Mobile network Sprint has thrown its hat into the long-running BYOD conversation with an on-topic whitepaper. The conversation is gaining more traction at industry conferences and events, as more companies address the reality of employees bringing their own devices to work.
One of the most pressing potential implications for this "BYOD revolution" is data security. Without a concerted effort towards managing this trend, companies leave themselves open to device-based data theft.
Lost devices and unsecured networks are two areas where potential thieves could engage and remove sensitive information. The ease of a snatch-and-run theft also makes devices an easy target for thieves seeking access to specific networks.
Sprint - which has a vested interest in ensuring that companies learn how to manage the BYOD trend - has offered up 10 key steps to address employees who want to bring their own devices.
Gaining buy-in, especially related to new technologies, is one of the most difficult and delicate processes for organizations of all sizes. Not everyone has the same needs or understanding of technology, and yet nearly everyone has devices for both business and personal use.
The following approach, while clearly a brand push for Sprint, is a measured, intelligent and thoughtful roadmap for any tech/IT manager looking to bake BYOD into any company.
The prescribed steps to delivering a successful BYOD program are as follows:
Talk to everyone. In order to understand what different stakeholders want in a BYOD policy, talk to them.
Not every employee, department, or sub-group will have the same needs and interests. Some might have specific use cases that are not shared by others, and there will be gaps in coverage if these different uses are not addressed. These gaps will cause non-compliance, thus negating the point of an enforceable policy to begin with.
Choose your devices. BYOD doesn't have to mean all devices.
There must be an approved device list, tied to the reasoning for selecting or not selecting each device. Being able to support the devices is essential, because there might be a disconnect if an IT department doesn't know a particular device.
Security is essential. The main driver behind a cohesive, company-sanctioned BYOD policy is device, data and network security.
By creating an approved device list, a company can then learn how to protect the device, its data, and any network access from unauthorized parties. This is absolutely essential - and if not addressed, leaves gaping holes for malicious attackers to gain system access.
Even vanilla permissions don't necessarily protect a network, as a smart hacker can move beyond a user's permissions after gaining access to the broader internal network. Mobile Device Management is essential here, as this allows remote access to devices - for example, to deploy a remote wipe in the case of theft.
Go cloud. Sprint rightly points out that the cloud offers enhanced security, as the data is not stored locally and a password can be swiftly changed in case of compromise.
Of course, this then centralizes a massive amount of information on servers elsewhere, opening up a new - and far more lucrative - target for unauthorized access. Take this with a grain of salt and understand that the cloud does make device and data management easier, but not without its own issues.
Be flexible. This allows everyone to feel engaged and able to own the program.
Talk to everyone again. After going through these steps, and educating employees on the policy in development, it's important to listen again to stakeholders to ensure the policy is on point. Again, a bad policy will simply breed non-compliance and will be a waste of time.
Make contracts. This is an often overlooked step, in which each user signs up to the program. This allows for a learning moment, as each employee must understand and sign an agreement related to the BYOD program.
Soft rollout. Test the program in stages with larger and larger groups, so the policy can be analyzed.
Always evolving. Just like consumer tech, approach the policy annually to be sure it still meets the needs of both employees and company.
Account for attrition. Finally, be sure to have a policy for when an employee leaves. What happens to any user data stored on the phone? What about network access? Passwords? All of these items must be accounted for and not overlooked at the end of an employee's tenure.
Read the full report here.
NB: Device confusion image courtesy Shutterstock.