|Issue:||North America 2013|
|Topic:||BYOD starts with security|
|Title:||Senior VP & Chief Information Officer|
Steve Phillips is Senior Vice President and Chief Information Officer for global technology distributor Avnet, Inc., where he leads the company’s global IT team. Mr Phillips came to Avnet when it acquired Memec, where he had served as Senior Vice President and Chief Information Officer. Prior to joining Memec, Mr Phillips held IT leadership positions at Gateway, Inc., Diageo, and Thorn EMI. Mr Phillips is Chairman Emeritus on the board of the Arizona Technology Council, and he serves as a director of Wick Communications.
Steve Phillips holds a BSc (Hons) in Electronic Engineering from Essex University, and a post-graduate Diploma in Management Studies from Thames Valley University. He is a Fellow of the Institution of Engineering & Technology.
BYOD is an important workplace issue. No matter what companies do, some employees will use their own equipment for work, so it is better to manage and safeguard that usage before a crises occurs - especially since there are some real business benefits. The main concern is security. Devices should be allowed access to company networks only if they support separate partitions for company data, remote wiping in the event of loss or theft, plus in-flight and local data encryption.
The ‘Bring Your Own Device’ or BYOD movement, where employees use personal devices to access corporate data and networks, is a seismic shift that companies can’t ignore, especially those with significant knowledge-based workforces in North America. Employees now have easy, affordable access to the latest technology from laptops to smartphones and tablets, and they want to use the devices they like best and are most familiar with at the office, whether or not the IT team approves. As a result, organizations are finding that if they don’t embrace BYOD and establish a formal policy, their device landscape will quickly turn into the Wild West, with employees putting company data on personal devices and downloading all kinds of applications onto company systems.
However, BYOD is not something t IT teams should fear if well planned and managed. When you think about it, it’s no longer logical to force employees to carry company-issued devices when their personal devices - their preferred devices - can do double duty. BYOD programs actually make good business sense, too. Companies that accommodate employees’ personal devices are investing in efficiency, productivity, and a more engaged work force. For example, a survey of mobile enterprise employees by iPass, at more than 1,100 enterprises worldwide, found that employees who use personal devices put in 240 more work hours per year than those who don’t .
This points to something that all savvy companies realize - the line between work and personal time is blurring. Many employees need to be in touch with work during off hours. Others need flexibility in terms of where they work - whether waiting for a flight at the airport, on the road visiting customer sites, attending conferences or even working from home. It’s natural that they’d want to work remotely with their preferred devices, which tend to be the ones that they always take with them.
Getting started - focus on security
As with any IT wave, there are organizations that will do BYOD right and those that will struggle. One of the greatest BYOD concerns is data security. Before embarking on BYOD, companies should diligently think through the security implications, keeping in mind that a major data breach or loss can wipe out the BYOD program’s productivity gains in an instant and create a significant risk for the company. Companies that do BYOD right are those that strike an effective balance between access and security.
Some IT organizations have taken BYOD as a license to throw open their networks by allowing access to any IT resources using any device. That’s tantamount to hoping and assuming that data can’t be lost, stolen or corrupted, but one of these outcomes is inevitable in a large network
As a CIO of a services company headquartered in North America with operations worldwide, security was my first priority when the movement to personal smartphones started a few years ago. Many of the lessons from that period apply to today’s efforts to integrate tablets and laptops into our North American BYOD programs.
At first, when our North American employees wanted to access the company network with personal smartphones, we evaluated each and every device through our security policies to make sure it complied with our guidelines. After just a short period of time, we realized what a challenge this created and how many valuable resources it consumed. As soon as we cleared one device, there were at least three more devices waiting to be vetted. We were maintaining our security policies, but at the expense of time and efficiency.
To overcome this challenge, we took a hardware-agnostic approach to accommodate smartphones faster without compromising our fundamental security needs. We stopped certifying individual devices and instead created a set of security standards. Any phone that met these security standards could be registered for the BYOD program and connect to specific resources behind the firewall, such as email, calendars and contacts. These key security standards included aspects such as the ability to:
• Accommodate a partitioning of their memories to keep all company data separate from personal data;
• Encrypt in-flight data [in-transit through a fixed or wired network] and at-rest data[written to storage, i.e. disks etc.]; and
• Wipe the company data remotely if the device is lost or stolen, or if the device owner leaves the company.
Finding a software solution that could perform all of these functions on the necessary scale was one of the hardest parts of the process. Mobile device management was an evolving area three-to-four years ago, and it took time and effort to make the rollout work. The software we selected supported iOS, Android and Windows devices, and we continued to support BlackBerry smartphones in the BYOD program since they connect through the secure RIM infrastructure. This enabled us to keep our smartphone policy hardware agnostic and truly give our employees a choice in the smartphones they use for work.
The BYOD smartphone program that my team and I developed has been running smoothly in North America. It provides employees with uniform capabilities across all compliant devices. Most importantly, employees are happy with the system. Our smartphone management process became the foundation for managing the inevitable demand to add other personal devices, such as laptops and tablets, to the BYOD ecosystem.
Beyond smartphones: secure BYOD for tablets and laptops
Our basic BYOD principles didn’t change when it came time to incorporate employee-owned tablets and laptops into our infrastructure in North America. We started with security, kept cost in mind, and wanted to remain hardware agnostic. However, the capabilities of the devices themselves created a greater challenge in expanding our policy to include more robust systems.
Tablets, a growing trend in mobile technology, were actually a fairly easy addition to the North American BYOD program from a technology standpoint. Running on the same operating systems as smartphones, they fit into the smartphone management infrastructure without a need for additional integration capability. We apply the same requirements to BYOD tablets that we apply to smartphones. They must support partitioning, remote wiping, plus in-flight and local data encryption.
That’s where the similarities end. Tablets and laptops can perform more tasks and store more data than smartphones. Laptops running the corporate OS also have direct access to the internal data file structure. Our employees want to take advantage of those capabilities to do more work on their personal devices. This combination raises a whole new level of security risks. We had to weigh our employees’ desires to perform more complex tasks on their mobile devices versus one of our top security priorities: keeping data behind the firewall.
We decided to provide BYOD laptops with network access through a virtual desktop infrastructure (VDI). Logging in via the VDI gives BYOD employees full access to the more than 100 applications in our network environment. To ensure security, employees can’t save data to their local hard drives; it is only accessible on personal devices through virtual desktops.
However, prohibiting downloads means that BYOD employees can’t work offline. They can only work while signed into the VDI to have data access. That restricts employees to areas with Internet connectivity. This isn’t much of a restriction with the availability of public WiFi in North America, but it is the next challenge we are looking to resolve and are currently exploring the availability of secure management solutions.
The big question: tech support?
While security is a chief concern for BYOD, it would be impossible to explore BYOD policies without also talking about technical support.
Without a clearly defined policy, employees who use personal devices for work purposes might reasonably expect the company to provide tech support. Many companies do provide some measure of tech support to BYOD employees, with a recent Gartner, Inc. press release showing that many enterprises surveyed indicated that they provide technical support for personal devices - 32 per cent of smartphones, 37 per cent of tablets and 44 per cent of laptops .
Our policy extends full tech support only to company-issued computers. For BYOD employees, our IT department maintains their virtual desktops, application infrastructure, and network connectivity on our end. Hardware, software and wireless connection maintenance for BYOD smartphones, tablets and laptops are the employees’ responsibilities.
Another employee responsibility is maintaining current licenses of operating systems and Microsoft Office. The company offers Microsoft Office at a discount through its employee purchase program. Our policy also recommends, but does not mandate, purchasing an extended service agreement and virus protection software. This recommendation endeavours to help employees maintain healthy systems and further protects their data.
Adapt and succeed
IT devices are ‘consumerised’. Long gone are the days when a company-issued cell phone or PDA was coveted, cutting-edge IT that employees felt privileged to receive and in many cases couldn’t afford on their own. Instead, employees can now access the latest technology at local malls and with a few clicks of the mouse when shopping online. They now expect to be able to use that latest technology at work.
IT teams need to recognize that employees are using and will continue to use personal devices for work-related reasons. It’s better to legitimize what they’re doing and put the proper management structure around it than pretend it’s not happening and waiting for the first crisis to occur. That said, BYOD is not just about bowing to the inevitable. It has tangible business benefits; for example by 24x7 access to business information and communications at work, home or on the road.
The end of companies’ IT monopoly alters the environment most of us are used to. But, as with any change, there are new risks and opportunities. An approach that starts with security will keep the risks low, allowing companies and employees to benefit from the BYOD movement.