We all love our gadgets, but some of our favorite devices, however innocent they may appear, are poised to overwhelm IT departments worldwide.
Like it or not, the “bring your own device,” or BYOD, trend is now a permanent fixture among businesses big and small. Sure, some companies still prohibit employees from integrating personal laptops, tablets, and smartphones into their IT infrastructures, but their numbers are quickly dwindling. BYOD is a matter of “when” not “if,” so businesses and IT admins must understand the risks involved and determine the most effective and secure ways to embrace all these alien gadgets.
When Paul Proctor, vice president and security analyst for Gartner, moderated a panel discussion on BYOD at the RSA Security conference in San Francisco this week, he classified four different approaches to BYOD: containerization, embrace, block, and ignore.
“Containerization” allows for BYOD but carves out a separate space for business-related data and communications. Meanwhile, companies that “embrace” BYOD have a no-holds-barred, bring-it-on ethos when it comes to hardware and security management. “Block” characterizes companies that actively ban BYOD, while “ignore” describes organizations that pretend the issue doesn’t exist.
Proctor also shared Gartner research that crystallizes just how widespread BYOD has become. According to Gartner’s numbers, 47 percent of today’s businesses use containerization, 30 percent embrace BYOD, 15 percent block it, and 8 percent ignore it. But what’s more interesting are Gartner’s projections for how the next three years will shape up: The embrace model will double to 60 percent, containerization will drop to around 38 percent, block will plummet to below 3 percent, and ignore will completely cease being an option.
Richard Stiennon, security analyst for IT-Harvest, puts it more bluntly. “Resistance is futile,” he says. “IT departments have always resisted consumer-driven change. Email, Web browsing, and Wi-Fi are all innovations that were initially blocked. Every organization should embrace BYOD. It's the future.”
Let’s take a look at those Gartner projections again. Less than 3 percent of all businesses will block BYOD outright, and these organizations will probably be in highly regulated, security-conscious segments such as government and banking. Meanwhile, ignoring BYOD will go away forever—a wise response to a trend that poses significant security problems. The upshot is that if you have any stake in the hardware or networking infrastructures in your business, now is a good time to consider BYOD risks and benefits, and to develop a plan for managing BYOD at your company.
The tricky part is that there’s no single correct response to BYOD. There’s no silver-bullet platform or application that just makes BYOD work. For many businesses, there isn’t even a single BYOD approach that they can apply companywide. Different roles and individuals may present different levels of risk, and may require you to apply and manage BYOD differently.
With this in mind, here are four essential matters to consider when you're navigating the ever-swirling BYOD waters.
1. Weigh your options
BYOD is emerging as a valuable and effective tool for attracting and retaining talent. Younger staffers simply expect to use their own smartphones and tablets to get work done. That said, embracing BYOD doesn’t have to mean allowing a free-for-all.
Rob Enderle, principal analyst for the Enderle Group, explains: “Extremely unsecure platforms should likely still be avoided until and unless they can be effectively locked down. IT should still ensure that devices are protected through policy, and that corporate information is segregated from personal information, and is protected, and [that] its use is managed by policy.”
As for the definition of “unsecure platforms,” we can look straight to Android for some of the bigger security risks in the BYOD revolution, but unpatched Java and Flash installations are responsible for security breaches as well.
To some extent, defining or limiting which hardware platforms employees use goes against the basic tenets of BYOD. To wit: Saying that employees can bring their own devices as long as they're Windows Phones isn’t all that different from saying that employees must use company-issued Windows Phones. Still, you have to examine the risks involved with different platforms, and understand how much control the organization will (or won’t) have to protect company data and communications. Some devices simply won’t make the cut.