Implementing a BYOD Strategy: 10 Mistakes to Avoid

 
 
By Chris Preimesberger | Posted 2013-07-08
A bring-your-own-device (BYOD) strategy is an approach that allows employees, business partners and others to use personally selected and purchased client devices to execute enterprise applications and access data. It typically spans smartphones and tablets, but the strategy may also be used for PCs, including netbooks, notebooks or other portable connected devices. "BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades," said David Willis, vice president and distinguished analyst at Gartner. "The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs." However, like anything else disruptive in business, there are many pitfalls if an enterprise—no matter what size—doesn't plan its BYOD strategy accordingly. For example, one of the major issues is that most mobile devices are designed to share data in the cloud and have no general-purpose file system for applications to share, increasing the potential for data to be easily duplicated between applications and moved between applications and the cloud. Here are 10 mistakes to avoid when implementing a BYOD strategy. Resources for this eWEEK slide show include Pankaj Gupta, president and CEO of telecom and mobile management provider Amtel, Gartner Research and eWEEK reporting.

 
 
 
  • 1. Relying on Public App Stores

    While Apple's App Store and Google Play provide easy distribution for public apps, you need a private enterprise app store for delivering all of the enterprise content securely, whether it is internally developed custom apps, purchased apps from ISVs, or mobile apps for access to cloud-based services such as Salesforce.com or Box. The enterprise app store presents a private mobile apps catalog that employees can use to download and refresh enterprise mobile apps. Publishing apps to your enterprise app store allows you to containerize corporate data without disclosing it to a third party such as Apple or Google, and without cumbersome approval processes.
  • 2. Rigid Policy on Public Apps

    To gain control over public apps used by employees, organizations sometimes publish a "whitelist" catalog of approved market apps and preclude all other public apps. However, this approach won't work for BYOD, since these are personal devices. You need a more flexible, less-restrictive policy that treats the whitelist only as the catalog of recommended apps and does not automatically block all other public apps.
  • 3. Blacklist: One Size Fits All

    Organizations should blacklist and block malicious or rogue apps and malware and take immediate action to close security holes. In a BYOD environment, you'll find many apps that may add risk or decrease employee productivity. Such apps may include cloud storage apps that can cause data leakage; social media or games that waste time or bandwidth; and apps that display offensive content in violation of corporate policy. It's a mistake to use a heavy-handed one-size-fits-all policy and apply the same action to all these different categories of apps. Define actions for specific blacklisted app categories or apps and take a flexible approach that fits the corporate culture for compliance management in a BYOD environment.
  • 4. Big Brother Stigma on Location Tracking

    Since BYOD devices are used for both personal and business purposes, some companies are reluctant to use any kind of location tracking on such devices, in deference to employee privacy. However, organizations have every right to restrict the use of such devices within time and location boundaries. Location tracking can be enabled automatically at work locations or upon access to corporate networks. And "geo-fencing" restrictions on apps may be appropriate. For example, blocking apps such as Facebook at the work location but not elsewhere helps increase productivity while providing flexibility and promoting employee satisfaction.
  • 5. Insufficient Access Control

    Employees may use BYOD devices to run mobile apps that access enterprise data over the network, posing risks of data loss, data corruption or unintended disclosure of sensitive information. Without additional mobile-specific security and access-control policies and mechanisms, the risk of a data breach or loss in such an environment increases. The starting point for securing enterprise resources is user authentication, authorization and access control. In some cases, app security warrants encrypting all data traffic and even wrapping apps with an additional authentication layer. Do you have such precautions in place?
  • 6. Not Banning Rogue Devices

    If you're going to allow BYOD devices to access corporate data, you're going to have to put some standards in place. You don't have to go back to the old BlackBerry-only days, but surely you cannot allow jail-broken iPhones and rooted Android devices to access enterprise data resources and expose the organization to malware and virus attacks. Standard configuration settings need to be enforced. To simplify this, you may need to restrict the types of devices supported by the BYOD program, so that you don't end up spinning your wheels trying to support an arcane semi-smart phone. You'll also want to make sure that mandatory apps are installed and stay installed, being restored even if a user removes them, whether deliberately or by mistake.
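The per-category blacklist actions (mistake 3), the ban on rooted or jail-broken devices, the restriction to supported device types and the persistence of mandatory apps (mistake 6) can all be expressed as one small compliance evaluator run over what an MDM agent reports. The following is an added example written for this page, not code from the article, from Amtel or from any MDM product; the device fields, app identifiers, blacklist categories, minimum OS versions and action verbs are all assumptions chosen for illustration, and the sample inventory is constructed.

```python
"""BYOD device and app compliance evaluator (added example; all identifiers are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed minimum supported OS per platform: the BYOD program only supports these.
MIN_OS: Dict[str, Tuple[int, int]] = {"ios": (6, 0), "android": (4, 1)}

# Apps that must be present on every enrolled device; anything missing is re-pushed.
MANDATORY_APPS: Set[str] = {"com.example.enterprise-store", "com.example.secure-mail"}

# Blacklist entries carry a category, and each category has its own action,
# instead of one blanket "block" applied to everything (assumed app ids/categories).
BLACKLIST: Dict[str, str] = {
    "com.example.keylogger": "malware",
    "com.example.personal-drive": "cloud_storage",
    "com.example.social-feed": "social",
    "com.example.nsfw-viewer": "offensive",
}
CATEGORY_ACTIONS: Dict[str, str] = {
    "malware": "block_access",     # close the hole immediately
    "cloud_storage": "warn_user",  # leakage risk, but personal use is tolerated
    "social": "geofence",          # block only at the work location
    "offensive": "notify_hr",      # a policy matter handled by people, not software
}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    rooted: bool        # jail-broken iPhone or rooted Android
    apps: frozenset     # installed app ids as reported by the agent
    location: str       # "office" or "remote", as reported by the agent


@dataclass(frozen=True)
class Finding:
    device_id: str
    rule: str
    action: str
    detail: str = ""


def evaluate_device(dev: Device) -> List[Finding]:
    """Return the compliance actions for one device, most severe first."""
    # Rooted/jail-broken: deny enterprise access outright; nothing else matters
    # until the device is back on a standard configuration.
    if dev.rooted:
        return [Finding(dev.device_id, "rooted_device", "block_access")]

    # Outside the supported platform/version set: refuse enrollment rather than
    # spend effort supporting it.
    min_os = MIN_OS.get(dev.platform)
    if min_os is None or dev.os_version < min_os:
        return [Finding(dev.device_id, "unsupported_device", "deny_enrollment",
                        f"{dev.platform} {dev.os_version}")]

    findings: List[Finding] = []
    # Mandatory apps must persist: anything missing is queued for re-install.
    for app in sorted(MANDATORY_APPS - dev.apps):
        findings.append(Finding(dev.device_id, "mandatory_app_missing", "reinstall", app))

    # Blacklisted apps get their category's action; geofenced categories are
    # resolved against the device's current location.
    for app in sorted(dev.apps & set(BLACKLIST)):
        category = BLACKLIST[app]
        action = CATEGORY_ACTIONS[category]
        if action == "geofence":
            action = "block_app" if dev.location == "office" else "allow"
        findings.append(Finding(dev.device_id, f"blacklist:{category}", action, app))
    return findings


def evaluate_fleet(devices: List[Device]) -> Dict[str, List[Finding]]:
    return {d.device_id: evaluate_device(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Device("byod-01", "ios", (6, 1), rooted=True,
           apps=frozenset(MANDATORY_APPS), location="office"),
    Device("byod-02", "android", (4, 2), rooted=False,
           apps=frozenset({"com.example.secure-mail", "com.example.social-feed"}),
           location="office"),
    Device("byod-03", "android", (4, 2), rooted=False,
           apps=frozenset(MANDATORY_APPS | {"com.example.social-feed",
                                            "com.example.personal-drive"}),
           location="remote"),
    Device("byod-04", "symbian", (9, 4), rooted=False,
           apps=frozenset(), location="remote"),
]

if __name__ == "__main__":
    for device_id, findings in evaluate_fleet(SAMPLE_FLEET).items():
        for f in findings:
            print(f"{device_id}: {f.rule} -> {f.action} {f.detail}".rstrip())
```

The ordering inside `evaluate_device` is the point: a rooted device or an unsupported platform short-circuits everything else, while on a healthy device the same blacklisted social app produces `block_app` at the office and `allow` elsewhere, so one blacklist serves several categories without a single blanket action.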
  • 7. Ineffective Policy Compliance

    Enterprises put policies in place for a reason: to ensure security, protect resources, reduce risks and control expenses. Are your policies sufficient to do this? Can you detect and stop misuse, respond to violations and compliance issues, and quickly remediate? Without continuous monitoring, follow-up on exceptions and alerts, and automated or manual remediation actions, policy compliance can't be achieved. Are dashboards being monitored? Are reports being generated and reviewed by appropriate personnel? Are alerts being heeded? Do you have exception handling, remediation, escalation and audit processes in place?
  • 8. Weak Security

    Basic authentication and password controls are in place, but is that enough? Are you managing passwords and enforcing policy? Have you defined user profiles with access rights and restrictions? Do you have processes in place for catching exceptions, alert mechanisms and remediation? Do you track where devices are, where they've been and where they are going at any point in time? Do you have the capability to lock and wipe content, apps and passwords on lost or stolen devices?
  • 9. Fully Wiping a BYOD Device

    When a corporate-liable device is lost or stolen, you can remotely locate and wipe the device. But to do so to a BYOD device without employee permission would be a mistake. So how do you protect corporate apps and data on such devices? By selectively wiping the device, erasing only the enterprise apps and data (the corporate contacts in Outlook and the Exchange email, for example) and leaving the personal information intact. This also comes in handy when an employee leaves the company and you need to remove apps and data from her BYOD device.
  • 10. Not Tracking Usage

    Are you tracking how much talk, text, data and roaming usage is occurring for both corporate-liable and BYOD devices? Usage monitoring, threshold-based alerts and analytics can help uncover misuse and security exposures and prevent cost overruns due to excessive data bandwidth usage, unexpected international roaming charges and so on. After policy threshold levels are set up, you can alert users upon exceptions. You can set up policies to enable users to remediate and change plans automatically when warranted to save money on data plan and roaming overages. Through usage monitoring, you can also ensure that you are not paying BYOD stipends on "zombie" phones that show zero usage.
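The threshold-based alerts, plan-change recommendations and "zombie" stipend check described above, run over a few months of per-device usage records. This is an added example written for this page, not code from the article, from Amtel or from any carrier or MDM product; the record fields, threshold values, plan sizes and the simple trend rules are assumptions, and the monthly records are constructed.

```python
"""Usage monitoring with threshold alerts for corporate-liable and BYOD devices
(added example; field names, thresholds and rules are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

DATA_WARN_RATIO = 0.8   # alert the user at 80% of the plan's data allowance
ZOMBIE_MONTHS = 2       # months of zero usage before a paid stipend is questioned
TREND_MONTHS = 2        # consecutive months a trend must hold before suggesting a plan change
UNDERUSE_RATIO = 0.25   # sustained usage below 25% of the plan suggests a cheaper plan


@dataclass(frozen=True)
class UsageRecord:
    device_id: str
    month: str          # "YYYY-MM"
    liability: str      # "corporate" or "byod"
    plan_data_mb: int
    data_mb: int
    roaming_mb: int
    voice_min: int
    texts: int
    stipend_usd: float  # monthly BYOD reimbursement, 0 for corporate-liable devices


@dataclass(frozen=True)
class Alert:
    device_id: str
    month: str
    kind: str
    detail: str


def monthly_alerts(rec: UsageRecord) -> List[Alert]:
    """Threshold checks that need only a single month's record."""
    alerts: List[Alert] = []
    if rec.plan_data_mb > 0 and rec.data_mb >= DATA_WARN_RATIO * rec.plan_data_mb:
        kind = "data_overage" if rec.data_mb > rec.plan_data_mb else "data_warning"
        alerts.append(Alert(rec.device_id, rec.month, kind,
                            f"{rec.data_mb} of {rec.plan_data_mb} MB"))
    if rec.roaming_mb > 0:
        # Any international roaming data is worth a look before the bill arrives.
        alerts.append(Alert(rec.device_id, rec.month, "roaming", f"{rec.roaming_mb} MB"))
    return alerts


def all_alerts(records: List[UsageRecord]) -> List[Alert]:
    return [a for rec in records for a in monthly_alerts(rec)]


def _by_device(records: List[UsageRecord]) -> Dict[str, List[UsageRecord]]:
    grouped: Dict[str, List[UsageRecord]] = defaultdict(list)
    for rec in records:
        grouped[rec.device_id].append(rec)
    for recs in grouped.values():
        recs.sort(key=lambda r: r.month)   # "YYYY-MM" sorts chronologically as text
    return grouped


def zombie_devices(records: List[UsageRecord]) -> List[str]:
    """Devices still drawing a stipend with no usage at all in the last N months."""
    zombies = []
    for device_id, recs in _by_device(records).items():
        recent = recs[-ZOMBIE_MONTHS:]
        if len(recent) < ZOMBIE_MONTHS:
            continue
        idle = all(r.data_mb + r.roaming_mb + r.voice_min + r.texts == 0 for r in recent)
        paid = any(r.stipend_usd > 0 for r in recent)
        if idle and paid:
            zombies.append(device_id)
    return sorted(zombies)


def plan_recommendations(records: List[UsageRecord]) -> Dict[str, str]:
    """Suggest a plan change when a usage trend holds for TREND_MONTHS in a row."""
    zombies = set(zombie_devices(records))   # those need a stipend review, not a new plan
    recommendations: Dict[str, str] = {}
    for device_id, recs in _by_device(records).items():
        recent = recs[-TREND_MONTHS:]
        if device_id in zombies or len(recent) < TREND_MONTHS:
            continue
        if all(r.data_mb > r.plan_data_mb for r in recent):
            recommendations[device_id] = "upgrade_plan"
        elif all(r.plan_data_mb > 0 and r.data_mb < UNDERUSE_RATIO * r.plan_data_mb
                 for r in recent):
            recommendations[device_id] = "downgrade_plan"
    return recommendations


# Constructed sample records (not real billing data).
SAMPLE_RECORDS = [
    UsageRecord("corp-01", "2013-05", "corporate", 1000, 700, 0, 300, 80, 0.0),
    UsageRecord("corp-01", "2013-06", "corporate", 1000, 950, 0, 280, 90, 0.0),
    UsageRecord("byod-01", "2013-05", "byod", 1000, 1200, 0, 400, 120, 40.0),
    UsageRecord("byod-01", "2013-06", "byod", 1000, 1500, 80, 350, 100, 40.0),
    UsageRecord("byod-02", "2013-05", "byod", 1000, 0, 0, 0, 0, 40.0),
    UsageRecord("byod-02", "2013-06", "byod", 1000, 0, 0, 0, 0, 40.0),
    UsageRecord("byod-03", "2013-05", "byod", 2000, 100, 0, 50, 10, 40.0),
    UsageRecord("byod-03", "2013-06", "byod", 2000, 150, 0, 60, 12, 40.0),
]

if __name__ == "__main__":
    for a in all_alerts(SAMPLE_RECORDS):
        print(f"{a.device_id} {a.month}: {a.kind} ({a.detail})")
    print("zombies:", zombie_devices(SAMPLE_RECORDS))
    print("plan changes:", plan_recommendations(SAMPLE_RECORDS))
```

The single-month checks are what feed a dashboard or a user notification; the multi-month functions are the analytics the slide refers to, and the zombie check is deliberately excluded from plan recommendations so that an idle phone is flagged as a stipend question rather than quietly moved to a cheaper plan.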
 
 
 
 
 
 
 
 
 
 
 
