- IT security groups should be proactive in establishing policies that govern the use of employee smartphones and tablets in the enterprise to improve their reputation as productivity enablers, rather than stumbling blocks.
- Key considerations include what devices to allow, how corporate data and apps will be accessed, where data will reside, and what the users’ risk profiles are.
Some recent surveys suggest that while many enterprises are now allowing employees to use their own devices to access corporate networks and applications, few have established formal usage policies for those BYOD users. One study published last month by security awareness training company KnowBe4 found that 71% of businesses allowing employees to use their own smartphones and laptops for work-related tasks did not have usage policies and processes in place to secure and support those devices. This is the perfect opening for enterprise security and IT risk groups to seize the day and take a leadership role in defining the enterprise’s BYOD policy, setting themselves up as enablers, rather than roadblocks to improved employee productivity.
IBM’s own IT risk department is a great poster child for this endeavor. Rather than wait for the broader IT team to get their arms around BYOD, that department got out in front of any such initiatives by making the business case for allowing employees to bring their own smartphones and tablets, arguing that BYOD allowed employees to use social media to help meet IBM’s business aims. That leadership allows the department to make security a part of the enabling technology for BYOD. Of course, the IT risk team had at their disposal IBM’s own policy management and orchestration tool, Tivoli Endpoint Manager, but that was just the starting point. IBM was also an early adopter of enterprise app store technology. Such an endeavor will not be easy, and it will require collaboration with different lines of business and, depending on the business, other departments such as legal and HR. It will require thinking through which devices to allow and which to prohibit; the risk profiles of the employees who will be granted BYOD privileges; how corporate data will be accessed; and what users will be allowed to do from their devices. In IBM’s case, it created 12 different user profiles that were used to determine what the end user was allowed to do on their smartphone or tablet.