The era of IT departments mandating specific hardware, operating systems, or technologies is quickly eroding. In its place a new culture is growing where employees are granted more autonomy—and given more responsibility—for their own technology.
If you’ve been to enough parties you’re probably familiar with the term BYOB—a common acronym of the phrase “bring your own beer”. Well, a similar acronym has emerged in recent years as one of the hottest buzzwords in technology: BYOD, or “bring your own device”. Let’s take a deeper look at BYOD, what it is, and the forces that are driving it.
Bring Your Own Definition
The first question to ask is simply, “what is BYOD?”
In a nutshell, BYOD is the idea of allowing employees to use their own laptops, smartphones, tablets, or other devices in a work environment. Instead of the IT department mandating specific hardware or technologies, users are free to use the platforms and gadgets they prefer.
BYOD vs. Consumerization of IT
BYOD is often confused with another trend—Consumerization of IT. Though related, these two topics really have a different pivot or focus. Consumerization refers to consumer technology that bridges over into the workplace – with the original product features and function being optimized towards consumer needs. Broadly, this means that IT departments must manage devices that were not optimized for enterprise management requirements.
BYOD is part of consumerization in that it involves using consumer technologies in a work setting, but the focus is on the employee using devices originally purchased for personal use. Because the devices are not purchased or owned by the employer, BYOD raises significant questions about maintenance, as well as some tough policy questions concerning data and applications on the device.
Origins of BYOD
The popular perception is that the BYOD revolution was sparked by the advent of Apple’s iPhone. The iPhone, and subsequently the iPad, are certainly catalysts that have contributed to the accelerated adoption of BYOD policies in many organizations, but the concept of users wanting to choose their own devices, or use their own personal PCs to get work done, predates these devices – it is just that recently the percentage of these types of devices in use has grown significantly. Corporate philosophy has had much to do with driving BYOD as well.
Companies’ IT support policies have been pushing employees to be more independent and autonomous for decades. For years, IT Pros have opted to upgrade sooner and self-manage to get the benefits of new versions of products. It is frustrating for employees to know that a given task can be accomplished faster or easier using a different Web browser, operating system, or application, yet be handicapped by the “supported products” dictated by the IT department.
In the wake of those traditional policies, mobility entered the picture for information workers. Instead of being tethered to a desk sitting in a cubicle, workers are increasingly getting work done remotely—from home offices, corner coffee shops, airports, and hotel rooms. Users outside of the office don’t have the same access to IT resources or support, and that has further fostered the need to be self-reliant.
Even in organizations where the IT department still mandates specific operating systems, hardware platforms, and mobile devices, rogue employees have worked around those requirements to get the job done. Nomadic employees embrace the concept of being independent and autonomous, and manifest it by sometimes ignoring company policy and choosing the tools that help them be more effective, and work more efficiently.
Pros and Cons
BYOD comes with distinct advantages, as well as unique drawbacks for both organizations and individuals. From the standpoint of the IT department, BYOD is generally seen as a cost-cutting measure because the burden of supplying the equipment is shifted to the employees. Some organizations subsidize BYOD policies with a per diem to offset the costs for users, but it still results in lower costs by relieving IT of its traditional role of maintenance and support.
Another advantage of BYOD is that individuals tend to upgrade and embrace new platforms and technologies much faster than businesses. The organization benefits from being able to take advantage of cutting edge tools and features without the pain of deploying a hardware refresh to the entire company.
From the user’s perspective, BYOD means using devices and applications that are more familiar, and which the user is more comfortable with. Being able to choose their own hardware and platforms creates more satisfied and productive workers.
There are also some significant downsides to consider, though. The organization has to address the fact that rogue devices outside of the control of the IT department might connect with corporate data and network resources, and the users have to accept the fact that BYOD comes with some policies that may limit their freedom with their own device.
BYOD Risks
There are some hurdles that organizations need to cross in order to effectively implement BYOD. The risks associated with allowing users to bring their own computers or mobile devices into the work environment vary depending on geographic region, the industry the company works in, and even the specific job role within a company.
Businesses that operate in specific industries—like healthcare or finance—fall under strict regulatory compliance mandates. SOX, HIPAA, GLBA, PCI-DSS, and other compliance frameworks outline which data must be protected, and provide basic guidelines for how that data should be protected. The obligation to comply with these directives doesn’t change just because the data is moved from company-owned equipment to employee-owned devices in a BYOD situation.
There are frequently reports of sensitive customer or employee data being potentially compromised as a result of a laptop being taken from an unlocked car, or company data being compromised by an employee leaving a smartphone in a taxi. IT admins need to have BYOD policies in place to protect data no matter where it resides—even on devices that aren’t owned or managed by the company.
The challenges of BYOD are not necessarily a reason to ban the practice altogether, though. The trend has significant momentum, and there are a number of benefits for both companies and users. The trick is for both to understand the advantages, as well as the issues, and to employ BYOD in a way that works for everyone.
Join me for the next part of this BYOD series in a few days, when I dig into a deeper look at BYOD from the employee perspective.
Best regards, Jeff (@securityjones)