Inside the Mobile Model: Confronting the Middle-Market BYOD Conundrum

 

Today’s middle-market executives can fit an entire desk’s worth of vital business information inside the palm of their hands – or pockets.

Bring Your Own Device (BYOD) work models, enabling employees to use personal smartphones, tablets, laptops and cloud solutions to access business data and applications, are soaring in popularity. With the increasing adoption of smartphones and tablets, the “consumerization of IT” inside the enterprise is a trend that shows no signs of slowing. In fact, according to a recent Gartner Study, 70 percent of mobile professionals will conduct business through personal smart devices by 2018.

There are obvious upsides to BYOD. For middle-market businesses, BYOD can reduce expenses on physical IT equipment by enabling employees to connect to work applications through the cloud from personal devices. According to Magic Software’s 2013 State of BYOD study, nearly one-third of businesses expect BYOD to reduce their operating costs this year.

At the same time, BYOD gives middle-market employees greater flexibility to work from anywhere, at any time, on a device they selected. This increases employee satisfaction and boosts productivity. Clearly this is great for businesses, or is it?

There is a potential dark side to the consumerization of IT in the business environment. The great benefits offered by BYOD also can create great risk. While BYOD models can reduce costs and improve productivity, they also pose threats that can cripple a business. The free exchange of data between business devices and personal devices opens confidential business information to hackers, viruses and cyber attacks from those wanting to use corporate data for malicious purposes.

Just this month when addressing members of the Senate Intelligence Committee, James Clapper, director of national intelligence, testified about the rising threat of cyberattacks on the U.S. and U.S. businesses saying, “These capabilities put all sectors of our country at risk.”

Closer to home, the Winter 2012 Cbeyond Small Business Snapshot survey revealed that the vast majority (85%) of SMB leaders say they use security software to protect business computers from viruses, spyware and other Internet threats. Additionally, 58% said they have found spyware or viruses on business computers, and nearly a third (32%) had experienced a cyber-security issue or breach in 2012.

This is why businesses – especially mid-size enterprises with lean IT departments – need to carefully wade into the BYOD world. While cost savings are attractive, executives have to factor in the potential threat of losing control of corporate information.

Good, bad or in between, the reality is that BYOD is already practiced in most businesses today and is not likely going away. As a result, it’s time for business executives to proactively ensure their organizations are protected with the policies and security needed to minimize the threats that come with BYOD. And the time to act is now.

Many mid-size businesses have not considered the impact of consumer technology in the workplace. In fact, according to Virgin Business Media, only one-fifth of large firms have a BYOD plan in place. That’s where middle-market businesses have the advantage. They are nimble and often better able to quickly address challenges and move forward.

The challenge lies in putting the same levels of control around a personal, rather than corporate, device.

“I have seen executives lose iPads that had very sensitive data without as much as a device password to protect the information,” said Eric Dykes, chief executive officer with UTG - Trusted IT Solutions, a provider of IT solutions to enterprises of all sizes throughout the Southeast.

“Today’s smartphones and other devices have as much capability to process corporate data as a PC or laptop. In the wrong hands, a phone that is connected to the corporate network gives as much access as if you invited a hacker into your office and gave them a seat at one of your workstations,” he continued.

The following checklist can help you evaluate where your company is on the path to successful BYOD and where it needs to improve. Essentially, the path runs through “The Four Ps”:

Purpose

As fundamental as it sounds, the first step is to create a successful BYOD policy that works for both your company and its employees. To do this you need to understand what data is most at risk should it move outside a company’s internal protection. Businesses need to define their data scope first so they know where private data is kept and how it is accessed today.

When doing this, list the types of information you store, rank each in terms of how critical it is to keep it confidential, and note how it is accessed today. For example, data such as social security numbers and bank account information must be kept confidential at all times and should only be accessed through secure processes or applications.

Policy

A solid BYOD policy does not need to be lengthy, or require significant resources to complete. In fact, emphasizing a few core tenets repeatedly will likely be more effective than trying to cover everything up front.

This plan should specify access to business programs, documents and information based on need. For instance, a company’s accounting team should be the only ones allowed to access accounting documents, and when accessed remotely this class of information must be accessed through a secure application or network connection. Saving company accounting information on a consumer file-sharing service or a thumb drive so it can be worked on off-site on a home computer should be prohibited.

In any business environment, passwords can be a blessing and a curse. They often remain the lone access obstacle, yet technologies that break password protocols are advanced. To that end, employees need to be reminded not to distribute corporate passwords to external sources, to always log out of remotely-accessed websites, and to use strong passwords.

Having a BYOD policy, while not foolproof, can help businesses guard against compliance and regulatory challenges. Companies are still responsible for maintaining compliance even outside their physical offices, and BYOD elevates this risk. While technology can be used to help make this happen, spelling out what is expected of employees so they know and understand it is often just as important.

People

Access to company information, beyond the walls of your enterprise, needs to be carefully thought out and might even seem counterintuitive. For example, the IT group or manager, in most businesses, holds the “keys to the information kingdom” and therefore should have the tightest restraints on how and when he or she can access information. Doing so will help minimize the potential for a data breach involving your most sensitive data.

Meanwhile, your sales team will likely need “on the go” access to information, but the scope of information they can access should be narrow. When moving down the BYOD path, look at your employees by role, department and location and then determine their information access needs.

Products

File sharing and email access are the two areas where a business and employees can inadvertently put confidential information at risk. Most don’t consider how easy it is to move a sensitive file to a personal desktop or device and forget it is there, or open a “confidential” email on a mobile phone. To safeguard against this information escaping, encourage employees to only move certain files if absolutely necessary, and routinely clear browsing histories, desktop icons and email junk folders.

When it comes to evaluating BYOD solutions, the best products are not always the ones that micro-manage each individual control or setting. For example, the right business-grade cloud server partner can work with a business to make sure their employees have secure, off-site access – across a variety of devices – with established controls and safeguards to ward off potential threats.

Additionally, business executives should consider providing employees with smartphones and tablets that they can use anywhere. While this may be a less popular and more expensive approach, it may be safer in the long run. Under this model businesses can keep a tighter watch on what items are moving around their servers and email engines, while also reducing the threat of a disgruntled employee freely sharing contacts or files through his or her personal device. In addition, should an employee leave the company, that device – loaded with company contacts and possibly other information – does not leave as well.

Ultimately, a hybrid approach that grants employees remote access with the right security settings and potentially through company-provided devices may be the best route for businesses adopting BYOD.

What’s Next?

The proliferation of consumer technology in the office will continue to grow but if you’re ready for it, it will bring more positives than negatives. Taking the time now to understand how your employees are accessing company information remotely, and reinforcing basic security and access principles, can better secure critical company information while delivering more sustained systems and desired cost reduction.

After all, investing some mental and monetary capital now in establishing policies and technology to govern BYOD is the soundest defense against the millions that could be lost should something go wrong.

The internet is a great starting place when building a BYOD policy. There are numerous templates available to help guide you through the process. Here’s one:

  • The White House’s Federal Chief Information Officer:

About Jeff Jenkins

Jeff Jenkins serves as Cbeyond’s chief information security officer (CISO). Cbeyond, Inc. (Nasdaq: CBEY), a cloud and communications services provider, is the technology ally for small and mid-sized business. In his role, Jenkins is responsible for managing the company’s information security program and providing a secure computing environment for both Cbeyond and its customers. Visit www.cbeyond.com.
