The Updated 2018 CTO and CIO Guide to BYOD Strategy
The BYOD (‘Bring Your Own Device’) trend fundamentally impacts everyone in a company from Board members all the way through to contract staff. As device usage and IT consumerization has proliferated, BYOD definitions and policies have now been expanded to include BYOP (‘bring your own phone’), BYOPC (‘bring your own personal computer’) and most recently BYOT (‘bring your own technology’). At various points in the last five years it has been described as a ‘win-win’ for employees and staff alike, a ‘disaster scenario’, a legal quagmire and even an intangible benefit in kind for employees.
Modern day workforces and increasingly global supply chain logistics are two of many factors which have exacerbated the BYOD trend: there is an increasing expectation that employees will either be able to work remotely or be available to work remotely if business needs dictate. The most recent studies seem to point to similar conclusions: “use of mobile devices is essentially mandatory.”
One thing is for sure: with such a widespread impact on corporate stakeholders, Chief Technology Officers and IT Architects are under more scrutiny than ever when it comes to BYOD strategy, policy, implementation and compliance.
Why Implement BYOD?
Against this backdrop of globalisation and increased mobile device usage, there are a number of strategically desirable reasons to implement BYOD within a business.
Many Employees Are More Comfortable Using Their Own Device
A range of research has been undertaken around employee efficiencies working within a BYOD as opposed to an Employee Provided Device (‘EPD’) environment. There is a consistency in the findings over the last five or so years: employees feel more efficient, not least because they are using devices with which they are familiar. From their perspective, they have daily access to a range of mobile or tablet devices which are able to perform work tasks as well as the archetypal office desktop.
As the BYOD landscape has matured into BYOT employees are exposed to many daily personal and work communication channels across a range of devices including:
- personal emails
- work email
- mobile phone
- push notifications
- social media direct messaging
Channelling key work communications to as few devices as possible is therefore a strategic advantage for many mid-sized and large corporations looking for ways to increase end-user productivity and responsiveness.
Streamlining Communication Channels Helps Employees
In addition to the familiarity argument, employees often benefit from having their work routines made simple. This is especially the case with many aspects of the IT they need to use.
Streamlining work communications into as few channels and devices as practicable enables employees to manage their workflow better, increase responsiveness and ultimately improve efficiency.
Employees Value Freedom of Choice
Many of the world’s leading companies have taken steps to investigate and formulate cutting edge HR policy around staff recruitment and retention. Workplace flexibility has been a central consideration in these initiatives.
Employees generally value the freedom to work in different venues with conventional norms of a ‘nine to five’ workday being challenged on a number of levels. In this context, adopting a company BYOD policy in your workplace can increase the flexibility you have to appeal to a wider array of talent.
Better Integrate Remote Workers
Whilst many corporations are experiencing an increase in remote workers within their staff, some industries have always had a large remote workforce and will continue to do so long into the future. BYOD considerations are key drivers for such businesses, and the decision to adopt a BYOD policy has been shown to integrate remote workers in an effective manner.
Reduce Device Acquisition Budget Requirements
One of the most measurable benefits of adopting BYOD is the cost saving associated with device acquisition, maintenance and upgrade costs. Whilst the financial picture is somewhat more complex than this (for example, costs associated with stipends and, for the unprepared, hidden risks around endpoint security), from a cash flow and budgetary perspective there is an advantage to the BYOD model in many cases.
Improve IT Upgrades, Updates and Maintenance Protocols
One of the most resource-intensive aspects of not having a BYOD management model in place is the need to ensure that devices provided by the company are maintained and updated. The pace of technology makes it impractical for most companies to invest in up to date versions of all employee provided devices, and this makes updates and maintenance even more pressing.
Operating a BYOD model enables the individual to procure the latest devices if this is what they want to work with. They can of course work with older devices if this is their preference, and in these cases a detailed BYOD policy should cover off employee responsibilities pertaining to keeping the device secure and up to date. Additionally, any update or maintenance compliance is effectively outsourced to the employee and therefore in many cases reduced or eliminated.
Improve Employee Onboarding and Exit Processes
Mobile network management is often complicated when employees join or leave a company. This is especially the case when the devices being used to access sensitive company data are employee provided.
An efficient BYOD laptop policy and broader device policy makes the onboarding and exit processes for employees simple and seamless.
Leverage Cloud-Based Solutions
In extensive research, 90% of companies stated that they make use of cloud technology, with just under half of all respondents citing cloud solutions as a main or sole strategy.
One of the benefits of BYOD is the fact that it is inherently compatible with cloud based technology. In many cases, adopting a BYOD strategy effectively empowers a workforce to access and use advanced online resources and tools even when they are not in the workplace.
Developing a BYOD strategy
There are a number of critical steps CTOs and CIOs tend to follow when looking at updating, developing or rolling out a BYOD policy.
1. Steering Group Selection
One of the most important steps to rolling out a successful BYOD policy is to plan with an effective cross-section of stakeholders involved at the ideation stage. Ideally, the team will be small but focused and comprising back office (SysAdmin, cyber security, HR, Finance) and front office (Sales and client facing members) employees.
2. BYOD goals
The team need to be given effective frames of reference, which align the concepts of BYOD with overall business aims, targets and culture. It is very easy for steering groups to go off on a tangent which runs counter to the overall company aims around BYOD, and these potential segues should be identified and eliminated at the outset.
3. Company Interpretation of Contemporary Usage
For the steering group to function effectively, it needs to research and understand how BYOD is being used by companies not just matching the profile of where they themselves work, but also in other industries and contexts. In this way, effective cross-pollination of ideas can be assimilated and fed into the BYOD strategy at the design phase rather than as an afterthought. With this in mind, it would be wise to involve the company legal team at the outset as appropriate NDAs and other legal documentation may be required.
4. Company Policy Landmarks
With the research completed and the steering group now in operation, broad landmarks around the strategy BYOD policy document should be formed. There does not need to be 100% agreement around every area, but it is important that there is consensus over the critical success factors of the policy.
For example, if one of the fundamental principles of the BYOD strategy was that employees would only be reimbursed up to a certain amount per month, and at the same time was not flexible enough to cover employees who spent lots of time abroad incurring higher roaming charges, then the policy landmark would be unlikely to secure consensus at this stage. As CTO or CIO you should see this as a red flag which needs further consideration.
5. Company Risk Profile
Any BYOD strategy needs to be congruent with the company’s overall appetite for risk. A B2C life insurance company in Manhattan, for example, is not going to consider acceptable the same policy landmarks as a B2B Silicon Valley start-up with a growing mid-cap client base. The steering team needs to have guidance and clarity of where on the spectrum the company’s risk profile is. Unambiguous documentation with exemplar content helps to ensure this is the case.
6. Strategy Straw Man
The steering team can now work on getting an outline, or ‘straw man’, policy put together. The straw man policy will not be in any way comprehensive, but it will typically be a working document of the main landmarks and frames of reference, together with the time energy and resources needed within the company to make the policy operational.
7. Transition from Straw Man to Full Documents
Once approved by the CIO, CTO and, if appropriate, more broadly at Board level, the next stage is to build out the policy so that it is fit for purpose and ready for implementation. This is probably the most complex stage of the project given the need for various stakeholders to reach consensus around what will and will not work for them.
8. Processes and Risk Management
The company’s processes and other risk management documentation outside IT will likely be impacted by a new or refined BYOD strategy. This is especially the case where contractors are involved or where other external legislation and regulations such as GDPR, PCI or HIPAA are applicable. These policies should be re-evaluated and updated so that they align with the BYOD policy.
9. Rollout, Feedback and Review
The policy is now at a stage where it can be rolled out. Stakeholders and those accountable will all know who is responsible for each element and the time, energy and resources needed by them to ensure the policy is correctly implemented and maintained. In order to achieve this, educating the workforce on the policy is key and the policy should be integrated into existing training and coaching programmes. Set meetings should be organized to ensure that appropriate feedback from the steering group and the wider company is obtained. The policy should be monitored and reviewed at intervals to ensure that it is working for the business.
There are also a number of problematic areas which should be considered and addressed in the context of the specific business environment. These include:
Minimum Device Requirements
On an operational level, many businesses realize how important minimum device requirements are in their BYOD policy. But the devil is in the detail, and strategically it is often the case that two issues arise:
- Minimum requirements are in place but not sufficiently clear to the workforce.
- Failure to focus on one or more critical areas needed to make the BYOD policy robust.
Any BYOD policy needs to be formulated with these potential blind spots in mind.
Critical but often overlooked areas to focus on when defining minimum device requirements include:
- operating systems currently and historically used by the device and the support of those operating systems (Win 7 extended support ends Jan 14th 2020);
- specifics around the hardware being used (including flash drives and other ancillary remote storage), and;
- mobile device management applications.
Device Follow Up Policy
Corporations with significant workforces make it very challenging to monitor ongoing device status. From a strategic perspective, a thorough device follow up policy is essential if the BYOD policy factors in stipends or other reimbursement costs.
Without one, a blind spot occurs and business expenditure often ends up allocated to devices which are no longer in live, active use.
In the last few years apps have become part of the fabric of many iPad, iPhone, Mac and Android devices. The vast majority of third party apps are downloaded from reputable sources such as the App Store but there have been problematic discoveries on even the most regulated of platforms.
Many companies offer stipends or other reimbursement plans to employees who are using their own devices either in the workplace or remotely. In most cases, this is in order to offset employee costs associated with internet access and data plans.
CTOs developing BYOD strategy need to consider two main factors carefully:
- The costs of stipends and other reimbursement expenditure, both on an ongoing basis and year on year. It is easy to be seduced by the attraction of BYOD because of the initial cost savings associated with not having to provide hardware of upgraded devices to employees. However, it is also easy to see this saving offset and even overtaken by ongoing reimbursement costs. The year on year analysis is especially critical as a means of predicting and managing imminent spikes in reimbursement costs.
- The importance of an effective threshold monitoring system. BYOD policies often include ‘staged’ or threshold reimbursement plans where employees are reimbursed after exceeding data thresholds. Companies operating BYOD should be able to monitor monthly and, if business needs demand, daily exposure from employees close to data usage thresholds.
Various ‘Mobile Device Management’ (MDM) solutions can enable this tracking and the right fit for the company should be researched and implemented. This may involve the creation of a separate Mobile Device Management Policy, depending on business needs. Traditionally, MDM policies have tended to focus on security but our flagship product, ThinKiosk, enables comprehensive endpoint security without the need for separate MDM solutions.
Many companies have become wary around allowing employees to choose their own passwords for devices. But there still seems to be a blindspot around renewing passwords, including (but not exclusively):
- How often passwords need to be reset.
- Who is responsible for choosing renewed passwords.
- How and where password information can be stored.
These considerations should also be factored in to any BYOD policy.
BYOD: Security Risks and Considerations
Against the above backdrop of BYOD policy specifics, there are of course more general risk management considerations which extend beyond BYOD but which are also extremely important to BYOD policy best practices. These include:
Risk of Data Exposure
One of the major potential issues with any BYOD strategy is the risk that data could be leaked or exposed. There are many ways this can happen, ranging from occasional family’s or friends’ use of devices containing corporate data all the way through the device theft and even rogue employee actions. Any BYOD strategy needs to factor in all conceivable ways data could be leaked either unintentionally or deliberately, with appropriate risk management measures in each case.
Whilst secure servers (SSL) are becoming the standard across the internet, many websites are still lagging behind when it comes to secure servers. At the time of publication, just over 1.1million websites in the US had SSL installed, which is nowhere near the many hundreds of millions of US websites.
Employees may therefore find themselves accessing content on non-secure devices more frequently than they realise.
Hardware and Software Vulnerabilities
Under BYOD, companies do not own employee used devices. This means that drivers, apps or other software and hardware can be routinely out of date. This introduces various vulnerability risks that any BYOD device policy will need to define and manage.
Corporate and Personal Data Conflation
One of the more insidious risks for CTOs and CIOs when it comes to BYOD is the inevitable mix of corporate and personal data. Employees might save some sensitive data on their personal Google Drive in order to ‘work from home in the evening’. There is always a temptation to email oneself with documents for ease of reference. These and many other behaviour traits can all lead to corporate risk when it comes to sensitive data.
Personal devices are often not backed up effectively. This opens up the risk of potentially significant data loss in the event of device failure or even the employee losing the device. From a strategic perspective, this risk should be considered very carefully and appropriate risk management procedures put in place.
Effectiveness of IT infrastructure and Privacy Issues
In order for BYOD to work, company IT infrastructure is required which can access device data. In some cases, this can be perceived as an invasion of privacy by employees. When devising, reviewing or implementing a BYOD strategy care should be taken to ensure that all stakeholders - including employees - have sufficient buy in to make the policy work practically.
ThinKiosk: A BYOD Solution
ThinScale’s flagship product, ThinKiosk, was developed as a Windows-based solution to many of the concerns around BYOD. It enables IT departments to ensure device and data security.
With ThinKiosk employees no longer need to be concerned about employers taking control of their computers or monitoring their personal content by installing intrusive agents.
With the Enterprise Plus Edition of ThinKiosk comes Secure Remote Worker.
Secure Remote Worker, when enabled, allows the end user to maintain full access to their local PC, so when they logon, they still have a start menu and full access to their resources and applications.
However, when ThinKiosk is launched the end user switches to Secure Remote Worker, the PC is placed into “worker” mode whereby lockdown policies are applied, Windows Explorer is removed and the ThinKiosk workspace user interface is launched.
At this point the user can only access their approved work environment and the ability to pass or transfer information or data to the personal machine or indeed a USB device does not exist.
When Secure Remote Worker is switched off ThinKiosk is closed, all of the device restrictions are lifted and the end user has full control of the local PC again.
We would be delighted to discuss any aspect of the above. Please contact us here and we will get back to you to investigate how ThinKiosk can serve your BYOD needs.