IT INDUSTRY TRENDS NAVIGATE THE UNCHARTERED WATERS OF BYOD WITH A SECURE POLICY Any successful sailing trip must be carefully planned to avoid danger and ensure a safe return. The captain evaluates the ship s crew, equipment and timing, maximizing the strengths of each to develop a successful route to port. While at sea, the ship will also face variable, unpredictable factors like wind conditions and currents that require quick decisions to stay on course. An experienced captain anticipates the changing conditions, adjusts and adapts to new circumstances. In a business setting, organizations are faced with obstacles every day. Leaders leverage the skills of their employees, their strengths in the market and other differentiators to develop a strategy to keep their company profitable and successful. Along the way, they must respond to challenges from developing technologies, competitors, regulation and other external forces. Bring Your Own Device (BYOD), the practice of employees bringing their own mobile devices to the workplace in order to connect to the corporate network, is a more recent opportunity and threat to organizational operating rhythms. While the right BYOD strategy can offer benefits such as improved productivity and cost savings, it can also open the door for risks to corporate data security and protection. Navigating to the optimal approach will capitalize on these benefits while reducing the potential business risks of BYOD. TEKsystems surveyed more than 2,000 IT professionals and more than 1,500 IT leaders on the topic of BYOD. IT professionals provided specific insight from the employee s perspective, and the leaders who responded provided their insight from the employer s perspective. We asked each group to share their viewpoints on how important a BYOD policy is to their organization, the challenges most organizations face and the elements of an effective BYOD policy. TEKsystems.com 1
Wind of Change: The Impact of BYOD Increased adoption of mobile devices has led to heightened reliance on mobile technology. While the sole reason for owning a mobile device was once for personal use, the reliance on mobile has expanded to the workplace. More and more employees want to bring their devices to work, and IT leaders and professionals alike rely on personal phones, laptops and tablets for work activities. Employees like using their own devices and claim the familiarity and the portability of the device increases their productivity and can lead to increased retention. Employers also benefit, as they can achieve lower hardware costs by allowing employees to use personal, non corporate-owned devices. Yet, many organizations struggle to define the terms of such an arrangement. The process of synching a device to a server varies based on the user s device and operating system, and organizations must therefore define levels of support for various devices or platforms. Once the policy is set, the burden on the IT department often results in higher expenses as additional resources or training may be required to meet the added demand. Organizations must also determine who owns the data and how to retrieve it should the employee leave the company. Companies who forbid their employees to access data on their devices face additional challenges, as many employees will create an alternative solution, such as forwarding emails to personal devices or creating ad hoc applications to replicate the functionality of corporate programs. The trend of BYOD is not going away, and organizations should proactively plan for how not if it will affect their business. Percentage of time spent on personal devices for work-related activities mobile phone laptop tablet 89% 83% 82% 72% 58% 54% IT Leaders IT Professionals Staying Afloat: Guidelines for Creating an Effective BYOD Strategy Organizations must find a way to satisfy internal data security concerns and meet employee desires for increased flexibility. A successful BYOD policy will eliminate ambiguity, address user confusion and clearly define acceptable behavior. As organizations differ in user population, risk tolerance, workforce needs, type of data shared and culture, a one-size-fits-all policy can t address the needs of every organization. Instead, the best BYOD policy requires customization. Organizations should begin by analyzing what makes their employees most productive and enables them to succeed. Based on these insights, leadership can begin to establish specific parameters around acceptable behavior for their unique organization. TEKsystems.com 2
IT leaders and IT professionals agree that their organizations current BYOD policies: Provide greater employee access to company data Improve employee satisfaction through freedom of choice Increase efficiency and productivity At its core, an effective policy will guide employees on the protection of sensitive information and define the organization s role in supporting the policy. IT leaders and IT professionals agree that their organizations current BYOD policies provide greater employee access to company data through the use of personal devices, improve employee satisfaction through freedom of choice with device management, and increase efficiency and productivity. Approximately half of IT leaders and IT professionals (53 percent and 47 percent, respectively) cite their organization s policy is neither effective nor ineffective at providing responses to end-user questions or issues, suggesting there is room for improvement in the IT support function. Similarly, IT leaders and IT professionals report ambiguity around their organizations policy for covering the cost of their mobile devices, as 80 percent of leaders and 83 percent of professionals claim the end user pays for all or a portion of the expenses associated with their device. of IT professionals say they either haven t received communication on BYOD or there is no policy in place, and 29 percent of IT leaders report the same. Leadership also needs to periodically evaluate the policy for relevancy and effectiveness in addressing new security threats or device management issues. For example, a policy written to support the use of mobile devices may not fully address user questions around tablets. Navigating to Port: Key Components of a Successful BYOD Policy While a successful BYOD policy will address information security and enable productivity, the strongest policies will cover the following specific areas: Battening down the hatches: Protect the security of company data As soon as employees connect personal devices to their organization s network, they place company data at risk. IT often lacks insight into the security profile of personal devices and the safety measures implemented by the employee, such as password lock, will vary depending on the device and the employee s personal preferences. The repercussions to a lost or stolen personal device are severe: 38 percent of IT professionals believe more than half of their organizations sensitive data is at risk, and 20 percent think all company data could be compromised. 38% of IT professionals believe more than half of their organizations sensitive data is at risk, and 20 percent think all company data could be compromised. Once the policy is established, it must be promoted and enforced within the organization and revisited to ensure it continues to meet business goals. Forty percent TEKsystems.com 3
In order to protect company data, a BYOD policy must address the specific security needs of the organization. As a first line of defense, personal devices should be password-protected and include a timeout feature to prompt password entry after a set period of inactivity. Organizations should guard against malicious software programmed to disrupt operations, known as malware, by requiring anti-virus protection, limiting application download capabilities and pushing system scanning technology to user devices. Once users have passed these basic security requirements, some organizations may also need to enact advanced measures based on the nature of their company data. Organizations that allow their employees to access their customers personal information, such as social security numbers, should require data encryption measures to further protect sensitive information. As a fail-safe measure, IT should have the ability to remotely wipe data if a personal device becomes compromised. Nearly half (46 percent) of IT professionals and 33 percent of IT leaders report that their organization does not have remote wipe capabilities. Only 53% of IT leaders AND 50% of IT professionals feel their IT department supports a sufficient amount of different devices and platforms, limiting their mobile device s functionality at work and counteracting any productivity gains from BYOD practices. Clearing the decks: Limit unauthorized access to company data Maintaining security of end-user devices is an important component of any organization s BYOD policy, and highly regulated industries like healthcare and financial services require even greater attention to data security. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain policy controls to restrict data access, control access and data rights on applications, and conduct compliance reporting across mobile devices. Per the Dodd-Frank Act of 2010, financial companies must comply with Securities and Exchange Commission (SEC) requirements to retrieve and review employee communication records. Thirty-five percent of IT leaders and one-quarter of IT professionals claim their organization s policy does not adhere to government-mandated regulation, such as HIPAA or Dodd-Frank. Organizations must first identify any regulation that impacts their line of business and ensure their policy will comply with the requirements. Next, to further promote data security, IT should conduct an analysis of user access rights and set proper access to applications. Access levels should be periodically reviewed and audited to ensure ongoing compliance. Running aground: Alleviate pressures on IT support While granting employees permission to use personal devices can increase productivity and morale, opening up access will also place more pressure on IT. As more devices access company systems or platforms such as email, remote desktop and applications, more support issues will arise. Only 53 percent of IT leaders and 50 percent of IT professionals feel their IT department supports a sufficient amount of different devices and platforms, limiting their mobile device s functionality at work and counteracting any productivity gains from BYOD practices. The strain on IT is often more than just a personnel issue; the number and complexity of mobile devices in the market means that IT is challenged to support a variety of devices and operating systems in addition to managing existing corporate-owned hardware. TEKsystems.com 4
To reduce pressure on the IT department, organizations should assess the capabilities of their help desk and adjust device support accordingly, assume a greater role in device management through push technology and empower users to resolve device issues on their own. First, organizations can maximize help desk productivity by examining the skills and bandwidth in their IT departments and using this analysis to determine their level of device support. These decisions will depend on the capabilities and support currently Organizations lack visibility into their end-user activity. 37% of IT leaders 39% of IT professionals claim their site visits are not monitored offered by the help desk; a help desk already struggling to respond to user questions on email platforms will benefit from limiting the number or type of devices allowed, while a more advanced help desk may be able to support a wider variety of devices. Second, the very nature of a personal device limits IT s ability to connect remotely to that device to solve an issue or ensure compliance. In order to best exert control over device management, IT needs to be able to push updates through to personal devices on mandatory business applications. Push technology also decreases support time and increases control over the network, but only slightly more than half of IT departments have this capability today, as reported by 61 percent of IT leaders and 58 percent of IT professionals. Finally, organizations can enable users to perform self-help when possible, further reducing the number of support calls into the help desk. Self-service enablement giving employees ownership over enrolling their devices, adding new devices as well as completing any other general task without IT intervention will decrease the number of support requests, allowing IT to spend more time on the organization s complex support issues and other technology priorities. Dragging the anchor: Reduce network strain Employees who bring personal devices to work need to rely on the corporate wireless network to connect their devices. Most networks buckle under the pressure of these added devices, resulting in slower or disrupted connection speeds and increased security threats. While the network must support the increased traffic on corporate sites and applications, organizations should also understand that some users are relying on the network to access personal content which can include high-volume requests for video streaming or updating an operating system. Organizations lack visibility into their end-user activity, as 37 percent of IT leaders and 39 percent of IT professionals claim their site visits are not monitored. By gaining insight into the demands on the network, organizations can properly limit activity and ensure the network can respond appropriately. IT leaders and IT professionals report that nearly one-third of organizations (31 percent) currently don t restrict access to personal content or limit website visits, compromising their network s ability to handle their volume needs. An effective BYOD policy will determine how users can access the network, including which sites and applications are available on the corporate network. By placing parameters on the information available for download, organizations can reduce strain on and leverage the network for the transactions that need to occur. TEKsystems.com 5
Learning the ropes: Provide end-user education Finally, organizations should optimize their best weapon to ensuring BYOD success: their workforce. Most IT leaders and IT professionals claim to understand their organization s overall stance on BYOD, at 73 percent and 78 percent, respectively. But nearly one-quarter of IT leaders (22 percent) and 11 percent of IT professionals report that they don t understand the risks associated with BYOD, indicating that further education is needed. Only 36 percent of IT professionals claim that their organizations offered mandatory training on BYOD. An educated employee will be more inclined to follow the company policy and will take more responsibility for protecting company data. Organizations need to offer mandatory training, tailored to the needs and learning styles of their workforce, to teach employees how to protect sensitive data and understand the importance of security compliance. As the technology landscape is continually changing, training courses must also be updated and relevant, and employees should be required to take continuing education to stay knowledgeable on the latest changes to corporate policy. Only 36% of IT professionals claim that their organizations offered mandatory training on BYOD Arriving at Port: Conclusion The momentum of BYOD continues to penetrate the workplace. Like a sea captain and his crew, organizations and IT leadership can only take precautions that are within their control. Establishing a successful BYOD policy is critical for businesses to proactively rise to the challenge and embrace BYOD as an opportunity. Implement a policy that speaks to the unique needs of the business, culture, user population and data at risk. Consider the nature of company data users have access to and determine what parameters and user controls need to be in place to protect that data. It s important to also take into account the conditions of IT infrastructure and support. To reduce network strain and mitigate additional pressure on IT help desk support--two potential negative impacts stemming directly from BYOD organizations should take proper measures and setting expectations around usage. Ultimately, having a successful BYOD presence relies on the cooperation and partnership of organization decision-makers and employees. End-user education initiatives will ensure your BYOD strategy stays on course. TEKsystems 7437 Race Road, Hanover, MD 21076 888.835.7978 www.teksystems.com TEKsystems, Inc. is an Allegis Group, Inc. company. Certain names, products and services listed in the document are trademarks, register trademarks, or service marks of their respective companies. Copyright 2013 TEKsystems, Inc. All Rights Reserved.