JOnline: BYOD in the Enterprise—A Holistic Approach 

 

The latest trends in IT are endeavoring to make it a remote, agile, flexible and scalable resource. With the advent of cloud, virtualization, remote infrastructures and an increasingly mobile workforce, the world of IT is increasingly becoming consumer-driven.

Consumerization has brought with it a path-breaking yet potentially disruptive concept—bring your own device (BYOD). BYOD allows IT’s customers to use their own devices, such as tablets, smartphones and laptops, and mobile applications to enable business services. It enables the organization’s staff members (operations/field staff and business users) to connect to the organization’s network and access official data on their personal devices.

While organizations view this initiative as a strategy for cost reduction and productivity enhancement, IT departments and security gurus argue that it poses a potential threat to the organization’s control over its data, making it highly vulnerable to security threats, and drastically increases the scope of support due to the vast expanse of devices, platforms and applications that are used. Thus, it is important to bring consensus and adopt a hybrid approach for framing an effective BYOD policy with minimal and clearly documented risks.

This article provides insights on BYOD, its implication to IT and how organizations need to approach and adopt it.

BYOD Industry Speak

Widespread BYOD adoption is fueled primarily by technology trends and advancements, such as the proliferation of smartphones and tablets, newer platforms (e.g., Windows Metro, iOS, Android), app stores, app streaming and storage in the cloud, desktop and application virtualization, and changing employee preferences (those who find it more convenient to use their private devices for personal as well as professional use). Gartner has predicted that by 2014, approximately 1 billion smartphones and tablets will be sold globally and 90 percent of organizations will support corporate applications on personal devices.1, 2 In a recent report, Forrester revealed that around 60 percent of organizations in the US already permit BYOD.3 Aruba interviewed IT professionals working for 130 hospitals and found that 85 percent of hospitals are providing access to physicians and staff through personal mobile devices.4 Good Technology, in a survey of companies in different segments, found that, among the total number of organizations surveyed across industries, 72 percent of organizations currently support BYOD (figure 1), and across the industries surveyed, the finance/insurance industry has the highest rates of BYOD adoption at 35 percent (figure 2).5

Figure 1
Figure 2

These studies show that organizations across various industry domains are adopting BYOD, albeit at different levels. It is too early to predict what key factors are driving the levels of BYOD adoption. Organizational strategy, budgets, type of IT infrastructure in place, business growth, field user levels, technical support capabilities, resource scalability and business confidence in IT are some of the common considerations to BYOD adoption, irrespective of the industry.

Advantages of BYOD

BYOD envisages a win-win situation for organizations as well as employees, given a policy is framed carefully addressing critical success factors and risk. BYOD offers numerous advantages over traditional IT including:

  • Asset management—A well-managed BYOD environment may reduce the load on asset management, because the asset management team need not record employee-owned assets in the detail required for company-owned assets. For example, for a company-owned laptop the asset management repository must hold all the hardware details (e.g., RAM, hard drive), OS, installed licensed software and support-related details, whereas for an employee-owned laptop the repository may omit the hardware and OS details because the organization is not responsible for hardware or OS upgrades. This can save asset management time and effort.
  • Cost advantages—Cost reduction is achieved by offloading device procurement, maintenance and data plan charges to the employee. Citrix Systems is one such organization that has realized remarkable savings over three years. IT had been investing approximately US $2,600 for the procurement and support costs of notebooks, and after BYOD implementation, it pays US $2,100 in stipends to its employees to buy and use a notebook without the responsibility of device support. The net gain works out to US $500 in savings per device over three years.6
  • Employee satisfaction—BYOD brings with it flexibility, familiarity, anytime and anywhere access, and connectivity. This results in a mobile and flexible workforce and higher productivity. Aberdeen Group found that among the top 20 percent of firms implementing BYOD, there was a 90 percent success rate of critical information availability within the necessary time frame—a 42 percent year-on-year improvement.7 Since most employees/consumers prefer devices with updated technology, BYOD also brings with it the benefits of the latest features and a superior user experience. According to the Aruba survey, 58 percent of the hospitals surveyed use virtualization to access applications on tablets.8
  • Efficiency—BYOD can improve business process productivity by eliminating paper-based, manual or onsite requirements for dispatch, inventory management and helpdesk support. Unisys Corp. has realized a cost savings of US $50,000 in licensing costs and the autoprovisioning process (built in-house) reduced help desk calls by US $1,000.9

There are also environmental benefits to BYOD: optimum hardware utilization and a reduced carbon footprint by usage of the same device for personal and work use.

Challenges of BYOD

Chief information officers (CIOs) face a number of challenges around device control, data security, consistency of delivery, platform/device selection and support creep in a BYOD environment. The catch is to ensure that user experience is unaffected while addressing the following challenges.

Security and Compliance
BYOD may expose the organization’s data to misuse, theft and vulnerabilities. Due to the ability of devices to interconnect and share resources, access to the corporate network is possible for a nonauthenticated device tethered to an authenticated device. Data breaches may also happen if the device gets stolen or lost. It is also possible that data can be transferred or shared through social media, local or personal file and cloud storage, webmail, instant messaging, and other communication channels. This puts confidential data at risk if device usage is not monitored.

Since a BYOD environment offers more flexibility to employees in terms of how the device is used, which apps and software are installed, when to install new updates and so forth, this practice may lead to devices being more vulnerable to attacks compared to organization-owned devices, on which the organization may put restricted policies on all the previously mentioned activities.

BYOD opens up doors to virus and malware injection into the corporate network. An infected user device that was previously connected to an insecure network may expose the corporate network to unexpected security attacks. Thus, firewalls and intrusion-prevention techniques are essential for smartphones and every other device that connects to the corporate network.

Regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the US Health Insurance Portability and Accountability Act (HIPAA) or the US Gramm-Leach-Bliley Act (GLBA), which mandate safeguarding of data and specify certain rules pertaining to information usage and security, have to be considered before implementing BYOD. According to the requirements of PCI DSS, all devices used in processing payment card transactions must implement encryption and passcode protection. Similarly, the US Health Information Technology for Economic and Clinical Health (HITECH) Act states that health care organizations are accountable for:

  • The confidentiality, integrity and availability of the electronic protected health information (ePHI) of their patients
  • Maintaining a record of disclosure of patient’s PHI, failing which they may incur financial penalties in the case of data breaches
  • Ensuring that patients know who has accessed their PHI records and when

Network/Support Capability and Platform Compatibility
BYOD can result in a plethora of additional devices being supported by the IT infrastructure and staff. If BYOD is implemented without having enough staff with the required skill sets and clearly defined boundaries for scope in place, BYOD adoption levels, user satisfaction and user productivity will decrease. New skill sets will also be required for the service desk, application development and maintenance teams because they will no longer be developing apps for a single environment. Applications and their security must be customized to support different platforms across diverse devices. Mobile device management (MDM) is an essential component of BYOD operations, but there are no commercial off-the-shelf (COTS) solutions for MDM that work on every platform. Network upgrades may be needed to support the increased number of devices.

Financials
A BYOD setup appears to be cost-effective initially as capital expenditure (CAPEX) costs are reduced because of user ownership of the device. However, it may be neutralized by the cost involved in other areas such as planning, implementation, operations and scalability. Hence, realization of cost benefits should be expected over a longer term.

Operational expenditure (OPEX) may increase as users may prefer individual data plans that may be more expensive than company-provided plans, which have the benefit of corporate leases in bulk for telecom services. Also, in the case of company-owned devices, organizations can leverage volume discounts from device manufacturers. BYOD negates those benefits as well.

OPEX may also be higher due to the requirement of telecom expense management (TEM) to track investment and costs in the mobility space. In a non-BYOD setup, TEM is addressed by the telecom service providers.

Another consideration for financials is additional support costs, as development of capabilities on newer platforms and technology will require training and skill upgrades. Additionally, employee awareness programs, program/project management, compliance and infrastructure upgrades are other prominent items on BYOD expense sheets.

Employee Privacy
The IT department’s level of control over a privately owned device may conflict with the employee’s user experience. Defining the boundaries of corporate control over the data residing on personal devices is a major issue. There may be cases where the employee’s personal information is lost due to remote wiping.

In a survey conducted by Trend Micro, 91 percent of employees did not want employers to control their devices in order to access corporate applications, while nearly 80 percent of organizations believed in their need to have authority or control over devices through MDM mechanisms.10

There are also legal aspects regarding device usage in case of a shared environment, such as BYOD, where usage is hybrid with a mix of work-related and personal activities. For example, an employee can install an unlicensed application or access objectionable content that would not have been accessible on an organization-provided device. Such risk factors mandate that an agreement be signed between the employee and the organization to cover the liabilities pertaining to ownership and activities.

Keys to Success with BYOD

An effective BYOD program should strike a balance between user-centric and device-centric strategies. Stakeholders, including customers, organizational functions (such as IT, human resources, sales, legal and marketing), leadership and the executive board, have to be involved in policy framing to avoid loopholes and ambiguity.

In the interest of the previously mentioned stakeholders, the keys to success include:

  • Define a clear and inclusive BYOD policy—A clear and crisp BYOD policy must be carefully crafted to ensure that the BYOD program remains sustainable over a period of time. Organizations should not fall into the trap of defining a rigid policy. To be sustainable, the policy must meet the requirements of both IT and users, for example:
    • Secure sensitive and proprietary corporate data.
    • Minimize overall asset ownership cost.
    • Ensure that the user experience is not compromised.
    • Allow mandatory updates, nondisruptive upgrades and technological innovation.

    IT departments often emphasize the first two requirements, but it is of utmost importance that the last two be also focused on as they are key to sustaining employees’ interest in the BYOD program over the longer term. If the BYOD policy compromises the user experience, employees will find ways to work around it or drop out of the program, thereby defeating the purpose of having a BYOD policy.
  • Focus on securing data-in-transit and data-at-rest—The ability of smartphones and tablets to connect to the organization’s intranet through public Wi-Fi and mobile networks, which are more prone to security attacks as compared to the organization’s LAN, mandates the need for specific controls to protect data-in-transit. The following are techniques that organizations can consider for securing data-in-transit:
    • Encrypt data transmission between the device and the corporate network through a Secure Sockets Layer (SSL) virtual private network (VPN). For example, a VPN client named Junos Pulse was implemented to provide secure remote access (SSL VPN) for mobile devices to connect to the Unisys Juniper infrastructure (intranet).11
    • Create and deploy user identification/device certificates to quickly and easily provide users with secure access to corporate resources.

    Most smartphones and tablets support VPN for allowing a secure connection to the corporate network, protecting data-in-transit, but do not secure the information stored on the device—data-at-rest. In the case of organization-owned devices issued to an employee, the organization has a number of controls in place such as encrypting data on the device, applying security patches and monitoring device usage. These dictate devices’ compliance with the organization’s security policy and enable secure connectivity to the organization’s network. However, on employee-owned devices, the ability to implement these controls is restricted. When it comes to protecting data-at-rest, most mobile devices either do not have device encryption or the encryption can be bypassed easily by jailbreaking or rooting the device. A Harris Interactive survey commissioned by ESET revealed that 33 percent of those surveyed agreed that the company data on their personal devices were not encrypted and another 33 percent did not know if they were encrypted, meaning that as few as one-third of people are encrypting company data on their personal devices.12 To overcome these challenges, the organization should consider implementing compensating controls to protect the data-at-rest and, in turn, reduce the security risk to an acceptable level.

    The following are examples of compensating controls that organizations should consider:
    • iOS jailbreak or Android rooting detection is implemented so that compromised devices are identified and denied access to corporate data.
    • Secure container segregates the storage area for corporate and personal data on users’ mobile phones, smartphones and tablets. The device integrity (which ensures that it is not affected by malware or viruses) is checked before the containers start, which reduces the risk to corporate data. Also, the container with the corporate data can be independently wiped without accidentally wiping the employee’s personal content.
    • The ability to remotely wipe corporate data is mandated in a BYOD environment, and apps such as 3CX Mobile Device Manager, Mobile Defense, Android Lost, Mobile Me and Google apps must be considered.
  • Ensure compliance—Organizations must ensure that BYOD implementation is carried out in alignment with legal, regulatory and organizational standards. In consideration of these, a tracking mechanism has to be implemented to record the email details (i.e., the sender, recipient, time stamp, content) for purposes of legal e-discovery and regulatory compliance. For example, ePHI and confidential data sharing need to be handled through secure channels and the entire information life cycle (for email, data and documents) needs to be documented with security implications and maintenance procedures and audit trails enabled where required. This is reflected in the Aruba survey in which IT teams working in hospitals say that only 24 percent of hospitals that have implemented BYOD provide at least limited access to hospital applications and patient data.13

    BYOD should be an integral part of the enterprisewide risk-assessment initiative, identifying opportunities and threats, and a risk management strategy must be in place for it. Policies must be in place for asset management (to track access), configuration management, patch management, access management and security audits. Employees must be trained regularly on information security policies, and a strong password policy must be in place. IT controls like secure texting can be used to take care of security issues, since these messages are on a closed network and can be deleted by the hospital or concerned authority, or can be set to delete automatically. Devices and the network should be updated with the latest security patches; device integrity should be continually monitored; and data and application privacy, protection and entitlement should be enforced and monitored to prevent hacking and malicious attacks.
  • Develop and manage a list of supported platforms and devices—The primary driver behind BYOD is that employees prefer their personal devices to those provided by their organization. A study conducted by Dimensional Research revealed that 87 percent of employees use their personal devices for work-related purposes.14 The most common example may be an employee who has an organization-issued device for work and a different type of personal device and would prefer to carry only one device instead of two. However, in today’s world where consumer preferences shift frequently and the devices and apps landscape keeps evolving, employee freedom on device selection should be carefully thought out.

    IT must also develop a list of supported devices and platforms and allow employees to use any device as long as it is on that list. IT should work to update this list continually, adding new devices and platforms. The BYOD policy should clearly state that any employee-owned device should be set up for business use before getting access and should be registered as a user’s official device. This typically means that the IT group prepares the device for business use by:
    • Enabling security features and MDM to implement security policies
    • Enabling corporate network and data access
    • Installing business applications
    • Segregating business and personal data
  • Equip the staff—The IT teams in place (developers and support) to partner with the business must be trained on new technologies and platforms (e.g., iOS, Android, Metro, Symbian, Blackberry) to effectively support BYOD. A continual service improvement (CSI) program should be in place for IT personnel to assess their current skills, roll out training in required areas, encourage improvement initiatives and reward excellence (figure 3).
  • Consider investing in mobile apps development—BYOD causes a shift in the way applications are developed and delivered, as organizations have to develop applications for multiple environments. An organization app store is a critical step toward gaining more operational control over the application environment. Organizations must plan to have a unified delivery method for apps, as development across multiple platforms results in huge CAPEX and increased operational complexities. Custom applications should be distributed through an organization app store. There must be a facility to identify, segregate and secure critical business apps by using a VPN-like tunnel (i.e., mobile app tunnel). Malicious apps should be blocked via a mobile app lock that detects the security vulnerabilities associated with a particular app by testing the application for security threats during runtime.

    Web browser delivery using HTML5 coding allows a single app to be supported across multiple devices and platforms. As far as software development languages are concerned, HTML5 offers advantages such as cross-platform compatibility, offline storage and synchronization. Concerns such as inconsistent compatibility with different devices and browser memory management have to be considered before adopting BYOD.

    User experience can also be enhanced by using technologies such as Responsive Web Design, which adapts the layout to the viewing environment using techniques including flexible grids, flexible images and cascading style sheets (CSS) media queries.

    Although these are not perfect solutions, they do provide an alternative to the high costs and increased development windows for building individual native apps for each device and platform.
  • Ensure that corporate network infrastructure is capable of meeting BYOD demands—An increased number of employee-owned smartphones and tablets getting connected to the corporate network through BYOD makes it imperative for organizations to be proactive in addressing potential bandwidth and security issues. A separate guest wireless network can serve as the enrollment network for employee-owned devices. After enrollment, the MDM solution should automatically evaluate the device against the defined policies and assign its privileges and restrictions (access to company email, Wi-Fi and VPN configurations). Devices that do not comply with the security policy should be blocked.
  • Include decommissioning as part of BYOD policy—A significant issue arises when it comes to ownership of the device when employees change or lose their device or leave the organization, and assumes even more significance when an employee moves to a competitor organization. There should be a formal decommissioning procedure defined to facilitate a smooth exit for employees and/or devices leaving the organization, or the company runs the risk of sensitive proprietary data being compromised. An agreement should be signed between the organization and the employee that allows for wiping the complete device, including personal and corporate data, in the case of a lost device. Automatic wiping can be enabled after a number of failed login attempts, and auto-lock can be activated after long periods of inactivity.

    The organization should also develop a process about which business data or apps are to be removed or revoked upon employee departure. The organization could follow a semi-wipe option which would leave the employees with their personal information intact while wiping the business data.
  • Use an affirmative contract for policy agreement—The agreement between employee and organization should be equivalent to an affirmative contract. Both parties must assume accountability over the knowledge of what is in that contract, thereby ensuring no ambiguity in understanding. End users should be assessed on their knowledge of the BYOD usage policy and must sign the affirmation periodically (e.g., twice yearly). The user agreement should include clauses around the following at a minimum:
    • Data wiping to prevent data misuse in case of lost/stolen devices
    • Data access and camera use to prevent illegal/prohibited access and data sharing
    • Email and social media usage
    • Confidential/sensitive data-handling procedures
    • Triggers for reporting data theft and misuse
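
The enrollment evaluation described under the supported-platform list and the network-infrastructure key above, as an added example in Python that is not from the article or from any MDM product: the rules encode the article's controls (supported platform list, registration, MDM profile, passcode and encryption, jailbreak/root detection, patch level), block noncompliant devices with the reasons recorded, and grant a moderately outdated device limited access (email only) until it is patched. Platform versions, thresholds and the sample devices are constructed values.

```python
"""BYOD enrollment: automated compliance evaluation and entitlement assignment.

Added example, not from the article or any MDM product. Hard failures
block the device; a moderately stale patch level grants limited access
until remediated; everything else receives full entitlements.
Platform versions, thresholds and sample devices are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Supported platform list: minimum OS version per platform (assumed values).
SUPPORTED_PLATFORMS: Dict[str, Tuple[int, int]] = {
    "ios": (7, 0),
    "android": (4, 4),
}
PATCH_WARN_DAYS = 30    # older than this: limited access until patched (assumption)
PATCH_BLOCK_DAYS = 60   # older than this: blocked (assumption)


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str
    os_version: Tuple[int, int]
    registered: bool          # registered as the user's official device
    mdm_enrolled: bool        # MDM profile present so policy can be enforced
    passcode_set: bool
    storage_encrypted: bool   # data-at-rest protection
    compromised: bool         # jailbreak (iOS) or root (Android) detected
    patch_age_days: int


@dataclass
class Decision:
    status: str                                   # "full", "limited" or "blocked"
    entitlements: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def evaluate(device: Device) -> Decision:
    """Apply the policy to one device and return the access decision."""
    hard: List[str] = []
    soft: List[str] = []

    minimum = SUPPORTED_PLATFORMS.get(device.platform)
    if minimum is None:
        hard.append(f"platform '{device.platform}' not on supported list")
    elif device.os_version < minimum:
        hard.append(f"OS {device.os_version} below minimum {minimum}")
    if not device.registered:
        hard.append("device not registered as the user's official device")
    if not device.mdm_enrolled:
        hard.append("MDM profile not installed")
    if device.compromised:
        hard.append("jailbreak/root detected")
    if not device.passcode_set:
        hard.append("no passcode configured")
    if not device.storage_encrypted:
        hard.append("storage not encrypted")
    if device.patch_age_days > PATCH_BLOCK_DAYS:
        hard.append(f"patch level {device.patch_age_days} days old")
    elif device.patch_age_days > PATCH_WARN_DAYS:
        soft.append(f"patch level {device.patch_age_days} days old; update required")

    if hard:
        return Decision("blocked", [], hard)
    if soft:
        # Limited access: email only until the device is brought up to date.
        return Decision("limited", ["email"], soft)
    return Decision("full", ["email", "wifi", "vpn"], [])


def evaluate_all(devices: List[Device]) -> Dict[str, Decision]:
    """Evaluate a batch of enrollment requests keyed by device id."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample enrollment requests.
SAMPLE_DEVICES = [
    Device("ip-01", "alice", "ios", (7, 1), True, True, True, True, False, 10),
    Device("an-02", "bob", "android", (4, 4), True, True, True, True, True, 5),
    Device("ip-03", "carol", "ios", (7, 0), True, True, True, True, False, 45),
    Device("wp-04", "dave", "windowsphone", (8, 0), True, False, True, True, False, 3),
]

if __name__ == "__main__":
    for device_id, decision in evaluate_all(SAMPLE_DEVICES).items():
        print(device_id, decision.status, decision.entitlements, decision.reasons)
```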

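The decommissioning controls from the list above (a secure container so that corporate data can be wiped on departure while personal data stays intact, a full wipe for a lost device only where the signed agreement allows it, automatic wiping after repeated failed unlock attempts, and auto-lock on inactivity), as an added example in Python that is not from the article or from any MDM product. The class, its method names and the thresholds are assumptions.

```python
"""Selective versus full wipe, and lock/wipe triggers, for a BYOD device.

Added example, not from the article or any product. Corporate data lives
in a separate container so it can be wiped on departure without touching
personal data; a lost device or too many failed unlock attempts wipes
everything, but only if the user agreement authorizes a full wipe.
Thresholds are assumptions.
"""
MAX_FAILED_UNLOCKS = 10   # assumption: full wipe after this many failures
AUTO_LOCK_SECONDS = 300   # assumption: lock after this much inactivity


class ManagedDevice:
    """Employee-owned device with a separate corporate container."""

    def __init__(self, owner: str, agreement_signed: bool):
        self.owner = owner
        self.agreement_signed = agreement_signed  # contract covering full wipe
        self.personal = {}      # user's own data
        self.corporate = {}     # secure container for business data
        self.locked = False
        self.failed_unlocks = 0
        self.last_activity = 0
        self.log = []

    def store(self, container: str, key: str, value: str) -> None:
        """Write to either the 'personal' or the 'corporate' container."""
        getattr(self, container)[key] = value

    def activity(self, now: int) -> None:
        if not self.locked:
            self.last_activity = now

    def check_inactivity(self, now: int) -> bool:
        """Auto-lock after a long idle period; returns the lock state."""
        if not self.locked and now - self.last_activity >= AUTO_LOCK_SECONDS:
            self.locked = True
            self.log.append("auto-lock: inactivity")
        return self.locked

    def unlock(self, passcode_correct: bool, now: int) -> bool:
        """A correct passcode resets the failure counter; repeated failures
        trigger the automatic full wipe."""
        if passcode_correct:
            self.failed_unlocks = 0
            self.locked = False
            self.last_activity = now
            return True
        self.failed_unlocks += 1
        if self.failed_unlocks >= MAX_FAILED_UNLOCKS:
            self.wipe(full=True, reason="failed unlock attempts")
        return False

    def wipe(self, full: bool, reason: str) -> str:
        """Selective wipe clears only the corporate container. A full wipe
        also clears personal data, but only when the agreement allows it;
        otherwise it falls back to a selective wipe and records why."""
        self.corporate.clear()
        if full and self.agreement_signed:
            self.personal.clear()
            self.locked = True
            self.log.append(f"full wipe: {reason}")
            return "full"
        if full:
            self.log.append(f"full wipe not authorized, selective wipe: {reason}")
        else:
            self.log.append(f"selective wipe: {reason}")
        return "selective"

    def on_departure(self) -> str:
        """Employee leaves: remove business data, keep personal data."""
        return self.wipe(full=False, reason="employee departure")

    def on_reported_lost(self) -> str:
        """Lost device: wipe everything if the agreement permits."""
        return self.wipe(full=True, reason="device reported lost")
```
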
Conclusion

In a world where sustainable success is increasingly elusive, focusing on increasing productivity through BYOD may be a profitable strategy. That said, integration of BYOD into the existing IT infrastructure is not an easy task. To reap the core benefits of BYOD, organizations need to carry out an initial assessment to verify BYOD readiness, and security and support gaps need to be filled to implement BYOD with acceptable risk levels. A comprehensive approach is essential for BYOD adoption, resulting in IT becoming user-centric, as opposed to its earlier support-centric stance. Capability development and constant knowledge/skill upgrades are key differentiators in providing a superior user experience.

Before implementing, organizations need to consider whether high operational costs may even negate the cost savings that BYOD can bring in the near term. With security policies and employee awareness programs in place, BYOD can bring benefits in the form of user experience, increased productivity, user satisfaction, mobility and reduced CAPEX. Further, data resource management (DRM) can be used so the actions on data can be specified in advance.

BYOD is not a project or a program. It is a commitment to adopting technology and innovation, and as with all other tech initiatives the IT department should be at the center of it fueling business need and advancement.

Though user experience is a key objective of BYOD, the organization’s stakeholders (e.g., its customers and shareholders) are also of primary importance. A breach or misuse of sensitive, customer or financial data could be detrimental to the success of BYOD. Hence, an organization’s BYOD implementation should be based on an effective strategy aligned to its business objectives (e.g., growth, productivity, mobility, faster time to market) with an effective support structure in place, monitored by MDM and data privacy policies since security and support are paramount to its success and scalability.

References

Endnotes

1 Bradford Networks, “Ten Steps to Secure BYOD,” 2012, www.bradfordnetworks.com/ten-steps-to-secure-byod
2 Network World, “Managing Your Employee’s Device,” Special Report, February 2012, www.networkworld.com
3 Werth, Whitney W.; “Bitzer Mobile Solves BYOD Security and Usability Clash for Enterprise Mobility,” March 2012, www.bitzermobile.com/press-release-9/
4 Op cit, Network World
5 IT World, Good Technology State of BYOD Report, white paper, January 2011, www.itworld.com/mobile-wireless/247888/good-technology-state-byod-report
6 Joch, Alan; “BYOD: A Cost Saver or a Curse?,” April 2012, www.biztechmagazine.com/article/2012/04/byod-cost-saver-or-curse
7 Gourley, Bob; Alexander Olesker; “The Current State of BYOD,” May 2012, http://ctolabs.com/2012/05/currentstateofbyod/
8 Op cit, Network World
9 Unisys Corp., “Unisys Empowers Employees With Anytime, Anywhere Access to Mission-critical Applications,” 2012, www.unisys.com/unisys/common/download.jsp;jsessionid=D686D96891546594833F030CCA056305?d_id=1120000970022510165&backurl=/unisys/ri/cs/detail.jsp&id=1120000970022510165
10 Trend Micro, “Bring ‘em on!”—The Consumerization of Enterprise Mobility, white paper, 2011, www.trendmicro.com/cloud-content/us/pdfs/about/wp_bring-em-on-the-consumerization-of-ent-mobility.pdf
11 Op cit, Unisys
12 Cobb, Stephen; “BYOD Infographic: For Security It’s Not a Pretty Picture,” 4 April 2012, http://blog.eset.com/2012/04/04/byod-infographic-for-security-not-a-pretty-picture
13 Op cit, Network World
14 Dimensional Research, “Consumerization of IT Survey 2011,” September 2011, www.kace.com/~/media/Files/Resources/Analyst-Reports/Consumerization-of-IT-Survey-2011.ashx

Srikanth Ravindran is a service management/information security consultant and ITIL practitioner with Infosys Ltd. Ravindran has the ITIL v3 Intermediate and COBIT 4.1 Foundation certificates. He can be contacted at srikanth_ravindran@infosys.com.

Rajat Sadana is a process consultant with Infosys Ltd. He is an ITIL expert and holds the ITIL v3 Intermediates, ITIL v2 Practitioner and COBIT 4.1 Foundation certificates. Sadana can be contacted at rajat_sadana@infosys.com.

Deepa Baranwal is an associate process consultant with Infosys Ltd. and holds the ITIL v3 Foundation Certificate. She can be contacted at deepa_baranwal@infosys.com.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2013 ISACA. All rights reserved.
