Solutions to deal with security and data privacy issues have sprouted up in droves, but is there a good fix to the people problem?
The BYOD phenomenon is becoming more entrenched in government, and with good reason. Bring your own device promises potential cost savings and increased productivity. Moreover, employees want it. They’re used to accessing the world through their tablets and smartphones, and taking their work on-the-go feels like a natural extension of their mobile lifestyles.
Faced with tough fiscal choices, many city and state managers find BYOD a tempting proposition. In a 2013 study, Cisco’s Internet Business Solutions Group said BYOD could net employers up to $3,150 per employee each year on device expenses and increased productivity. BYOD employees gain 37 minutes per week in productivity, while spending more than $1,500 a year on expenses related to their devices.
But BYOD is hardly a slam dunk. As with any emerging technology, the transition to this new paradigm presents a range of hurdles to IT managers trying to do what’s best for the jurisdiction while simultaneously supporting the desires of end users.
Security is a primary concern, as work data increasingly commingles with private information and travels outside the office walls. But there are other sticking points, including concerns about privacy, issues of overtime and the burden on IT of having to support a broad range of devices, to name a few.
Public-sector technology leaders say these challenges can be overcome, but it takes some creativity and forethought.
Even before concerns about technology, IT leaders are wrangling with questions about people. Perhaps more than any other facet of IT today, BYOD challenges technology managers to consider the end user, both as an employee and as an individual with specific personal needs. At the same time, the employee’s relationship to the workplace must be addressed.
Take, for instance, the issue of discovery, the possibility that participants in a lawsuit could demand access to the content of a personal device in order to investigate work-related information.
“Now somebody wants to see if you have documents on your device that pertain to subject X. What does the law really say about that?” asked Minneapolis CIO Otto Doll. “We don’t see the laws as being clearly written to say you can only look at the business side of the device and not the personal side. It is not very clear how someone would ascertain just what is the business side versus the personal side.”
BYOD Policies 101
BYOD management starts with a sound policy for acceptable use. There are many variants out there in this fast-changing realm. The sample policy elements here are drawn from the federal CIO Council, the state of Michigan and the Society for Human Resource Management.
Surrendering a Device: The owner of a portable device may be required to surrender it, for example, to comply with electronic discovery requirements imposed by the courts or as part of an acceptable use investigation.
Sensitive Data: Storing of sensitive data such as personally identifying information on any portable device is prohibited.
Storage of Government Data on Internet Sites: Data related to government business cannot be transferred to Internet sites with which the agency is not under contract.
Personal Use: Employees must handle personal matters on nonwork time and ensure that friends and family members are aware of the policy.
Separate Ringtone: All employees must use a preset ringtone and alert for work-related messages and calls.
Remote Control: In an effort to secure sensitive data, employees are required to have remote-wipe software installed on their personal devices by the IT department.
Privacy: Government employees do not have a right to, nor should they have an expectation of, privacy while using government-provided devices at any time.
Lost Devices: If the device is lost or stolen, the user will notify the help desk within one hour.
Some see the issue of discovery as a major impediment, largely because of employees’ reluctance to make their private data public. “The city or state has to provide access to relevant public documents. This means the government has to have access to that device,” said New Hampshire state Rep. Bill O’Brien, a former state speaker of the House and now COO of Brainloop, which delivers collaboration tools. “Yet the last thing any employee would expect is to have their devices summoned into court.”
Even without the threat of litigation, it’s a real issue: New Hampshire has received as many as 203 requests for open records. The state’s response has been straightforward, mirroring what many say is the best approach to employee-based BYOD concerns. That is, candor upfront. Employees bringing their own devices are told at the start that the state has the right to demand that any content be made available as needed.
Privacy is just one aspect of the “people” equation. Of further significance are questions of compensation — both in terms of device usage and work hours.
In Napa County, Calif., where several hundred of the county’s 1,300 employees bring their own devices, CIO Jon Gjestvang has tackled the issue directly, deciding early on that employees should receive some form of stipend if they make productive work use of their own devices. The county will pay $35 to $120 a month to cellphone users, along with a $50 to $60 data allowance.
“It was based on your job, how much we thought you would be calling for business, and the data stipend was based on roughly the cost of a data plan at the time we made the policy,” he said. The basic rule for compensation: “It’s available, but there has to be a business reason for it.” And that’s up to department heads to decide.
It seems simple, but there are complications. Governments are supposed to be saving money, and yet the stipend, in some cases, feels like an expense, even if the user is gaining productivity. “If I give you $50 to come in with a phone, that’s still $50 that I am paying,” Doll said.
One further point on the human element: When are you at work? And should you be paid for that time? Will hourly workers claim overtime for work done at home? Is this a convenience or a new way for management to squeeze out more work for less pay?
“You need to define those parameters, that there is no additional requirement to do more work because of having these devices. It is only intended for the convenience of the employee. That has to be in every single policy,” said Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force.
Some jurisdictions have started addressing the overtime question explicitly in their BYOD policies. In Rancho Cordova, Calif., hourly employees using personal devices outside of their normal work schedule can work up to seven additional minutes per day without needing to report it. Anything beyond that, however, must be accounted for on the employee’s timesheet. The rule aligns with the city’s policy of rounding minutes worked to the nearest quarter hour.
While IT must consider the human element, there is also a range of technology-related impediments in play. One of the most significant of these is the matter of device management.
“When we started allowing access back in the BlackBerry days there was one device, one operating system. It was pretty simple,” said Gjestvang. “With the introduction of multiple devices, that has opened up challenges for us.”
Gjestvang’s team has installed a server separate from the BlackBerry server and developed software components to manage multiple devices. Set-up isn’t hard, he said, but upgrades can be a bear. A recent upgrade to the email system didn’t take on every device, in spite of an otherwise smoothly operating mobile device management system, and technicians spent time making adjustments. “Typically this would not have been a big deal,” he said.
Similar issues have come up when setting up new business applications. “Apps don’t necessarily work the same on one mobile device operating system as another,” Gjestvang said. “Some installations have taken a fair bit of manual tweaking.”
Sometimes issues arise on individual devices. One way to simplify that situation: Wash your hands of it. Gjestvang’s team as a rule will not offer support for personal devices. “We won’t just hang up on them, we’ll tell them what to do next, whether it is taking it to their carrier or dealing with some issue within the device,” he said. “Anything else really just stretches IT too thin.”
Rancho Cordova IT Manager Jay Hadley takes a similar approach. “We are always willing to assist them, but there is a line there where we can only do so much,” he said. “In 90 percent of the cases when a user comes to us with an issue, it is just a small glitch or a misunderstanding about how to use it. But there are times when there is something going on that is on the carrier side. Then there is nothing we can do.”
Hadley stretches his resources further by posting information about devices on the city intranet, including how to choose a device. “They can read it themselves, and if they need more information we are glad to sit down and help them with that,” he said.
Even if they can reduce the complication by offering only minimal support, IT managers still have to wrangle with obstacles inherent in the devices themselves. As Gjestvang noted, the same apps won’t always play nicely on multiple devices.
But sometimes IT leaders bring the problems on themselves by trying to take an overly simplistic approach to launching mobile apps for BYOD. Israel Lifshitz, CEO of Nubo Software, said it won’t do just to try and port a desktop function onto a range of mobile devices.
Often, a multifaceted desktop tool is wedged onto a mobile device and asked to do too much. “For example, you can see that the work of one Outlook desktop application [when shifted onto mobile] uses at least five different apps: email, calendar, contact, notes and tasks,” he said. The result? Diminished user experience.
“The best solution is to develop apps for mobile, to provide native apps,” Lifshitz said. “Using antiquated desktop applications on mobile platforms will not work, as the typical uses of mobile apps are totally different than desktop applications.”
It all seemed so easy. Employees would bring in their tablets and phones, their iThisOrThat. IT would load them up with enough software to give them access to their needed work materials and send them on their way.
Well, it probably never seemed quite that easy. IT folks are savvy enough to realize that this quiet revolution is going to come with complications. Even a couple years into the BYOD groundswell, many are still just discovering the magnitude of the challenge. Human concerns, technological adaptations — and then there’s security.
In a sense, this isn’t hard, really. Put in enough safeguards to keep government data secure from any incursion; lock it up tight. But then employees won’t be able to get in either. We’ve killed the patient to treat the disease. Before looking for remedies, therefore, it’s best to understand the risks. What exactly are the security challenges facing BYOD?
A leading concern involves the nature of the devices themselves and the way people use them. “Most people don’t protect the data in their personal smartphones the same way their data in a work device would be protected,” said Michigan Chief Security Officer Dan Lohrmann. “There aren’t the same mandates, and ultimately people don’t perceive the risk, so they don’t take the precautions.”
Without those precautions, it’s easy to see a catastrophic scenario. In Napa County, Gjestvang voices the worry that is foremost on the minds of many IT executives dealing with BYOD: data loss. “The big concern is about the data going out, anywhere from personally identifiable information to protected health information,” he said. Maybe it happens via a breached firewall or a lost device. The prospect of outsiders gaining access to inside information is the leading worry.
Gjestvang’s solution is not atypical. Workers can sign into county systems using a mobile device management system, but no county data will reside on their devices. Everything comes in encrypted, containerized and password protected, and it can be wiped remotely.
Hadley makes use of a mobile device management solution, a mechanism through which IT managers can program in rules and establish routines intended to give strict guidance to the movement of data over the network. But it’s not a perfect fix.
“You can put some policies on mobile devices, but we still don’t have the same comfort level that we have when we put policies on workstations. We can tell it to require PINs, we can tell it to lock devices, but it’s still not satisfying,” he said. “Suppose the mobile device gets a virus, for example. I want something that will report that back to us, and I haven’t seen anything like that.”
Faced with the same issues, others have taken a range of approaches, said Dux Raymond Sy, chief technology officer at AvePoint Public Sector:
Third-party providers lock down data on employees’ devices, often through the use of additional verification methods such as geofencing and two-factor authentication.
Government assumes control over an entire smartphone or tablet through mobile device management or other means.
Containerized solutions create partitions between personal and work-related data.
Secure file sharing and collaboration tools allow content sharing while maintaining control over data.
In King County, Wash., IT Enterprise Manager Bob Micielli frets over the mundane: the proverbial laptop left on the train. He implemented a couple of layers of safeguards against such an eventuality, relying especially on cloud provider MaaS360. Not only does a cloud solution help ensure data is safely out of reach from malicious actors, it also lightens the IT load.
“It gives us the flexibility to access the information from anywhere you are,” Micielli said. “You don’t have to sign into our environment, you can use the cloud portal. So rather than us building the servers, supporting the software, supporting the applications, we let the cloud provider handle all that. It means we don’t have to set up an entire IT stack.”
Despite such potential solutions, few in IT are comfortable with the state of BYOD security: There are just too many unanswered questions.
“We know we just don’t have the same tools that we have on laptops and workstations,” Hadley said. “I haven’t seen anything that totally satisfies us.”