Everyone is bringing their own devices to work. But is sensitive data being secured properly on our smartphones and tablets? Soon, new technology will be worn wherever we go. Is your enterprise preparing for WYOD?
Credit Flickr: Eivind Barstad Waaler (Creative Commons)
“Ready or not, here we come.”
And the “we” in this case is wearable devices coming into an enterprise near you.
That was one key message for attendees this past week at an all-day event entitled, Bring Your Own Device (BYOD): A Summit for Decision-Makers. The workshop held in Ann Arbor, Michigan, brought together public and private sector technology and security leaders, as well as experts from academia and a wide array of vendor sponsors, to discuss hot trends for employees who are bringing their own devices to work.
Greg Smith, Chief Information Officer at the Missouri University of Science and Technology, set the tone in his opening keynote, entitled, BYOD: We just need to keep up.
“BYOD is here now. It’s happening all around us…. It is the status quo – especially on university campuses….”
Greg emphasized that the real questions are around what is coming next, and the answer to that is Wear Your Own Device (WYOD). It will be huge and coming soon. We need to prepare.
Greg’s main points were around our urgent need to prepare infrastructure, security and mindsets for the new normal which is already trickling into our environments now – with a flood of new devices coming soon.
Greg Smith, CIO at the Missouri University of Science and Technology
There were numerous breakout sessions offering practical solutions to existing BYOD challenges. It was immediately clear to me that the market to securely support BYOD in enterprises has come a long way in the past few years. I urge readers to take a new look at available options to help secure existing government and private sector BYOD implementations or plan new deployments.
BYOD Is The New WiFi
My lunch keynote presentation addressed the topic: BYOD Is the New Wifi: How Can We Enable Mobile Data Security?
I started out by asking: "How many people purchased personal technology products over the past week (including Black Friday and Cyber Monday) that they intend to bring into work in some form?"
(Not surprisingly, almost half the hands went up.)
Pressing further, I asked how many had a formal BYOD policy that allowed them to do that, and many of those hands dropped. The reality became clear that even leadership staff are often doing what they think is best, regardless of corporate policy. BYOD is, in fact, happening almost everywhere.
I listed seven key questions to ask about your current enterprise environment regarding mobility:
1) Who is really using mobile technology? (Don't just include staff who are formally authorized.)
2) How are they truly using mobile devices? (Include both company and personally-owned equipment in your fact-finding mission.)
3) What data is being accessed on what devices? (Personal and company)
4) What policies are in place, and are they being followed?
5) What controls and protections are in place for sensitive data?
6) What helpful, relevant, engaging training is provided (and taken)?
7) What’s coming next? Are you prepared for next-generation people, process & technology?
Dan Lohrmann, lunch keynote on BYOD, photo by Tiziana Galeazzi
I proceeded to explain that the history of WiFi (and later cloud computing) is very similar to the current debates regarding BYOD. Will we learn from the past or not? You can find out more about my point of view on this BYOD topic at this CSO Magazine blog post from 2013.
While I won’t repeat all the details from my 45-minute talk here, an outline of the key solutions included:
- Develop, and enforce, strong use policies.
- Require strong password controls.
- Clearly define user responsibilities.
- Explain user risks up-front.
- Establish remote-wipe capability.
- Classify your data, and know where it is.
- Track your assets.
- Implement Mobile Device Management (MDM) to enforce policies and dual personas on personal devices.
While these items may seem rather basic, they are very hard to do effectively. They also tend to be the areas that get enterprises in trouble with BYOD.
Examples Please - Not so fast…
I wanted to provide you with some of the details from one of the breakout sessions, where the State of Michigan (SOM) described their BYOD program using IBM’s MaaS 360 MDM product.
Here’s the session description for BYOD a la SOM, featuring Tiziana Galeazzi, Office of the Director and State CIO, from the Department of Technology, Management & Budget (DTMB) and Paul Groll, Office of the CTO, DTMB.
Tiziana Galeazzi describes BYOD benefits
The DTMB BYOD program described was:
• Successfully launched October 1, 2014
• Open to all State Agencies
o DTMB - first agency to pilot
o Smart Phones and IPads were alowed
o MDM + security container were included
o Policy and Use Agreement signed by all participants
o Taxable Reimbursement provided
o Feedback on user experience was 100% positive
Some special BYOD program considerations included:
• Communicating the advantages of implementing a BYOD strategy
1. Cost savings
2. Workforce strategy (employee satisfaction, attractive workplace, productivity gains)
• Self-Service (internal app store)
• Opt-in with incentives
• Enforce security requirements
• Measure and monitor BYOD program with metrics
Paul Groll also described current efforts to tune government acceptable use policies for upcoming wearable devices. Some considerations include:
- Whitelist - What is allowed?
- Blacklist - What is not?
- Using Wi-Fi? Whose Wi-Fi?
- Using Bluetooth/NFC? Issues?
I ended my lunch keynote session by suggesting that wear your own device (WYOD) is indeed coming next, and it may become a major headache for IT departments. Like WiFi, the BYOD ship has left the dock.
Here are some recent articles on the coming WYOD revolution:
Internet of Things could bring a new economic boom - Computerworld USA
I urge government readers who have been moving slowly in this mobile space to get onboard the trend to securely enable BYOD in your current business situation. Otherwise, end users will just go around management and take these technology matters into their own hands - making the enterprise less secure.
Note: Photos by Dan Lohrmann unless otherwise noted.