still work with BYOD?
If all of the above has been deployed and implemented in the business, then the business continuity plan needs only minor adjustment. The IT continuity component of the business continuity strategy will in most cases simplify and become more streamlined.