By Rich Campagna, CMO, Bitglass
The rise of bring your own device (BYOD) initiatives throughout the business world has been emphatic in recent years, and it’s easy to see why. Not only does it help to reduce IT costs and improve agility for businesses, it allows employees to access corporate data from any location, at any time, from devices they are already familiar with. BYOD initiatives are also increasingly being seen as a key factor in employee satisfaction, helping improve staff retention.
However, implementing and maintaining a BYOD policy can also be an extremely challenging endeavour, with far-reaching implications for the security of a business and its data if not properly addressed from the outset. Below are three of the main challenges facing any organisation thinking of taking the BYOD path:
The shadow IT challenge
One of the major side effects of BYOD tends to be a significant rise in shadow IT within an organisation. Shadow IT is the term used to describe the use of unsanctioned cloud applications and resources within the business IT environment. Bringing personal devices into any work environment makes it far more likely that employees will eschew official business IT applications in favour of the ones they prefer to use at home. While employees may like this, it can quickly result in a loss of control for employers, leaving sensitive business emails and file attachments residing on unmanaged/unsecured applications and devices. Under new regulations, such as the incoming General Data Protection Regulation (GDPR), this will be completely unacceptable and leave businesses exposed to hefty fines if caught out.
Allaying privacy concerns amongst employees
Another key issue associated with BYOD is employee apprehension around privacy. Many workers using personal devices in a work environment are quite rightly concerned about how much of their personal data employers can see. However, whilst these privacy concerns are absolutely legitimate, employers need to ensure sensitive business data is secure no matter where it resides. As such, striking the right balance between protecting data across all endpoints and maintaining employee privacy is critical.
In light of this, appropriate BYOD policies must be put in place, with due consideration given to which types of devices and people can access which kinds of corporate data. Security can then be tailored accordingly, rather than trying to enforce a one-size-fits-all approach. Among other things, the policy must also include robust exit policies for outgoing employees who use their personal devices for work. Even with such policies in place, a small minority of employees are still unlikely to comply, particularly if the policies are deemed to be inconvenient or inefficient. In these situations, further education and training are usually required to reinforce the importance of personal responsibility (and the dangers of shadow IT) as part of an effective BYOD initiative.
Picking suitable security solutions
The majority of organisations new to BYOD tend to default to mobile device management (MDM) as a catch-all security solution. On one hand, MDM ensures security requirements are met, updates are installed regularly, unsecured Wi-Fi connections are rejected, and unsanctioned apps are unable to access company data. However, on the other hand, MDM tools require the installation of an agent on every employee’s personal device, which not only impacts device performance, but grants visibility into employees’ personal information. As described above, this invasion of privacy is exactly the kind of reason that employees reject BYOD policy and turn to shadow IT solutions.
Fortunately, there are now a variety of alternative solutions to MDM that are just as secure but don’t compromise employee privacy. These new solutions are data-centric, or agentless, which means they don’t require harmful software installations and they only monitor corporate data on the employee’s device, not personal information. As a result, agentless BYOD solutions are quickly gaining momentum as more organisations realise they can secure their data without compromising the privacy or satisfaction of their employees at the same time.
BYOD is fast becoming an integral part of the business world thanks to the flexibility and agility it delivers to those who embrace it. However, success hinges on the ability to implement a BYOD policy that successfully balances organisational security needs with the privacy rights of employees. While legacy MDM solutions were (and still are) too draconian in nature, the new breed of agentless solutions can deliver that balance, ensuring sensitive data is protected regardless of where it is, without compromising privacy or pushing employees towards the use of shadow IT.