BYOD or Bring Your Own Device, is a practice that challenges IT and Security Departments of enterprises globally. Ever since 2009 when BYOD was what the cool kids in Silicon Valley did, this stealthy revolution has been stalking businesses large and small. Whilst large companies see the potential and all the security pitfalls, for small companies BYOD can be the only way they can operate. When Layer 8, was at the conceptual stage, and before we had any real clients, we had no choice BUT to use our own devices for business purposes.
What I am I talking about? Bring Your Own Device (BYOD) is basically the concept of using your personal device (phone, tablet, etc) for work purposes, e.g. your emails, or company tweeting etc. For a long time, corporates have been able to segregate their IT by providing corporate phones and laptops. But now, we operate in a different world, one where the lines between our working day and our personal/social day are blurred adding new security vulnerabilities into our working lives.
So, why’s that a problem? If you can draw a distinct line between work and personal, then, you can segregate the data, impose rules and standards for company owned IT equipment. But can you do the same with a device if it doesn’t belong to the business? Perhaps the bigger question here is – can you stop employees using their own devices either at work, or for work-related purposes?
Two things businesses have grudgingly had to accept over the last decade are:
- Personal devices are being used in businesses, of any size, and
- if ignored they present a security risk to businesses, of any size.
OK, we’re through denial and we’ve realised we need some kind of strategy for personal devices, but what to do?
Option 1 – Go Traditional!
What do we do in situations like this? Start researching tech options, put a list of rules together, involve a few others in the IT department? Then bowl up to the board meeting introducing our BYOD strategy and ready-made Acceptable Use Policy.
Now it may be that the board is sympathetic to BYOD, having been persuaded that it drives up productivity, but they may be less enthusiastic about having to invest in the costly and complex process of securing personal mobile devices. They may be happy to see that something is being done and conclude that the IT strategy is the way forward.
Then rollout your policy to employees who have already worked out their own unofficial BYOD strategy and they like it better than what they see as top-down interference in something that’s working fine. After a bit of resistance, they pay lip-service to your AUP but work out ways around it, because IT – as usual – are just hampering productivity.
The crucial absence in this process is collaboration, ensuring that what is agreed at board level is adopted throughout the business. Oh, and with this approach, security gets sidelined as a ‘blocker’ by employees, rather than being discussed as an individual responsibility that comes with BYOD.
Option 2 – Try Something New!
If you skipped straight to Option 2, well done – you are way ahead of some! The Option 1 route is often favoured because it seems the quickest route to getting something done, e.g. tell people how it will be and impose it.
Although it might seem quicker to get the ball rolling and allow the problems and delays to come later, you’re just delaying the inevitable. Conversation sits at the heart of change, and that means acknowledging the need to collaborate.
Imagine a different scenario, one where you start not at the ‘top’ but with employees across the business. You explain some of the difficulties and challenges regarding the need to use personal devices to make business productive whilst maintaining the security of data available on and via those devices.
This collaborative process allows you to ask questions, find out what people use their devices for, what drives them to the personal rather than the corporate device. You are able to note who appears to be a good advocate, and recruit them as people who can help collaborate in the development of a coherent strategy and acceptable use policy for personal devices.
Imagine then going to that board meeting where people sitting round the table already know what’s coming because they, or their reports, have been involved in the creation. Every question about productivity and how it can affect processes can be answered, in fact you might choose to present alongside a few others from the business that have been part of creating your BYOD policy.
Join Layer 8 at 11AM on the 27th June where we will be discussing cases studies from organisations who have created BYOD policies that work. We will be joined by Kate Russell, Managing Director at Russell HR Consulting https://russellhrconsulting.co.uk/ , an expert in HR who names engagement and interaction as the missing link in cybersecurity, and more importantly reveals what we must do to connect that link!
Register and listen for free: https://layer8ltd.co.uk/webinars