Companies struggle with BYOD, CYOD enforcement
As companies worldwide accept the need to support personal devices, those devices are creating additional worries for IT professionals. If not secured correctly, devices introduced to the company network can compromise sensitive data, which makes BYOD (Bring Your Own Device) a hot topic on a global scale.
A recent report by Acronis found that almost 60 percent of companies surveyed have no active BYOD policy. In addition, those who do have policies in place typically exclude senior executives, although they have access to the most sensitive data. The risks of using public clouds such as Dropbox are underestimated and many do not enforce secure passwords on devices to prevent unauthorized access.
Today’s IT professionals need more control over personal devices, and one way to do that may be through CYOD (Choose Your Own Device), which enables companies to secure applications and allow programs with verifiable business benefits.
BYOD policies typically support specific platforms (iOS, Android or BlackBerry) with no restrictions on device selection. CYOD goes one step further, allowing companies to specify a range of devices that complement enterprise security requirements. That means they may exclude earlier OS versions with known vulnerabilities that cannot be patched.
“CYOD can align technology with business objectives and desired outcomes,” explains Brian D. Kelley, CIO of Portage County Government in Ohio. “IT consumerization is driving technology in business and government, with complications for IT security for devices that were not initially considered for enterprise use.”
Consumer-oriented devices generally have a short lifespan and are designed to generate frequent sales for the latest upgrades. In such cases, security and management are often an afterthought, with the focus being a rush to the consumer marketplace — which means a quick development process.
“CYOD is really about allowing users to be most productive along with being able to enforce IT security and corporate intellectual property rights,” says Chad Holstead, president of Business Knowledge Systems, a Plainfield, Ill.-based IT and management consulting firm. “IT is not about trying regain any control; as a matter of fact, they are loosening the reins a bit to increase end user productivity.”
BYOD vs. CYOD
BYOD is here to stay, but a balance is needed where company interests and employee requirements are met and CYOD can help to ensure security and productivity tie in company interests. Selection of prominent manufacturers and modern OS versions can reduce intrusions or prevent exploits that are linked to an earlier OS or with rooted or jailbroken devices.
Certain peripherals and accessories may work with some devices but not with others, which is especially important for employees with disabilities. Dana Marlowe, principal partner and co-founder of Accessibility Partners LLC, a Silver Spring, Md.-based accessibility and information technology consulting firm, says, “BYOD is such an inexpensive accommodation, and people with disabilities really use and rely on these in the workforce.”
Kelley says that company-wide adoption of BYOD has not yielded quantifiable benefits in productivity and users need to be made accountable for their actions when using personal devices during working hours. “All legal implications for companies and employees have yet to be ironed out as the whole area of BYOD is relatively new, with examples of employee baby pictures being wiped remotely from an employee’s personal device. Hackers and cyber criminals will target personal devices as they will be less secure than company networks.”
Platforms and devices
A company-approved list of devices based on the operating system or device manufacturer is essential in business so IT professionals can identify specific features that allow them to maintain security. For example, Apple devices were mentioned in the Acronis survey, with 57 percent indicating that these were difficult to secure, citing compatibility and interoperability as the main issues. Despite this, 65 percent of companies will support these devices. One example is the iOS platform’s incompatibility with Google Apps, which many use for contact management and other collaborative tasks.
User access to network resources is typically controlled by using various access levels according to employee roles, with senior roles receiving access to more data and resources.
Marlowe says it’s unfair and impractical to assume a one–size–fits–all mentality with technology, and sometimes you just have to trust a user. “We have a very strong and favorable B/CYOD policy. When someone in our company purchases an item like a tablet, accessible computer or especially phone, and pairs it with the proper assistive technology, they can create a device that truly works for them.”
But Holstead says that device selection depends entirely on the environment.
“For highly secure offices like banks and the like, I prefer BlackBerry devices because of the security between the device and the local server. However, for cost management and ease of use I prefer the Android or iOS devices.”
“It is far better for the company to provide devices, as it allows full control of each device where the remote tracking, wiping and user privacy considerations are less of a concern,” Kelley adds. “It also allows them to meet possible e-discovery requirements and enable full tracking and management of all data, including text messages.”
Some brands of computers caused reservations from those polled in the Acronis survey but changes are in the pipeline for all devices as companies demand more enterprise security features to protect data and comply with e-discovery and BYOD requirements.