We're starting to see many organisations choosing not to leap directly to Bring Your Own Device strategies and instead choosing the more cautious approach of Choose Your Own Device, where users select their chosen device from a range of approved products that are able to connect to the company's infrastructure, run the appropriate anti-virus software etc. Because the devices are corporately-owned and controlled by the IT department, it's not a huge change from traditional ways of IT management. Supporting a wider range of end-point devices will increase IT costs but could increase business efficiency by allowing the organisation to adopt new form factors and mobility options.
BYOD is a little more complex.
Businesses looking at bringing in a BYOD strategy need to consider three main layers in order to make it work:
Setting up this type of environment involves substantial costs and so may not be suitable for every business. However these costs could be balanced by savings if, for example, your business has high numbers of contracting staff who could be asked to use their own IT equipment. IT costs may also be reduced with BYOD policies requiring employees to take responsibility for their devices.
The benefits of creating an infrastructure that is built for BYOD architectures lie mainly in the ability of the business to introduce new technologies more readily and to provide greater flexibility and choice to the work force, enabling employees to select and use the solutions that best suit them without substantial IT support cost increases.
The biggest risk BYOD poses to businesses is, of course, security. If you're going to have a free flow of devices connecting to your network, you need to ensure your information is protected. We'll see data rights management software coming much more to the fore as the BYOD/CYOD trend continues.
Implementing software controls is essential when allowing corporate data to be downloaded on to personal devices not directly owned by the organisation. For Mobile Devices software such as Mobile Iron can work in conjunction with identity services solutions to enforce policies on BYOD devices, allowing certificates and policies to be applied once the owner of the device agrees to the corporate data protection policy.
If the device owner refuses to accept the security policy, then their access is curtailed. Once accepted, the security policy allows the organisation to enforce password controls, encryption and enables the IT management team to erase device settings and data in the event of theft.
It's also important to develop a watertight, legal policy in place that ensures employees using their own devices are aware of their responsibilities and liabilities. For example, the contract should be very clear about the responsibility of the employee to maintain and pay for their device if broken and to ensure that all software is kept up to date, patched and that virus protection is maintained at all times.
Tim Patrick-Smith, CIO Getronics UK