BYOD SCOPE: A Study of Corporate Policies in Pakistan



Published in: Technology, Education

Dr. Zahid Anwar, Shuja Ahmad, Haris Javaid, Muhammad Arslan Ejaz

Abstract--- The BYOD model is used to enhance productivity by recommending that employees stay connected to the organization’s network 24/7. There are several major issues related to securing information that the company’s IT department must take into consideration. It must assure an extreme level of data protection, operability, and efficient manageability. BYOD can give efficient, easily accessible, satisfying and instantaneous results; but without the right policies, organizations can face unwanted risks. Data security breaches have been an issue for years, but the risks are still increasing day by day with the growth in mobility and the variety of devices. Currently there are many organizations in the world (a few in Pakistan) that are using BYOD. As these devices are increasingly used in organizations, and as companies provide smart devices to which the user can easily add any desired application, conflicts arise. Who owns the applications on separately owned devices? Is there any restriction mechanism? And if the user leaves the company, what will happen to the device? We describe all the prominent policy features and the data breaches that have occurred against those features.

I. INTRODUCTION

Bring your own device (BYOD) can be defined as the rules and policies by which employees are allowed to use their personal devices, for example smartphones and tablets, in their offices. They can use these devices to access the organization’s information and applications that are available to them. The term is also used in the education sector, where it is applied to students. Some people believe that with BYOD, employees working in companies are more productive, because it grows the employee’s self-confidence and eases access through their own smart devices, and because the employee thinks that the company is flexible.
It creates a challenge for the management of the organization; it has a lot of involvement beyond the IT sector. Although many may not know about it, some employers are able to track all the activities of their employees, i.e. their locations during working hours and the applications they have installed, and to view or delete their personal data. The Adaptive Mobile [1] study reported a survey conducted by Harris Interactive [2] that targeted two kinds of audience, users and IT decision makers: 1,000 IT decision makers and 1,000 employees. 83% of staff would stop using their own device, or use it with deep concern, if they knew their employer could see what they were doing all the time. There are some important questions, like “Who will be the owner of the data?” or “Does the company have the ability to remove some or all of the data on a device in case of a security concern?”

Mobile devices, specifically smartphones, are present everywhere. Because of this, businesses are now starting to develop “Bring Your Own Device” policies to allow their employees to use their smart devices and stay connected to the organization. However, there are some notable attacks and obstacles to getting maximum use of device resources; it is difficult to trust these devices with access to critical information relating to a particular owner. If an organization is going to encourage a BYOD policy, it needs a lot of security discipline and staff to manage the environment 24/7. It therefore needs to design a set of rules (related policies) to ensure security in the implementation of this model. But most of the time companies have no policy, and as a result they suffer breaches of sensitive information. Our analysis showed that companies that have bad policies and no deep focus on BYOD must face a data breach within no time, as technology is evolving day by day and new technologies and new opportunities are emerging very fast in the IT world. We analyzed some breaches
that occurred in these specific organizations, and they showed the weaknesses, faults and problems within the policies of the model. If we make a comprehensive policy that covers solutions to most of the problems that may occur in the company, we can protect our crucial and sensitive data while making full use of BYOD. In the next sections we suggest and explain which points and rules must be in the policy to best avoid data breaches. Our concern is to find all the possible answers to the key questions related to the present model. We specifically focus on the key components, i.e. familiarity, awareness of employees engaging, application and information types accessed, formal company policy, mobile device management, employees’ data security, importance of security, benefits, recovery responsibility and all the risks related to the model. Further, in section 2 we describe the work done by other authors.

II. RELATED WORK

Antonio Scarfo described in his paper [3] a security experience of BYOD (Bring Your Own Device): it is a different habit that presents both an opportunity and a challenge for organizations. The challenge leads to some critical risks. A smart device that is used for both work and personal activities causes some new security issues that IT companies have to face. The security models summarized by the author follow two approaches: hands-on devices and hands-off devices. The hands-off approach is effective where there is a concept of virtualization, with the day-to-day operations done by the employees themselves, virtualization style. The hands-on approach (e.g. MDM), on the other hand, is based on full control of these smart devices, allowing the organization to control, monitor, and manage data, installed software, application settings and network usage, together with the utilization of the devices and the behavior of the end users.
From the BYOD perspective, end users are comfortable with the first approach because of its ease; however, in time this approach may integrate some key MDM features to gain further benefits from the company’s security point of view. There must be some relation between policies, roles and the legal agreement between companies and employees, and this should be counted as an important issue. Finally, the most important thing is this: if an enterprise wants to accept BYOD, its acceptance style should be simple, easy and friendly; the necessary rules and elements should be enforced only in hard situations, and employees should be left free to choose their devices by considering the right kind of tasks, roles, and operating knowledge. An IT delivery model can be used to provide these sorts of things.

Ruth Lennon briefly described in his paper [4] that IT managers all over the world have to change their attitude towards today’s workers and learners. The more advanced point of view, upgrading to bring your own device with high resources on the cloud, seems assured. However, BYOD users need to re-evaluate their attitude toward the security of their own devices and the resources they use, due to the increasing trend of mobility and flexibility in IT. The author determines business users’ attitudes towards using BYOD for business. He also describes the results of a survey of business users’ attitudes towards resources stored on the cloud. In the end, some suggestions are made regarding the help that should be given to users to prevent security risks in BYOD and the cloud. The brief analysis above indicates a general lack of knowledge among system users of the risks surrounding the use of personal devices such as laptops. Due to the lack of security in applications used in BYOD, the users’ general trends have a small amount of information.
Accordingly, it is absolutely necessary that education and awareness programs be conducted for the users of BYOD and cloud systems so that they can mitigate the security risks of such systems.

Another BYOD-related paper [5] showed that trends in the analysis and technology of information systems development strictly indicate the frames known as cloud computing. The cloud brings certain advantages as well as challenges for information systems. System security is very important, so it requires more care and attention. There are some general problems, meaning they are in any case equal to the main business function for which that particular IS is being developed. For
decades the real treatment of activities known as eLearning has required additional reflection in education. It should be handled as a system with all its functionalities and additional specificities. Independence of location and time of realization provides an additional possibility: integrating the user’s personal equipment in eLearning. In practical information science, BYOD supposes that smart devices help end users reach their business resources. This paper examines the readiness of students and teachers to adopt such teaching modes. The fast development of information science in all its fields has been accompanied by frequent modifications of the paradigm used in information systems development. Specificities of the connections between business and information systems are a necessary consequence of these modifications, especially due to the influence of mutual changes in the mode of business organization. The BYOD frame is not dependent on the business itself, in the same measure that business can be independent in any segment or form of place and time of realization. Since eLearning is proclaimed to be location and time independent, BYOD organization offers additional possibilities. Primarily it could make the educational process significantly cheaper, which is the strongest recommendation for such organization. Further research could pay attention to specific forms of business such as eLearning or cloud computing. This research has not insisted on a specific sort of business or suggested any specificities of business. This is supposed to emphasize the generic possibilities of the BYOD paradigm.

Khoula Alharthy published a paper [6] in IEEE that briefly discussed BYOD security as the way to protect an organization’s network against a variety of threats that come through mobile devices and access channels. The author explains the implementation of a security solution in a higher education institution in Oman.
This security solution helps to protect network data from unauthorized access, as well as to control unmanaged devices, namely smartphones and mobile devices. The research follows these steps: literature review, data collection, analysis, design of the network structure with the suggested solution, and implementation of the BYOD security solutions, as well as monitoring network performance with the implemented solutions to keep track of traffic flow with high availability and security. This research paper will help to facilitate the work of network users by allowing BYOD, as well as increase network availability, ability and security through 802.1x, CA and RADIUS. The research presents a set of principles that any organization should follow before implementing the BYOD framework. As a consequence of these principles one is provided with availability, usability, mobility and security. A summary of all the findings listed through the research steps indicates that the BYOD framework should be applied in phases, which is not the typical case in other systems, where the IT team configures the system and then trains the users to use it. Upgrading the network infrastructure and adding a mobile VLAN, using 802.1x as encryption algorithms and supporting RADIUS and CA for authentication, was only the first step of implementing BYOD in the organization, and a few more steps are required to achieve secure BYOD, such as upgrading the storage capacity to handle three times more data than it currently can, and monitoring wireless performance and wireless bandwidth. All mobile devices such as smartphones and tablets are now able to access through a wireless connection.

III. RESULTS

As the result of our survey in some organizations, we found some interesting things about the model implemented in those organizations. We then compared our results with companies in the developed countries.
Employee’s awareness:

[Fig. 1: % of employees using BYOD]
[Fig. 2: Aware of all employees’ access]

Most organizations said they were aware of the connectivity of the employees’ devices in the network. 39% were not aware of the connectivity. In comparison to the developed world, in Pakistan most employers are aware of data access, but there are very few BYOD-implemented infrastructures.

[Fig. 3: Without employers’ knowledge]

Device and Application:

It is observed that smartphones are the smart devices users prefer most, and the most used and accessed application is email.

Among smartphones: 83%
Among tablets: 66%
Other: 14%

[Fig. 4: Typically accessed application]

In comparison to the developed world, mostly applications in organizations in Pakistan have very specific policy that does not include is emails related, i.e. Outlook etc.

Presence of formal BYOD policy:

[Fig. 5: Have a policy]
[Fig. 6: When the company put their policy]
In comparison to the developed world, most organizations in Pakistan have a very specific policy that does not include all the components of security; e.g. a simple policy may include restrictions such as attachments and pictures not being allowed.

Who bears the costs?

[Fig. 7: Employers’ point of view]

In comparison to the developed world, in Pakistan the cost is paid by some device owners, and in some cases organizations provide the device to employees at the company’s cost.

Policy consists of:

[Fig. 8: When an employee leaves the company]
[Fig. 9: Policy covers]
[Fig. 10: Having MDM]

In comparison to the developed world, some organizations have a policy that if a user is going to leave the job, they delete the account from that device and auto-format the whole device; others have a solution to specify what type of application can be accessed, e.g. Specs in Huawei.

Company: 24%
Wireless providers: 9%
The employee: 67%

[Fig. 11: Responsibility]
[Chart: Restrictions; categories: The Company, The Wireless Provider, The employee]
[Fig. 25: Responsibility of keeping employees’ device secure]

Companies with larger infrastructure are more likely to say the risks are more significant than the benefits when it comes to BYOD. But companies of different sizes are able to recognize the benefits.

[Fig. 12: Companies by size engaging in BYOD]

Smaller companies are slightly less likely to have employees who engage in BYOD. Very few users have experienced cyber-attacks or had their device stolen or lost, but those who did are much more concerned about their personal information than their company’s information.

IV. EVALUATION

Section 2 and 4 discussed the features of BYOD. We can see that there are a number of concerns we may have to address to make things right. If an organization wants the best results after deploying this model, it must ensure that its policy is secure so that it gains productivity, not losses. We observed some breaches in multinational organizations that occurred because of a lack of the required focus in making the security policy; but in Pakistan, as there is no such deployment at that level, the breaches are fewer, or if they are present, most users do not even know what has been lost and what the importance of that information is. To make sure that no data breach occurs in the organization, it must concentrate on the following points: Routine Assess Capability, i.e. carefully evaluate the daily network access and monitor it according to the policy; use a mobile device management solution, i.e. monitor and control installed applications, and configure and monitor devices with the use of asset tracking and reporting; deploy high defense security, i.e. Mobile Device Management with geo-fencing, and the use of virtualization can be helpful in separating personal and business data.

We surveyed three companies. Two were telecom companies and one was an internet service provider.
All three had BYOD policies; although employees were not aware of the term “BYOD”, they were aware of connecting devices to the workplace internet. The ISP firm had more professional IT and IS people. Employees were allowed to access emails on their devices. Official data was not allowed to be fetched on mobile devices.

In one telecom company the policies were almost the same as mentioned before. But it was also using an application called SPECS that keeps logs of user activities. Whenever a user sends a request for a particular site or data, it passes through this application window, and in the same way data was downloaded through this application. Secondly, employees were not allowed to take snaps of official data with smart devices. This activity was monitored by CCTV. The same company also gave laptops to its users with applications already installed. The ports of these devices were also blocked so that users could not use flash drives. When we asked about data breaches, we learned that there had been a few incidents of breaches. One employee tried to send official data to his personal email account using his office account, but this activity was logged and a notification was sent to the employee. In another case an employee bypassed the official network by accessing the internet over GSM. He downloaded a virus onto his laptop, and that caused an alarm in the network. In response to this activity, an email was sent from higher authority to all employees saying that they should not click on the virus link.

The second telecom company had also implemented BYOD, but officials were very reluctant to share any information about the policies or security breaches. One thing they were ready to share was that employees were also allowed to access only emails on mobile devices. That company was using Microsoft security tools on laptops, but officials did not disclose the name of the tool. On their end there were valid reasons, as this is a confidential matter, so maybe they were not ready to share any information with us.

[Chart: categories “Less than 500” and “500 or more”; legend “Risk strongly greater”, “Risk somewhat greater”, “Benefits somewhat greater”]
[Chart: categories “Personal” and “Company’s”; legend “Very”, “Somewhat”, “Not very”, “Not at all”]

[Flowchart; decision labels: Yes, No]
Are you aware of your business goals?
Identify your goals
Analyze existing policies
Understand end user cases accordingly
Determine support capabilities
Determine your needs and phases
Define segregation of personal and organization data
Define minimum device requirements
Define stipend and payments
Do you still feel BYOD will make sense to you?
V. CONCLUSION

Some say, “BYOD is the wave of the future so companies need to get on board”; others say, “BYOD is a fad that will soon fade”. Companies emphasize “data protection”, “security of device”, and “employee compliance” as their chief concerns. Users recognize that BYOD may be the wave of the future, and organizations feel the benefits should outweigh the risks. The major problem that multinational organizations are facing is with the organization’s BYOD policy. But in our country it is awareness of the technology that must be assured to make full use of BYOD. In Pakistan there is a huge need to give knowledge to employees as well as organizations. Our survey showed that employees have very little know-how and employers have a little more knowledge.

VI. REFERENCES

[1]
[2]
[3] F. Palmieri and A. Castiglione, “Automatic security assessment for next generation wireless mobile networks,” Mobile Information Systems 7(3), IOS Press, pp. 217-239, 2011. doi:10.3233/MIS-2011-0119
[4] G. Lennon. R, “Changing User Attitudes to Security in BYOD,” Computing Department, Letterkenny Institute of Technology, Letterkenny, 2012.
[5] Scarfo, A., Broadband, Wireless Computing, Communication and Applications (BWCCA), 2012 Seventh International Conference on, pp. 446-451, 2012. doi:10.1109/BWCCA.2012.79
[6] Khoula AlHarthy, “Network Security Control Solutions in BYOD,” Department of Computing, Middle East College, Muscat/Oman, 2013 IEEE International Conference on Control System, Computing and Engineering, 29 Nov. - 1 Dec. 2013, Penang, Malaysia.
[7]

VII. Appendix A

The survey consists of the following questions.

a. BYOD policy exists or not
b. Type of accessible data
c. Employees’ awareness
d. Most used device
e. Most used application
f. Security of device
g. Personal or company’s data concerned
h. Site restrictions
i. Handling of BYOD: IT or IS
j. Responsibility of cost
k. Effect of using BYOD

VIII. Appendix B

We conducted the survey by going to regional offices and communicating with the IT officials of three companies in Pakistan. But we are not allowed to disclose the names, because they use some sensitive tools for their data security.