BYOD
Strategy and governance rather than uncontrolled proliferation
“Bring your own Device” only works without risk to the company if the use of private mobile devices for business purposes is clearly regulated and based on a comprehensive strategy.
Text: Urs Binder, Image: Strandperle,
Personal devices are part of everyday life for virtually all of us. What, then, is more natural than to use your own smartphone, tablet or laptop for business purposes as well – after all, you don’t always want to carry around two of the same device just to make business as well as private calls or to have access to company documents while travelling. And, as market researchers from MSM Research found out in a recent survey, mobility is one of the most important topics in ICT in Switzerland, as elsewhere.
Consequences for the entire company
“Bring your own Device” (BYOD) is often initiated by employees and presents various challenges for the whole company. Management, organisation and technology are equally called upon to prevent the uncontrolled proliferation of devices brought in by employees, which entails considerable security risks. With BYOD, companies are experiencing new working methods, and the culture is changing. This fact alone means that BYOD cannot be allowed to remain a simply technical issue; instead, it must be borne by management and embedded in the organisation right from the start.
Diverse aspects
The question of how the devices should be integrated into the company network always arises; however, this is only one of many issues. Without a strategy which is adapted to the company situation, and without clearly formulated rules, the expected advantages of BYOD – increased productivity and employee satisfaction, improved cooperation and, last but not least, cost saving by eliminating company devices – will not come into effect.
Specifically, BYOD affects several levels in the company:
- Technology: the technical integration of the devices and authentication of users must be ensured.
- Processes: processes such as onboarding of new devices or software development, operation and maintenance must be adapted or redefined.
- Security: data confidentiality must remain guaranteed even on personal devices. Confidentiality of company information must be ensured.
- Corporate culture: the question of who should or may use BYOD at all is central, since neither forcing people to use their own devices nor a general right to BYOD are advantageous.
- Legal aspects: legal requirements must be observed, and company policies must be clearly regulated – for example, whether the company or the employees are responsible for maintenance of the devices and software, or what happens when an employee leaves the company.
Technical requirements
One thing is clear: private and company usage must be separated on the mobile devices. This is because people are generally less careful about how they deal with private data, whereas business information requires greater security: it is often confidential and subject to certain legal framework conditions. It usually requires data storage in Switzerland – and not, for example, storage in Dropbox or another cloud solution whose server is located outside Switzerland.
Two separate approaches are pursued to ensure this separation. Either the devices are looked after by a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution. A strictly separated area for business use is installed on the device. Exchange of data between the private and business areas is prevented. But even if MDM and EMM present adequate security, business data are still located on a device which can potentially be hacked.
The second approach involves a sophisticated onboarding process for new devices. The users are supported by a digital assistant which secures compliance with password and other governance directives, as well as the configuration of the device. Separation between private and business use is guaranteed by a virtual workplace: business applications and business data are only accessible via access to this virtual desktop, which is secured by strong authentication. All the data are kept in the cloud and are available independently of time or place. If possible, no business data are stored locally on the device.
Security and governance at the centre
For the purposes of BYOD, security has two meanings: firstly, the secure, encrypted access from personal devices to the company’s network, supported by strong authentication and a suitably adapted ICT security strategy.
Secondly, the security of the data: only authorised persons are allowed access. In order to ensure this, the company has to know which data are there in the first place. On this basis, the data can be classified according to their confidentiality. Depending on classification, the employees then require different strengths of authentication – for non-confidential, general information, for example, a user ID and password are sufficient, whereas documents including customer data have to be secured with at least one further authentication factor.
At the same time, it is indispensable to sensitise employees continually about security aspects with training and tests – as well as technological aspects, they need to know where it is permissible to work with confidential information and where it is not.
Comprehensive security is, for instance, essential for legal reasons. According to Article 7 of the current Swiss Data Protection Act, the employer must ensure data security by means of suitable technological and organisational measures.
BYOD in the company: 3 tips from experts
Classification
First, give careful consideration to the value that the different data represent to the company. Work out a concept for classification of information and documents.
Governance
Work out a clear, codified BYOD policy for employees.
Strategy before implementation
You should only create the technical requirements after it is clear how your company will regulate BYOD.
Newsletter
Would you like to regularly receive interesting articles and whitepapers on current ICT topics?
More on the topic
