A Successful BYOD Policy Balances Usability and Control

Todd Neff | December 18, 2012

The idea of sensitive company data flying through the airwaves to computing devices the company doesn't own is enough to make most compliance officers' blood pressure rise.

Sooner or later, however, many of them will face this exact scenario. With the phenomenon of BYOD—bring your own device—most companies have had to make a decision to either let employees use their own tablets, mobile devices, and other personal electronic equipment for work or ban their use completely.

At some companies it might be too late to turn back the clock on prohibiting the access of business data on personal devices. “Honestly, a lot of organizations we talk to are not thinking, ‘How am I going to set this up?' It's, ‘How am I going to start managing this BYOD program that already exists?'” says Tim Williams, director of product management for Absolute Software, whose products focus on security and compliance around BYOD.

Employees have done company work on home computers since the dawn of the floppy disk. BYOD (also called BYOT, the “T” standing for “technology”; and also the less-snappy “consumerization”) represents something deeper. It's the formal corporate recognition that user-owned hardware—in particular iPhones, iPads, and their Android equivalents, but also notebook computers—has become a fixture of modern organizations. In a recent research note, technology research firm Gartner described BYOD as “the single most radical shift in the economics of client computing for business since PCs invaded the workplace.”

“Every business needs a clearly articulated position on BYOD, even if it chooses not to allow for it,” the authors added.

That position, Gartner, Forrester, and many others agree, must be fortified by a combination of IT infrastructure and crystal-clear policy regarding what devices get the green light; what company data employees should or shouldn't be accessing and what apps and Web services they must avoid for security and compliance reasons; and what happens when an employee-owned device goes lost or stolen or leaves the company with its owner.

It's easier to just say no—and, according to David Remnitz, leader of Ernst & Young's Forensic Technologies and Discovery Services, some perhaps should. At minimum, he says, companies whose BYOD-candidate employees are steeped in sensitive healthcare or financial information should institute “an extraordinarily well-defined BYOD program to ensure that any device introduced into the environment follows a very tight series of compliance-oriented functions.”

Companies are increasingly looking for ways to make allowances for BYOD for several reasons; chief among them is the opportunity to cut IT costs. While the overall savings from BYOD depend on the organization, the amount can be substantial: Intel employees own 58 percent of the mobile devices they use, the company's Chief Information Officer Kim Stevenson recently told InfoWorld, generating an estimated $150 million a year in higher productivity and savings. BYOD is also environmentally sound, saving the production and shipping of duplicate devices—all those people with separate personal and corporate cell phones—multiplied by thousands of employees in a single large company alone. Foremost, though, employees just want to use their own devices.

“The reality is, BYOD is being forced upon the major corporations we interact with,” Remnitz says.

It's not just younger professionals who have grown up with mobile technologies and whose mobile-computing tastes are as particular as their tastes in music, food, or dress. It's also “the realization that technology is changing so fast and dynamically that one of the only ways to counter that is to have employees carry the technologies they prefer in their hand and pocket and briefcase,” Remnitz adds.

While technology is instrumental to instituting compliant BYOD programs, policy is the key, says Bill Ho, president of Biscom, which specializes in secure document delivery.

“I personally feel that the policy and education side is more important than the technology,” Ho says. “The technology is the easy part: you encrypt, you require PINs, you watch what apps are being installed, you put in encrypted containers and run corporate apps through mobile device management software.”

Usability should be the starting point, Williams says. Take the example of Dropbox, file-sharing software that boasts 100 million users. A recent survey by BYOD software firm Nasuni found that one in five employees used Dropbox for work-related files. The compliance-related concerns with Dropbox, Evernote, and their ilk range from the strength of authentication and levels of encryption to other data-protection considerations, as well as limitations on traceability and auditability. Among the leading scofflaws? Vice presidents and directors, the survey found.

“One of them said, ‘Oh, I didn't know that policy applied to me,'” says Connor Fee, Nasuni's marketing director.

Education and training are part of the answer, he says. But the Nasuni survey found that fully half the employees using Dropbox were aware of the company policy forbidding it. Fee says that, facing a wave of BYOD, IT departments need to start thinking less like system architects and more like marketers: talking to end-user “customers” to understand what they want, explaining what can and can't be done and why. Simply blocking a BYOD device's access to Dropbox is easy. Companies need to ask what employees really want from Dropbox. “They're not using Dropbox because of a special brand loyalty to Dropbox,” Williams says. “They use it because they want to have their stuff.”

Striking a Balance

Figuring out a middle ground means balancing corporate control with usability, Fee adds. “Lots of control is good for IT and bad for the end user. Anything bad for the end user in 2012 isn't going to survive very long,” he says.

Indeed, usability must be the starting point for any BYOD program. It's the employee's phone, after all, and they're saving the company money, at least on the hardware side, by using it. “So it has to start with making it easy for the user to get e-mail and get the docs and the apps they need to access company documents,” Williams says.

Below is a chart regarding BYOD from Gartner:

With the wide range of capabilities brought by mobile devices and the myriad ways in which business processes are being reinvented as a result, we are entering a time of tremendous change.

There are instances where current-state mobility costs can be cut, such as in the common case of replacing an existing BlackBerry device that provides mobile email and calendaring. To take an example, moving a 500-person mobile workforce running corporate-supplied BlackBerry devices at a cost of $90 per month to personally owned devices results in a 29 percent reduction in hard costs, using a standard $50-per-month reimbursement rate, while investing roughly $360 per user in new infrastructure, software and support (see Figure 1).

Source: Gartner.

There also needs to be some perspective on where to draw the line. Employees e-mail files, copy sensitive data to thumb drives, forget their laptops in airplanes, write their passwords on Post-It notes stuck on their monitors, and commit other transgressions. These are the folks the company should be thinking about when designing a BYOD program. “You can't get too wrapped up in malicious employees, because they're going to find a way to circumvent you anyway,” Williams says.

There are ways to sharply improve compliance while lessening IT-department headaches. First is establishing exactly which mobile devices can be part of the program and setting configuration rules so that those devices become part of a known inventory.

Policy and technology intertwine with the introduction of the aforementioned mobile device management (MDM) software. MDM systems can provide VPN-style conduits for secure e-mail; prevent copying or forwarding of sensitive files; remotely wipe all of a device's data or some portion thereof; provide secure Dropbox-style environments for mobile document sharing; and much more. Solutions abound, with vendors including IBM, SAP/Sybase, Symantec, Cisco, Citrix, VMware, Absolute, MobileIron, Zenprise, Airwatch, Fiberlink Maas360, Good, and Nasuni, among others.

MDM software can lessen the compliance headaches of BYOD with some creative solutions to balancing usability and control. Absolute, for example, has a government client that allows iPad viewing of certain classified documents only during certain scheduled meetings, then locks them down to forbid copying into other applications or forwarding by e-mail, text message, or other avenues. When the meeting is over, the iPad automatically deletes the file, Williams says.

The MDM software must go hand-in-hand with the employee's understanding of how MDM technology will affect their devices in good times and bad. Policies might include a reminder that the secure file-sharing solution in the confines of the MDM—and not Dropbox—must be used. They will make clear that password protection of the device itself is now required and that multiple password misses or a report of a lost or stolen device will trigger a remote wipe of part or all of the device's data.

“You have to be sure that you're overseeing the introduction and upkeep of these devices and can pull the trigger and clear the data off one when it's known to be outside your control,” Remnitz says.

Employees may not like it, Ho adds.

“It's a tough balance to provide security and also make it easy to use,” he says. “Add a couple of extra clicks and people complain loudly.”