The CTO & CIO's guide to 2021 BYOD Strategy
With the recent events of 2020, the BYOD (Bring your own device) model has grown exponentially more popular as a way for employers to provide work at home. In this blog, we will be going through some advantages of BYOD, the steps a CTO/CIO must take when planning out their BYOD deployment, and the risks associated with traditional BYOD.
Due to the events of 2020 and its unprecedented effects on the workforce, there is an increasing expectation that employers will be able to provide remote working to their employees. As such, the fast and scalable nature of BYOD is extremely attractive.
That said, with such a widespread impact on corporate stakeholders that the pandemic had, Chief Technology Officers and IT Architects are under more scrutiny than ever when it comes to BYOD strategy, policy implementation, and security compliance.
In a nutshell, the primary benefits to committing to a larger BYOD scheme in 2021 are:
- Improve employee onboarding and exit process
- Easier scaling of a remote workforce
- Reduction in acquisition budget
- Employee familiarity
- Streamlining of communication channels
- Employees value freedom of choice
Key considerations for your specific business environment
Minimum Device Requirements
Strategically it is often the case that one of two issues arise with planning minimum device requirements:
- Minimum requirements are in place but not sufficiently clear to the workforce.
- Failure to focus on one or more critical areas needed to make the BYOD policy robust.
Any BYOD policy needs to be formulated with these potential blind spots in mind.
Often overlooked areas to focus on when defining minimum device requirements include:
- operating systems currently and historically used by the device and the support of those operating systems;
- specifics around the hardware being used (including flash drives and other ancillary remote storage), and;
- Device management solutions.
Device Follow Up Policy
Corporations with significant workforces make it very challenging to monitor ongoing device status. A thorough device follow-up policy is essential if the BYOD policy factors in stipends or other reimbursement costs.
Many companies offer stipends or other reimbursement plans to employees who use their own devices either in the workplace or remotely. In most cases, this is to offset employee costs associated with internet access and data plans.
CTOs developing BYOD strategy need to consider two main factors carefully:
- The costs of stipends and other reimbursement expenditure, both on an ongoing basis and year on year. CTOs and CIOs should state the frequency and limits of employee reimbursement.
- BYOD policies often include ‘staged’ or threshold reimbursement plans where employees are reimbursed after exceeding data thresholds. Companies operating BYOD should be able to monitor monthly and, if the business needs demand, daily exposure from employees close to data usage thresholds.
Many companies have become wary around allowing employees to choose their own passwords for devices. But there still seems to be a blindspot around renewing passwords, including (but not exclusively):
- How often passwords need to be reset.
- Who is responsible for choosing renewed passwords.
- How and where password information can be stored.
These considerations should also be factored into any BYOD policy.
BYOD: Security Risks
Against the above backdrop of BYOD policy specifics, there are more general risk management considerations that extend beyond BYOD but are also extremely important to BYOD policy best practices. These include:
Risk of Data Exposure
One of the major potential issues with any BYOD strategy is the risk that data could be leaked or exposed. There are many ways this can happen, ranging from occasional family’s or friends’ use of devices containing corporate data all the way through the device theft and even rogue employee actions. Any BYOD strategy needs to factor in all conceivable ways data could be leaked either unintentionally or deliberately, with appropriate risk management measures in each case.
Whilst secure servers (SSL) are becoming the standard across the internet; many websites are still lagging behind when it comes to secure servers. At the time of publication, just under 47 million websites in the US had SSL installed, which is nowhere near the many hundreds of millions of US websites.
Hardware and Software Vulnerabilities
Under BYOD, companies do not own employee used devices. This means that drivers, apps, or other software and hardware can be routinely out of date. This introduces various vulnerability risks that any BYOD device policy will need to define and manage.
Corporate and Personal Data Conflation
One of the more insidious risks for CTOs and CIOs when it comes to BYOD is the inevitable mix of corporate and personal data. Employees might save some sensitive data on their personal Google Drive in order to ‘work from home in the evening’. There is always a temptation to email oneself with documents for ease of reference. These and many other behavior traits can all lead to corporate risk when it comes to sensitive data.
Personal devices are often not backed up effectively. This opens up the risk of potentially significant data loss in the event of device failure or even the employee losing the device. This risk should be considered very carefully from a strategic perspective and appropriate risk management procedures put in place.
Effectiveness of IT infrastructure and Privacy Issues
In order for BYOD to work, company IT infrastructure is required which can access device data. In some cases, this can be perceived as an invasion of privacy by employees. When devising, reviewing, or implementing a BYOD strategy, care should be taken to ensure that all stakeholders - including employees - have sufficient buy-in to practically make the policy work.
Developing a BYOD strategy
With all of this in mind, what are the critical steps that CTOs and CIOs tend to follow when updating an existing, or deploying a new, BYOD solution?
1. Steering Group Selection
2. BYOD goals & Contemporary usage
3. Company Policy Landmarks
4. Company Risk Profile
5. Strategy Straw Man
6. Transition from Straw Man to Full Documents
7. Processes and Risk Management
8. Rollout, Feedback and Review
Secure Remote Worker: A BYOD Solution
Secure Remote Worker was developed as a Windows-based solution to address the concerns around BYOD security. It enables IT departments to ensure device and data security in any remote working environment.
During work, the employee launches Secure Remote Worker, creating a secure workspace environment managed centrally by IT, allowing access to corporate resources and services remotely - all within a PCI, HIPAA, and GDPR compliant device. Secure Remote Worker comes with built-in features that prevent malware, eliminates threats of data leakage, and enhances employee productivity.