3 rules for doing BYOD right

With these three basic guidelines, BYOD can work for everyone without unfairly burdening IT

It's a compelling statistic: 83 percent of companies now allow employees to use their own mobile devices for work -- the quintessential definition of "bring your own device" -- according to the most recent data from Aberdeen Research. Once you factor out the very-high-security industries such as defense, you're left with, in essence, all companies.

BYOD adoption rates January 2008 to July 2012 (source: Aberdeen Research)


Despite the fears expressed in 2010 when the BYOD phenomenon rose to attention, devastation has not ravaged the earth. In fact, it must be a good thing for companies to have accepted the notion so widely. A big reason, of course, is that employees work on average an extra day a week for free -- without being asked, much less paid -- when enabled via BYOD.


Although BYOD as a concept is now generally accepted, how it's managed in practice remains all over the map, with many organizations making it unnecessarily complex for both users and IT. Some organizations have even done what IT has long feared: dumped the burden on IT once BYOD is in operation.

In the early days of BYOD, some of the fears were relatable, though they proved to be ill-founded. Companies were understandably conservative, not knowing what would happen in practice. But now that we have several years of BYOD under our belts, it's time to move to what works best for all.

I've seen organizations make this migration. For example, one government agency used to ban access by non-agency-issued mobile devices and non-agency-issued PCs, then began handing out VPN access for home-based PCs on a very limited basis, with waits of up to a year for approval. Next, it allowed iPad and iPhone access to email if employees donated their devices to the agency, which would then hold legal authority over the device. Never mind that signed policies can easily and effectively get you the same results -- who owns the device doesn't matter. Finally, it now does what pretty much everyone should do: It allows access from any device that meets its technical security policies, for any employee whose manager signs off on the access.

It really should be that simple from an access perspective. As you'd expect, the employee must agree to access and information-management policies, reinforcing the typical behavior (such as no forwarding through personal accounts) and responsibilities. For example, the employee must notify IT of a lost or stolen device and be prepared to have the device first locked and then wiped if not recovered, including possible loss of personal information not backed up by the user elsewhere. That's what iTunes and iCloud bring to the iOS world, and what Samsung and others partially offer for Android in their own accounts.

Technology should not be the focus of access and information management. Yes, it can help monitor and steer employees to desired behaviors, but in no way can it replace the responsibility of individuals to do the right thing in the computing contexts they choose to be in -- in a consumerized world, it's not just devices and software that knowledge workers choose to use, but also the work processes. Policies are all about those work processes and how they are expressed no matter what technology is in use. (Previously, I've provided an in-depth look at the technology side of planning for, implementing, and securing BYOD.)
