Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

No byod policy? Time to grasp the nettle


Published on
A research whitepaper published in November by Ovum and commissioned by Logicalis, revealed a great many interesting BYOD trends – many of which were highlighted in a recent CXO post (BYOD Research) by Ian Cook. Perhaps the most startling, however, was the very low proportion of ‘BYOD-ers’ who have signed corporate BYOD policies.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No byod policy? Time to grasp the nettle

  1. 1. No BYOD Policy? Time to grasp the nettleChris Gabriel considers why it is that so few organisations have a BYOD policy inplace, despite allowing employees to use their own devices for corporate purposes –and highlights a series of issues that an effective BYOD policy must take intoaccount.A research whitepaper published in November by Ovum and commissioned byLogicalis, revealed a great many interesting BYOD trends – many of which werehighlighted in a recent CXO post (BYOD Research) by Ian Cook. Perhaps the moststartling, however, was the very low proportion of ‘BYOD-ers’ who have signedcorporate BYOD policies. 78% of firms have no BYOD PolicyThe research found that, globally, almost 60% of full-time employees partake insome form of BYOD, but only 20% of them have signed a BYOD policy. Is that aresult of employees simply failing to sign a policy? Apparently not. A separate pieceof research recently found that 78% of firms whose employees BYOD do not have apolicy at all.
  2. 2. If I might indulge in the art of understatement, that seems a bit of an oversight andsomething of a risk. Without a policy in place, how can an organisation exercise anycontrol over the blurring of lines between personal and corporate, and protect bothparties against the BYOD risks that are so well documented? Quite simply, theycan’t.Given that the number of consumer devices in the workplace is predicted to doubleby 2014, reaching 350 million, I’d suggest that correcting that oversight will, orshould, be a priority for a great many.However, and maybe this explains why so few firms have tackled the issue to date,putting together a BOYD policy is not necessarily straightforward. Indeed, the taskalmost certainly requires collaboration between a number of business functions –human resources, legal and, given the technical nature of the risks, IT.In fact, I’d argue that IT has a key role to play, given that the way BYOD is enabledwill shape the risks. That is, the starting point for any BYOD policy must be quantifywhat the organisation’s BYOD infrastructure enables employees to do with their owndevices when and where, how information security is protected and what can bedone if something goes wrong. That input will form a vital framework against whichlegal and HR teams can shape policies according to risks, regulations and corporategovernance.No small task, and the outcome will differ from firm to firm, industry to industry,region to region. There are, however, a few common themes that most policies willhave in common. They include: 1. The ‘Right to Wipe’. What happens when a device is lost, stolen or misused, putting the security of sensitive data at risk? A policy may stipulate that devices must be password protected, encrypted and locked, but may also give the employer the to remotely delete data when a device is compromised. Any policy setting out a ‘right to wipe’ should be very clear as to how much data can be wiped from the device and, depending on the specific BYOD approach, makes employees aware that personal data may be lost.
  3. 3. 2. Employee Responsibilities. There cannot be any wriggle room when it comes to employee responsibilities, for instance making sure devices are compliant and security software is kept up-to-date. Depending on the exact approach to BYOD enablement, it may also be necessary to restrict BYOD access to a pre- defined set of smartphones or tablets – for instance those supporting corporate access apps or specific security protocols. 3. Employer Responsibilities. Any effective policy must also make clear where the employer’s responsibilities begin and end. If an employee owned device malfunctions, who covers the cost of support or repair? Does the company wash its hands of support, or could that compromise security? Alternatively, some policies set out a sliding scale of support depending on job function – for instance, it makes sense to offer support where the helpdesk cost is outweighed by the potential for lost productivity. 4. What’s allowed? This is really the crux of the matter and where the company can limit that blurring between ‘consumer’ device behaviour and BYOD. The starting point is to work out what employees should be allowed to do with their won devices, what data they can access, and what they cannot do – within the limits set out by BYOD infrastructure and security. Obvious limits will be on ‘jail- breaking’ devices, downloading corporate data and accessing certain websites, or types of websites. But there is a balance to strike, because setting too many limits risks putting employees off, which means missing out on the productivity and collaboration benefits that BYOD can deliver.There are, of course, a whole host of other considerations. Who pays for anyadditional data allowance that might be needed, and who covers device insurance?What does the ability to access and store corporate email, files and data on personaldevices mean for processes like eDiscovery, Legal Hold and Purge?The point is, an effective BYOD policy must be comprehensive in protectingbusinesses and employees, but no so restrictive as to make BYOD practicallyuseless. Getting it right is a complex and time consuming task, requiringcollaboration across functions that may have conflicting views.Maybe that explains why so many firms have yet to grasp the BYOD Policy nettle.
  4. 4. To see more blogs written by IT leaders, visit www.cxounplugged.comCXO Unplugged is written by IT leaders specifically for C-level executives in the IT community, highlighting thelatest news, trends and topics in the industry. We encourage all readers to join in the conversation, sharingopinions and experiences. With so much information vying for readers’ attention on the Web today, we know thatC-level executives need a source to filter out the news that affects them, and their peers, on a daily basis.