Make sure your company’s BYOD policy doesn’t stand for “bring your own disaster”

Employees and their very individual IT preferences are going rogue—a dangerous trend for employers.
Employees and their very individual IT preferences are going rogue—a dangerous trend for employers.
Image: AP Photos/Joerg Sarbach
We may earn a commission from links on this page.

Here’s what happens when employees bring their own device to work:

They still expect to use the same programs and apps as before. But the majority of smartphones, tablets and apps are built for consumers.

To get access to the same collaboration tools they feel entitled to use, enterprise employees and entire departments take matters into their own hands. They take it underground; they find workarounds. They spin up “Shadow IT” environments without IT department knowledge or approval.

These programs, by design, do not meet the security requirements of most IT departments. And so they raise the stakes for (if not the hackles of) information technologists, tasked with keeping the enterprise secure, among other things.

It’s a recipe for the so-called BYOD (Bring Your Own Device) movement to turn into Bring Your Own Disaster—a head-on collision between users and IT. Security, cost, data protection, mobility and productivity lie in the balance. It’s up to business decision makers, then, to find technology solutions that give both camps what they want. 

More Mobile Devices Than People

This year, Gartner predicts BYOD will continue to be a top tech trend. Mobile device use in enterprises will grow another 20%, according to IDC. By 2018, 70% of mobile professionals will conduct their work on personal mobile devices, Gartner estimates. And it’s no wonder. There are already more mobile devices on the planet than people, according to Forrester Research.

As employees grow ever-more tech savvy, they become accustomed to the smartphones and tablets they use at home. It’s only natural they want to use them at work, too.

The same is true with consumer apps and cloud services. There’s no shortage of useful consumer software and services today, to which users develop an allegiance. Consumers have a real need for apps and cloud services to make their lives easier and more productive anytime, anywhere. They want to share content and collaborate using technology in their personal lives, just as they do during working hours. Many of these consumer software offerings deliver amazing benefits not even imaginable just a few years ago. 

Risk to Employee Devices Is More Than Double

Herein lies the challenge: Consumer hardware and software are not built with enterprise use in mind. Their use within enterprises, by default and left unmanaged, elevates the businesses security risk profile dramatically. In fact, employee-owned devices will be exposed to more than twice the security risks of enterprise-owned devices through 2014, Gartner predicts.

The majority of consumer services, such as most cloud offerings that share and sync files, aren’t built to meet the stringent security requirements of enterprise software, either. Some of these services, however, are the exception.

While no system, application, device, or piece of technology can be 100% secure, consumer mobile devices and apps are precisely what keep IT people up at night. More than two-thirds of IT professionals believe that BYOD and consumer software increase costs largely due to the added security risks and their efforts to prevent them, according to a survey by Lieberman Software.

But IT needs to realize BYOD is driven by user demand. The freedom of choice is fueling today’s modern, mobile worker blurring the division between their work and personal lives. They want access to information anytime, anywhere from any device, and expect the same consumer friendly, ease-of-use experience with enterprise apps.

Asking For Forgiveness, Not Permission

All the while, many enterprises employees don’t fully disclose all the consumer apps and services they use on their devices, which they connect to the enterprise network. Studies show that companies without a formal BYOD policy already have employee-owned mobile devices tapping into the corporate network. Entire business units are “going rogue” by developing BYOD apps without informing IT, according to CIO, citing a healthcare provider’s IT department that thought it had three mobile apps in its consumer tech environment only to discover more than 60. The collective thinking among BYOD-empowered users appears to be: Ask for forgiveness, not permission.

Faced with a stark choice between compliance with IT mandates and freely accessible content, individual users are taking matters into their own hands. To maintain access to critical files using unsanctioned (for good reason) consumer-grade online tools, employees are either waiting until they reach home and are off the corporate network or they are simply bypassing the company network right from their offices using readily accessible MiFi hotspot connections.

Inevitably, the divide between BYOD-empowered users and IT puts business decision makers in a tight spot. How can they give employees the freedom to use the types of consumer-facing software and cloud services they want while giving IT peace of mind?

There is a better way: to make it safe for shadow IT users to come out. 

Combining What Consumers Love And IT Needs

Communication and collaboration between the two camps is key to bridging the divide between users and IT.

Information-technology departments should proactively try to obtain as much information as possible from users about the consumer apps and devices they prefer. What, exactly, do they like about their favorite software and apps and why did they choose them?

Employees want the ability to access their personal and corporate data across all their devices. They want the ease-of-use of consumer products and applications. On the other hand, IT requires the security and governance of the information. Can there be a balance?

IT should work to engender a feeling of trust among enterprise users, in order to get a complete picture of all the shadow consumer apps and devices they’re using in connection with their work. Ultimately, the IT department should fully understand that, in many cases, users have taken the time to choose and learn their favorite consumer apps and cloud services. Getting the to willingly switch from the apps they’re passionate about to enterprise-endorsed alternatives may require both education and persuasion.

At the same time, users need to better understand from IT the challenges to the enterprise, such as security risks, that can result from consumer apps and technologies.  Users should be aware of how security risks from BYOD and “shadow IT” can impact the organization as well as their own departments.

According to a recent survey by analyst firm ESG, 70% of IT respondents said they knew or suspected that users were using consumer tools against corporate policy. This means that every day that goes by, more company files are being put in the public cloud, out of IT control.

Some enterprises appoint a user committee, which is tasked with communicating to and working with designated IT staff members on behalf of other users.  This can go a long way toward making an enterprise’s BYOD and consumer app-use policy palatable to both sides. And if your enterprise doesn’t have a BYOD policy yet, now is the time to develop one.

For example, in recent years, consumers have gravitated toward cloud-based file sharing and syncing services. These offerings enable consumers to sync important documents across multiple computers, such as their home and business computers; access documents from their mobile devices; and share folders with others for easy collaboration. Many of these services have gained popularity among consumers by offering a free 2GB plan. File sharing and syncing services offer many obvious enterprise benefits as well. But the majority of the consumer services aren’t built with enterprise security in mind, putting organizations at risk.

When investigating cloud-based file sharing/syncing services, to satisfy your IT department, you should look for security settings that allow IT to restrict and control file and folder sharing outside the enterprise. Other important features include the abilities to restrict specific devices from connecting to the service; restrict access to the cloud service’s website from unauthorized computers; enforce data retention policies and remote-wiping of shared folders; require all actions to be authorized and validated against your security policies; and the option to offer two-factor authentication. And to satisfy your employees, look for all of those features in a user-friendly package with the same ease of use as the programs they rely on outside of the office. Whenever possible, look for file sharing/syncing services from established vendors that can be integrated with their other enterprise offerings, such as storage, or your own software services through integration APIs.

In short: When you choose enterprise-level products and services that appeal to consumers, it’s a win-win for IT and users alike. Both groups become more productive and efficient in their work. That’s good for users, good for IT—and great for your business.