BYOD: Easing the Trepidation
May 25, 2012
Are you ready to tell your employees to "bring your own device" to work?
Consider the experience of Stadion Money Management, a $5.4 billion asset manager that implemented its own policy roughly 10 months ago.
Roughly 55 of Stadion's 65 employees now access emails, edit documents and otherwise do work from their own mobile devices. Almost none of its sales people have laptops. The firm, in fact, plans to eventually eliminate conventional office desktop computers. Instead, employees will access a "virtual desktop" that looks the same and has all the same capabilities, accessible from any device, anywhere.
Michael Chlan, who serves as both Stadion's chief technology and chief operating officer, says the policy has led to nearly a 50% reduction in support costs for employees who travel extensively.
"It costs far less to support mobile devices or even multiple mobile devices than laptops," he says. "It has been a big win for us."
The movement toward allowing employees to bring their own devices to work, instead of assigning them company-purchased hardware, is booming. According to a May survey conducted by Cisco Systems Inc. of 600 information technology and business executives, 95% of the respondents said their firms have implemented a BYOD policy in some form. Further, 84% of the respondents said they provide support of some kind for employee-owned devices. For example, Stadion reimburses part of the data usage charges.
"Within the financial services industry, there is a tremendous amount of interest in BYOD," says Sam Ganga, executive vice president of IT strategy firm DMI Enterprise Solutions.
The key, experts say, is developing policies and using technology that adequately manage risks such as keeping company, customer and transaction information secure.
"At the back of all this interest in BYOD there is also a little trepidation," says Ganga. "Companies aren't really sure what this trend means in terms of risk management, and all of our discussions with companies on this have been about risk management."
A good BYOD strategy needs to address a wide variety of risks. Steve Durbin, global vice president of the Information Security Forum, breaks them down into four areas:
Governance: With no control over consumer devices, there is little visibility of usage, ownership and adherence to policies or compliance.
Users: With no control over working practices, users combine work and personal tasks and data, and work in unsuitable locations, risking loss and theft. Users can disable security features or inappropriately copy data.
Devices: Left unprotected and unmanaged, consumer devices are exposed to information security threats, including malware.
Applications and Data: In many cases the provenance of apps is unknown, and they are unlikely to have undergone formal development and testing.
Consequently, a good BYOD policy has many moving parts. Ganga says there must be a legal element, a human resource element as well as a solid technical/data security policy. These can include usage policies, employee agreements and in-depth analyses of which technologies best fit a company's security needs. For example, Ganga said that "we think HTML [HyperText Markup Language] 5 is going to be a winner here."
"To protect data, from a policy perspective, you have to delve into a level of detail that you never would have imagined necessary," he says.
The legal issues alone can be daunting, Ganga says. A key element of any mobile security policy is something called a "poison pill," in which all of the device's data is wiped should it be lost. Employees must agree to this.
Privacy is another issue, especially overseas. The European Union, and Germany in particular, have stringent personal data regulations.
Moreover, policies need to keep pace with tech advances.
"Mobile policies need to be revisited and revised with the adjunct that they be reviewed every year at a minimum given the pace of technological change in the market," says Douglas Louie, senior director, Product Marketing - Enterprise at Smith Micro Software. "Obviously, mobile policies written five years ago during the Blackberry [enterprise server] reign will not suffice in today's world."
These challenges weren't lost on Chlan and his Stadion team when they wrote their policy. All mobile devices must have data encryption capabilities, require at least a password for authentication, and be subject to the "remote wipe" application.
"We really needed to understand the security implications; that was number one," says Chlan. "If it isn't secure, we are not going to touch it."
His team developed Stadion's current in-house access application by working with one of the latest versions of Microsoft Exchange. Previously, they used a vendor system that allowed access to e-mails and documents, but not editing. Before that, they used Blackberry devices.
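As an added illustration, not Stadion's own configuration, the three controls Chlan describes (on-device encryption, a password to unlock, and remote wipe of a lost device) map directly onto Exchange ActiveSync mailbox policies. The snippet assumes an Exchange 2010 management shell; the policy name, mailbox address and notification address are placeholders.

```powershell
# Added example, not the firm's configuration. Assumes the Exchange 2010
# Management Shell; "BYOD-Baseline" and the addresses below are placeholders.

# 1. Define a policy that refuses devices unable to enforce its settings,
#    requires a password, locks on inactivity and requires device encryption.
$policy = @{
    Name                            = "BYOD-Baseline"   # placeholder policy name
    AllowNonProvisionableDevices    = $false            # reject devices that cannot apply the policy
    DevicePasswordEnabled           = $true             # at least a password for authentication
    MinDevicePasswordLength         = 6
    MaxDevicePasswordFailedAttempts = 10                # device wipes itself after repeated failures
    MaxInactivityTimeDeviceLock     = "00:05:00"        # auto-lock after five idle minutes
    RequireDeviceEncryption         = $true             # on-device data encryption
    RequireStorageCardEncryption    = $true             # removable storage encrypted as well
}
New-ActiveSyncMailboxPolicy @policy

# 2. Apply the policy to an employee's mailbox so every device syncing it
#    must provision (accept) these settings before receiving mail.
Set-CASMailbox -Identity "employee@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Remote wipe ("poison pill") for a lost device: list the devices that
#    sync this mailbox, then issue the wipe for the one reported lost.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "employee@example.com"
$devices | Select-Object DeviceType, DeviceModel, LastSuccessSync, Identity

# Identity of the lost device is taken from the listing above (placeholder index 0).
Clear-ActiveSyncDevice -Identity $devices[0].Identity `
    -NotificationEmailAddresses "security@example.com" -Confirm:$false
```

The wipe is queued on the server and executes the next time the device attempts to sync, so a device that never reconnects is not wiped; the encryption requirement in step 1 is what protects data in that case.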
Some firms like Fidelity Investments are comfortable with vendor data security systems. According to a spokesperson, Fidelity uses a third-party application that puts all company data and applications in a "sandbox" separating that content and activity from personal material. The "sandbox" provides access to corporate email, calendar and contacts on devices ranging from iOS to Android.
This leads to another critical issue, according to DMI's Ganga: user experience. Employees have high standards for convenience and usability. To promote widespread acceptance, tech staff have to pass this test.
"The intersection of user experience and security is now the rule of the marketplace," he says. "If I have to reboot my machine every time I move from my corporate environment to another environment, that is unacceptable."
However, technology executives say the rewards justify the headaches, and it's more than just savings in support or equipment purchasing. According to Louie at Smith Micro, for "traders and investment account managers, the ability to move around and not be shackled to a desktop has been a game changer."
"It's about access to information and data," he says.