The shift to BYOD

BYOD: Bring your own device (BYOD) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications – Wikipedia, 2013

Recent statistics indicate that:

• “38% of companies expect to stop providing devices to staff by 2016” – Gartner, 2013
• “75% of employees in high growth markets such as Brazil and Russia and 44% in developed markets are already using their own devices at work” – Logicalis, 2013
• “44% of job seekers view an organization more positively if it supports their device” – Information Week, 2013

It’s been happening for years however around 2012 there came a turning point. Essentially, people realized how much more they could do on their personal devices than on their work devices. In most cases this was no fault of technology, but rather a result of the strict IT blocks, rules and restrictions that were put in place to protect data and to block porn (among other things).

Many IT administrators in various organizations have held firm in their beliefs and refused to adapt to the changing landscape by enforcing even stricter controls (e..g blocking social media sites, not allowing SMS, etc…). I get why they do this. They often see their job in a linear fashion with core responsibilities of protecting data, minimizing risk and keeping the IT/IS systems running. So why take any risk at all?

Well the unforeseen problem that this sort of thinking has led to is that IT went from having 100% control to 0% control of employee devices. Therefore as a result of the blocking, the risk to the organization has actually increased.

A US based survey by Opinion Matters of 1000 corporate office workers found that:

• “half of users reported they still have no passcode on their mobile device”
• “nearly a third of users report using a single password for all digital access”
• “47% of respondents reported their IT department has not discussed mobile/cyber security awareness best practices with them”
• “95.6% of survey respondents acknowledged that they used open, public Wi-Fi connections at least once a week to carry out work-related tasks such as sending and receiving email, reviewing and editing documents and accessing company servers”.

Now don’t get me wrong here, I’m a huge advocate of BYOD and I think that it’s absolutely the right direction to go in as an organization. My issue is that often organizations simply pretend it’s not happening as is evident by the lack of policies and education surrounding BYOD.

I think this is a tremendous opportunity for IT professionals to take a leadership role again in their organizations and offer educational sessions to staff. A potential training session outline could be as follows:

Technological risks of digital engagement on your own device and how to mitigate them

The purpose of this training would be to make employees aware of the technological risks associated with digital engagement and the latest malicious techniques being used by hackers such as:

• Use of social networking sites to enumerate users
• Taking information learned and using it for social engineering schemes such as targeted phishing messages
• Getting unsuspected users to install 3rd party fraudulent applications which provide access to user profiles
• Using compromised accounts of your colleagues and/or friends
• Impersonation

Additionally advice would be provided on:

• Procedures in case of device loss or theft
• Secure password protection tips
• Data ownership

Keep in mind that this sort of training would be primarily about the “technological” risks as opposed to all the broader “human” communication and reputation risks, which should be addressed in a stand-alone social media policy and corresponding training.

I’d be curious to hear who’s already bringing their own device to work. Please take a second to add your response to the poll below regardless of the sector (private , public or non-profit) that you work in.

Cheers,

MK