
Inside Internal Controls

News and discussion on implementing risk management


BYOD: Bring your own device is a growing business trend


Image: http://commscopeblogs.com

Since well before Information Technology PolicyPro (ITPP) was first published, it made sense, for good reasons given the technologies available at the time, to restrict devices connected to the corporate network to those owned and controlled by the enterprise and configured by IT. This is no longer the case.

Bring-your-own-device (BYOD) is a growing business trend that may have started with corporations providing tightly controlled BlackBerrys to their corporate executives and marketing force to serve as their mobile telephones and email workstations on the go. The falling cost of smartphones and internet tablets enabled employees to purchase these new digital devices for their own use, to take advantage of Internet access and to gain complex computing capability through an extensive range of readily available applications that are either free or inexpensive. While these devices may originally have been purchased for personal use, employees increasingly demanded to be allowed to use them in the workplace and to connect them to or through corporate networks.

BYOD is all about employees using their own preferred equipment with which they are comfortable on the job, on the go and at home. Further, the BYOD trend allows—even encourages—employees to use their own digital equipment for business purposes and converges the workforce’s business and personal life.

A comprehensive discussion of whether or not to implement a BYOD program is beyond the scope of this publication. The decision to implement a BYOD program must weigh both the tangible and intangible benefits to be derived from the program against the security risks to the corporation, costs of implementation, and ongoing maintenance costs of the program. However, various risks and costs may be inferred from the policies supplied in chapter 14 of ITPP.

Once the corporation has committed to BYOD for its workforce, implementation may vary in scope from simple Wi-Fi access for an employee’s personal device inside a corporate guest network to a full-blown BYOD program involving lists of eligible devices, IT guidance and restrictions on access to the corporate network and its data, security safeguards on the access points to the network and on the approved devices, real-time logging and analysis of network and data access, eligible application lists, application installation controls, policy setting, mapping of policies to users and devices, monitoring and supporting devices, and locking or wiping a device when the device is lost or stolen or a user with a BYOD-enabled device leaves the corporation.

BYOD devices

At the time of writing of chapter 14 of ITPP, these personal portable digital devices may be:

  • Laptops with all manner of operating systems such as Windows, Macintosh, Unix and its many variants, such as Linux, LynxOS and Red Hat Linux, and variations of public source Android
  • Smartphones such as iPhone, BlackBerry and those using Android variations
  • Internet tablets such as iPad, PlayBook, Windows and Android-based
  • Other devices not yet announced or even envisioned

Benefits of BYOD

There are benefits to the enterprise and to employees for allowing these types of connections.

  • An employee who needs to work while travelling on company business doesn’t need to carry two devices, the one supplied and managed by the company and the personal one for personal email and other communications
  • The company may be able to shift some expense of IT equipment and software purchases to its employees if those employees want to deviate from equipment or software supplied by the company
  • The IT group may cut back on certification of some equipment and software for which it is no longer responsible
  • Employees may be more productive using the same technologies at work as they use at home
  • Employees who used to forward email or email corporate data to their home computers for working off company premises can take advantage of cloud-based technology to synchronize their email with their own devices or make data available directly to their own portable equipment for continuing the work day off-site if needed
  • Employees may be more satisfied with the equipment and technology they use since they have their choice of technology and need not accept equipment and software that they are assigned by IT

Costs and risks

Unfortunately, some benefits may also be construed as negatives.

  • New hire candidates may view a BYOD policy as an unfair disadvantage if they don’t already own their own equipment or as an undesirable personal expense if they are willing to settle for company-supplied equipment but the company strongly encourages employees to purchase their own equipment
  • IT staff may be required to support an increasingly complex user base with a growing variety of equipment and applications

Security is a major concern depending on the extent to which BYOD access is permitted, for example:

  • Allowing use of available networks for personal Internet use
  • Downloading corporate data onto a personal device for working off-site
  • Connecting to the corporate network for accessing or manipulating corporate data
  • Connecting to the corporate network from off-site
  • Exposing employees’ devices to unprotected Wi-Fi and easily downloadable application software. This becomes a corporate concern when these devices may be used in the workplace or connected to the corporate network

The costs would involve several factors including:

  • Developing and maintaining the company’s list of devices acceptable to its BYOD program
  • Identification of security risks from all BYOD devices on the list
  • IT and user implementation of practices to mitigate these risks
  • IT management of all acceptable devices’ security features
  • Monitoring employee equipment to ensure that all BYOD policies are being observed. Deviation from policies on equipment content and capabilities may require determining whether it is unintended or intentional and taking appropriate action

The 2012-04 release of Information Technology PolicyPro (ITPP) introduces Chapter 14 – Mobile Device Management. The first six policies will deal with the trend of “BYOD” or “bring your own device” in a corporate computing environment. This release includes three policies:

  • SPP IT 14.01 – BYOD: Acceptable Devices and Operating Systems
  • SPP IT 14.02 – BYOD: Systems Access and Acceptable Use
  • SPP IT 14.03 – Security for BYOD Devices

Steve Goldwasser, B.Sc.
Co-author of Information Technology PolicyPro
Published by First Reference Inc.
