What does the Bring Your Own Device (BYOD) trend in IT mean in terms of new security considerations for the typical enterprise? And what should the Business Decision Maker (BDM) be doing about it?
In summary: embrace BYOD, enable your business, and allow your employees to be more productive anywhere and from any device. But don’t forget to do your risk management homework.
BYOD Security and the Enterprise
Never before has the proverbial information worker had so much computing power – smartphone or tablet – always on hand. And never before has it been as easy for IT to support the business with ready access to the data and tools necessary to enable new revenue sources and faster decision making. The decision to embrace BYOD is an easy one: employees, partners, and vendors are likely already using their own computing devices to communicate and collaborate. The question is, what can be done to establish and enforce practical data security policies for a fast-changing, heterogeneous computing environment?
Here’s a typical BYOD security cautionary tale: Widgets Co stores its documents on SharePoint and recently migrated to Office 365. The migration has been a boon to the Widgets business teams: they have more control over the look and feel of their team SharePoint pages, they can support a variety of client devices, and allow remote employees, frequent travelers, and vendors to collaborate. Plus, outsourcing is saving time and money for the in-house IT team, allowing them to focus on more strategic efforts such as enabling new LOB scenarios.
Recently, though, a senior executive, distracted after leaving a meeting in a foreign city regarding a potential merger between Widgets and Acme, left his tablet in the back of a taxi. Since he’s not sure what documents had been downloaded, or when, it’s tough to assess the potential impact of the unauthorized data disclosure if the device falls into the wrong hands. Either way, the timing of the loss couldn’t be worse: if Acme, its competitors, or even members of the foreign government were to learn details about Widgets’ internal discussions about the proposed merger, it could put Widgets in a bad place, and likely result in the termination of the executives leading the effort.
What can the BDM do to avoid this scenario? Read on.
Next Steps for the Business Decision Maker
The first recommendation may come as a surprise, but this is the real opportunity for the decision maker: don’t miss the chance to enable “anywhere” data access. Wherever your employees happen to be, and whatever device they happen to be using, consider how to let them be most productive. That doesn’t mean throwing the barn doors wide open to your most sensitive corporate assets. Instead, it means making a reasonable plan for taking advantage of the latest collaborative tools, cloud services, and the security controls they provide. If you don’t, your competitors will move more quickly than you to enable faster decision making and new lines of business, and even to attract better and brighter employees who thrive in a more dynamic environment. First and foremost, the focus of the BDM must be on enabling the business.
The second recommendation brings us back to the planning part, and is where risk mitigation comes into play: with the business goals in mind, work with your CIO, CISO, and IT team to establish data security policies to enable them. Make sure the basics are being covered: user authentication, authorization, auditing, and data encryption. In other words, who should have access, and to what? How are those rules being verified? And how can we protect sensitive data – whether in the cloud, on-premises, on the move, or in the back of a taxi – and still foster a competitive, collaborative environment that keeps us ahead of the competition?
The most competitive businesses are constantly looking for ways to gain new advantage from their existing IT investments. Look to IT security to be a business enabler. The latest enterprise software tools and cloud services enable more sophisticated security controls than any previous technology generation – use them!
Bring Your Own Device Security: A Happy Ending
Returning to the example of Widgets Co, suppose data loss prevention policies are established across all IT applications:
- Data is encrypted at rest and in transit
- All mobile devices require password/PIN unlock
With those policies enforced, the lost tablet of the senior executive is a non-issue, the strategic merger between Widgets and Acme stays on course, employees stay productive, and the business prospers!