by Ojas Rege, VP of Product, MobileIron
Nowhere is the unease between the IT team and the consumerization-of-IT trend more clearly reflected than in a BYOD program. In this world, consumer preference, not corporate initiative, drives the adoption of technologies, and many of those technologies were not built to meet enterprise security requirements. As Mobile IT teams plan for BYOD, two of the most critical things to figure out at the very beginning are establishing a trust model and understanding what BYOD means in terms of legal liability.
Trust is the foundation for enterprise security: which users do I trust with what data under what circumstances. Every major organization has gone through data classification to establish this underpinning for its security policies. BYOD adds another layer because the trust level for employee-owned devices may differ from that for corporate-owned ones. Privacy policies will vary and user expectations will differ. On corporate devices users may accept not being able to use social networking apps, but that type of policy does not work on a personal device.
Building a BYOD trust model requires:
- Defining remediation options – notification, access control, quarantine, selective wipe, full wipe. The severity chosen for the same violation may differ between personal and corporate devices. On a corporate device the remediation might be an immediate full wipe. On a personal device it may be a less severe action such as blocking enterprise access or selectively wiping only corporate data, leaving the employee's own data untouched.
- Setting tiered policy — ownership is now a key dimension. Personal and corporate devices will each have different sets of policies for security, privacy and app distribution.
- Creating a sustainable security policy — if the trust level of the personal device is so low that security requires extensive usage restrictions, the employee’s personal mobile experience will be damaged and neither the policy nor the BYOD program will be sustainable.
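The three requirements above come together in a compliance engine that treats ownership as a policy dimension. The following is an added illustration, not MobileIron code or any product's policy format: the violation names, the two ownership tiers, the remediation ladder and the tagged-data device record are all assumptions constructed for the example. It shows the same violation producing a full wipe on a corporate device but only a selective wipe of corporate-tagged data on a personal one, and a personal app-usage violation producing no action at all.

```python
"""Tiered BYOD remediation policy: ownership is a policy dimension.

Added illustration, not MobileIron code. Violation names, tiers and the
device record layout are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Remediation(IntEnum):
    """Ordered by severity so actions can be compared and escalated."""
    NONE = 0
    NOTIFY = 1
    BLOCK_ACCESS = 2
    QUARANTINE = 3
    SELECTIVE_WIPE = 4
    FULL_WIPE = 5


# Remediation per (ownership, violation). The same violation maps to a
# less severe action on a personal device than on a corporate one.
# Hypothetical policy table constructed for the example.
POLICY = {
    "corporate": {
        "no_passcode":    Remediation.QUARANTINE,
        "os_out_of_date": Remediation.NOTIFY,
        "jailbroken":     Remediation.FULL_WIPE,
        "blocked_app":    Remediation.QUARANTINE,
    },
    "personal": {
        "no_passcode":    Remediation.BLOCK_ACCESS,
        "os_out_of_date": Remediation.NOTIFY,
        "jailbroken":     Remediation.SELECTIVE_WIPE,
        # Personal app choice is not policed on an employee-owned device.
        "blocked_app":    Remediation.NONE,
    },
}


@dataclass
class Device:
    device_id: str
    ownership: str                               # "corporate" or "personal"
    violations: list = field(default_factory=list)
    # Items on the device tagged by classification; drives the wipe step.
    data: dict = field(default_factory=dict)     # item -> "corporate" | "personal"


def decide(device: Device) -> Remediation:
    """Return the most severe remediation warranted by the device's violations.

    An unknown violation falls back to NOTIFY so a typo in a policy never
    silently wipes a device.
    """
    table = POLICY[device.ownership]
    actions = [table.get(v, Remediation.NOTIFY) for v in device.violations]
    return max(actions, default=Remediation.NONE)


def wipe(device: Device, action: Remediation) -> list:
    """Apply a wipe action and return the items removed.

    FULL_WIPE removes everything. SELECTIVE_WIPE removes only items tagged
    corporate, which is what makes it acceptable on a personal device.
    Other actions remove nothing.
    """
    if action == Remediation.FULL_WIPE:
        removed = list(device.data)
    elif action == Remediation.SELECTIVE_WIPE:
        removed = [k for k, cls in device.data.items() if cls == "corporate"]
    else:
        return []
    for k in removed:
        del device.data[k]
    return removed


if __name__ == "__main__":
    # Constructed sample devices with identical data and violations.
    inventory = {"mail": "corporate", "vpn_profile": "corporate", "photos": "personal"}
    for owner in ("corporate", "personal"):
        d = Device(f"{owner}-1", owner, ["jailbroken", "blocked_app"], dict(inventory))
        action = decide(d)
        print(owner, action.name, "removed:", wipe(d, action), "kept:", list(d.data))
```

Running the script prints a full wipe for the corporate device and a selective wipe for the personal one, with the personal photos kept. The point of the ordered enum is that escalation and comparison across tiers are explicit, so a reviewer can see at a glance where the personal tier is deliberately more lenient.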
Does BYOD increase or decrease corporate liability? All enterprises have long-standing approaches to assessing the risk of employee actions and the corresponding liability, ranging from unsecured use of company data to accessing inappropriate applications or websites. BYOD introduces a new wrinkle because the device on which these actions may take place is not company-owned.
There are several important considerations:
- Defining baseline protection for enterprise data on BYOD devices. All companies must protect corporate data on the mobile device, but different protections may be required on different platforms. For example, more protection against over-privileged consumer apps might be required on Android than on iOS.
- Assessing liability for personal web and app usage. Employees expect to use their personal device however they wish. Is inappropriate use still a liability for the company, even if it doesn’t affect enterprise data?
- Assessing liability for usage onsite vs. offsite, and within vs. outside work hours. Should usage be monitored when at work but not when away from it? The boundaries of work and personal time blur for many knowledge workers, so this is a difficult analysis with hard-to-enforce outcomes.
We have seen large organizations decide that their corporate liability decreases when they move to BYOD: it is limited to protecting corporate data, and they are not liable for the employee's personal web, app, or other activity. We have also seen organizations decide that their corporate liability remains unchanged. Each organization should seek its own legal advice on how to frame and assess the liability differences between a BYOD program and a traditional corporate-owned mobile program.
The value of a well-designed BYOD program is increased employee satisfaction and faster adoption of new technology in the enterprise. However, it is critical to remember that early success depends on early preparation and an understanding of the nuances of complex issues such as trust and liability.