byod: can everyone bring toys to the office? · 2018. 12. 5. · byod: can everyone bring toys to...

Post on 25-Aug-2020

BYOD: Can everyone bring toys to the office?

“BYOD” denotes “Bring Your Own Device”, whereby employees bring their own home-purchased technology into work. It’s a phenomenon that’s here to stay. Jessica Keyes, Ph.D. is president of high-tech management consultancy, New Art Technologies, Inc., and an Honorary Lecturer at the University of Liverpool. She says, “Technical wizardry is no longer purely the domain of the IT department. Geeks are now everywhere. Many of them have grown up with computers from birth. These workers want to make their own technology choices, whether they are on the ‘approved’ list or not, and whether the company pays for it or not.”

This is, surely, a win for your business. Employees pay for their own equipment, and pay to maintain it, too. It’s also usually up to current specifications: better than you might be able to afford; and likely full of current software and apps, too. Plus, your team are happier, because they get to use kit with which they’re already comfortable. There’s no need for training or familiarisation; indeed most users of consumer IT won’t even have bothered to read the manual. It’s a world of turnkey computing.

Keyes adds that the comfort factor can directly lead to productivity gains: “It has even been suggested that employees will work longer hours because they will be able to interact with their systems, using their tools of choice, at any time of day or night.”

So, what’s not to love? Well, imagine if you ran a taxi firm, and any driver could turn up with any old jalopy and start ferrying passengers about. This is a good analogy for the sort of challenges associated with unregulated BYOD. Here are just some of the considerations, as outlined by Cesare Garlati, Co-Chair of the Cloud Security Alliance Mobile Working Group:

Getting everything to work together. When a business could dictate its technology, it was always consistent. Homogenous technology is cheaper to buy, maintain and connect. But with everyone connecting different smartphones, laptops, tablets and even home computers to the company network, it makes managing them – and the many different applications they may be running – very complicated.

Controlling security. Whether you have an IT department (as large companies do), an IT contractor (as midsize companies do) or you try to juggle technology for yourself (as small businesses do), BYOD represents a security nightmare. You can’t completely prevent your employees from accidentally uploading nasties like viruses or spy-software onto their machines; or visiting dodgy websites. Garlati adds, “Plus, the technology and applications are both consumer-grade, not enterprise grade; and will need third party security products which previously would have been provided by the IT team”. As these devices are mobile, that security regime needs to be delivered over the air, too. A range of new services like Microsoft’s Windows Intune deliver systems management from the Cloud, and are evolving to include mobile device security regimes. It’s not a moment too soon: as Keyes notes, “McAfee, the security company, says that over 4% of smartphones are lost or stolen each year. Each unsecured stolen or lost phone opens the organization up to the chance of a breach of corporate systems and/or data.”

Providing support. If you do have a support contractor or in-house function, the cost of trying to solve problems on users’ home machines (which might even be their problem, not yours…) can easily outweigh all the cost savings derived from having them use their own equipment.

These, however, pale into insignificance next to the operational and legal challenges which could be presented by the lack of an Acceptable Use Policy (AUP) which accounts at least in some way for BYOD. If you don’t have one, BYOD should be your cue for action. That said, you’re in good company: Garlati says that, having conducted over two years of extensive research in large organisations, less than 10% of businesses had BYOD-specific language in their Acceptable Use policy, leaving at least 80% exposed to employee litigation. See ‘Design your BYOD Acceptable Use Policy’ for more details.

So, should we panic and close the doors to outside kit? Keyes says no: “Despite all the brouhaha over BYOD, the world has not radically changed.” The key to successful BYOD is a comprehensive policy, plus some good technology. Says Garlati, “Management of the device needs to be non-touch, somehow, because either you don’t have an IT team, or if you do, they won’t be able to cope anyway. So the Mobile Device Management layer is crucial.” Luckily, says Keyes, “traditional asset management has been improved just for this purpose. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, company-owned or BYOD.”

HOW MICROSOFT CAN HELP

Microsoft Office 365 brings together online versions of the best communications and collaboration tools from Microsoft. Subscribe to web-enabled tools that let you access your email, documents, contacts, and calendars from virtually anywhere, on almost any device. Microsoft Office 365 is available from £3.90 per user per month for up to 50 users and from £5.20 per user per month for 50+ users.

Case study: Toyota Racing Development

One of the reasons for BYOD’s unstoppable popularity is the clear business benefits of portability and mobility. Businesses of all sizes have purchasing challenges: small businesses are cash-poor; larger companies are slow-moving. Employees find it easier to bring their own smartphones, tablets and laptops into work – because it makes their work-lives easier. But with security a major concern and improvements in productivity essential, can Microsoft’s mobility platforms meet the most stringent of business and security needs? Well, if you’ve ever watched Formula 1 on TV, you’ll know that, in motor racing, every tenth of a second counts, and technology is key to saving time on the track. That’s true at every level of the game.

Toyota Racing Development (TRD) differentiates itself within the hyper-competitive racing business through technology innovation. During testing, a typical Toyota stock car is equipped with more than a million dollars’ worth of instrumentation that monitors car and driver performance; and since 2007, TRD has developed racing software for teams to analyse this information to improve performance and win races.

“One of the biggest differentiators between TRD and our competition is that we have invested heavily in Windows software,” says Steve Wickham, VP of Chassis Operations at Toyota Racing Development. “Recently, however, we’ve been getting pressure from teams to improve communications and to introduce a more mobile computing platform that can be used trackside.”

To deliver a more intuitive, mobile computing platform for trackside information exchanges in the garage, TRD upgraded its racing software to run on the Windows 8 Enterprise operating system. It deployed its new, touch-enabled application, called ‘TRD Trackside’, on the Surface Pro tablet.

“Competitors are working all around us in nearby garage stalls, so protecting our data is critical,” says Darren Jones, Group Lead for Software Development at TRD. “We chose Windows 8 instead of the iOS because we get enterprise-ready security, the familiarity of the Windows development environment, and a touch-enabled interface.” Wickham adds, “It’s an exciting new software tool for us. Now I’m just waiting for that email after a race weekend that says, ‘Thanks for the software - it helped us win the race.’”

Design your BYOD Acceptable Use Policy

Lawyers are still arguing over the intricacies of BYOD Acceptable Use Policies (AUP). In truth, it is probably impossible to define a watertight legal framework at this moment. However, even the smallest company can benefit from identifying the challenges and mitigating them by having clarity on paper where possible. Our experts, Cesare Garlati (CG) and Jessica Keyes, Ph.D. (JK) offer this powerful Top Ten as a starting point:

1. Privacy (CG). Mobile Device Management tools are the software which secure company information when it’s on a mobile device, whether connected to the company network or not. That’s fine when it’s a company computer, but what if you’re monitoring traffic on an employee’s PC? Without clear rights and responsibilities, this represents an invasion of privacy, or possibly even hacking.

2. Who pays for what? (JK). When an employee uses their own device for both work and play, overages of both phone and data usage can easily occur. Who pays for what must be clearly spelled out. Your policy should precisely define which categories the business will cover, and which not. This will also indemnify you against any potential fringe benefit tax issues.

3. Third Parties (CG). Personal devices are often shared around the family – think of the laptop or tablet which Dad shares with the kids, for example. Even a watertight acceptable use policy can’t be signed on behalf of other family members. Your employees cannot be held responsible for their kids’ use of a family device: if that affects your attitude to data, then it also ought to affect your attitude to BYOD.

4. Work v. Play: what we do after hours (JK). The fundamental challenge of BYOD is differentiating between work activities and what employees do when off the clock. As ever, on a company-purchased device, AUPs can clearly define what users may do. On an employee-owned device, things are much less clearly defined. There are plenty of situations where an employee may be using their device, in their own time, and therefore the relevance of their actions may only be apparent because the company has been able to discover it at a later date; a discovery which would not have been possible if the home/work gulf had not been breached. What, for example, if an employee makes a defamatory or discriminatory remark on a social network, or even in a private email?

5. Work v. Play: what we do in work (JK). The same issues apply on the job. Even on their own device, it’s unacceptable for an employee to engage in harassment, or to compromise workplace safety (for example by texting whilst driving).

6. Company responsibility for personal data (CG). Garlati notes that his own son woke up one morning and, in an understandably desperate bid to play Angry Birds, tried multiple passwords on a tablet and thus triggered the Remote Wipe security function. That’s a great security tool, rightly mandated by the company to protect its data. But when the wipe occurred, what about all the personal photos etc. on the machine? It is arguable that the business could be responsible for them – even if the wipe was caused by a genuine thief!

7. Licensing (CG). Home computers usually include home-use licensing of software. If that software is then used for commercial purposes, not only is the employee breaching the terms of their license, but the company can be accountable as an accessory to the license infringement. Microsoft offers licenses of Office software under Office 365 Small Business Premium to resolve precisely this problem.

8. Your HR Conduct (JK). The electronic record of an employee’s device usage may be used against you – especially after acrimonious terminations. It could, for example, show that an employee is working all hours of the day and night (even without your knowledge) – which might bring up issues of liability for unrecorded overtime, or minimum wage problems.

9. Device Disposal (CG). It’s an employee’s right to dispose of their old property however they want. There are apocryphal stories of phones left on planes and in taxis ending up on eBay. Businesses must, of course, require Remote Wipe functions to be activated, and an AUP should also include the condition that company data is rigorously removed before planned disposal.

10. Litigation (CG). Finally, if your company should find itself mired in litigation, the court can seize devices for ‘e-discovery’; i.e. the hunt for electronic evidence; even if it’s a personally owned device. Your employee probably won’t get it back soon, if at all; and their personal content will likely be exposed.

Using the Cloud to control BYOD

Kevin Meager – Olive Communications

BYOD and the Cloud are both buzzword trends right now, but neither is particularly new. The Cloud has been around as long as the internet itself, and people have used their own devices for a long time too – you may remember syncing your contacts to a ‘Palm Pilot’!

What’s changed is that both technologies are now prevalent, mass market, connected by wi-fi rather than cable, and therefore what IT people call ‘frictionless’ – i.e. ridiculously easy. Anyone can do it, and that’s why the perceived risk of insecurity with BYOD is greater. IT people aren’t being spoil-sports: BYOD is fabulously powerful, but it can mean that both employers and any IT Support they may have completely relinquish control over the corporate network, and that’s an open invitation to hackers.

The ideal outcome is therefore to get the benefits of BYOD – better, faster business from happier employees – whilst keeping enough control to minimise the security mistakes that untrained people can make. This is where cloud services like Office 365 and Windows Intune are useful.

With Cloud tools, you can have many of the security functions and policies of a server without the maintenance price tag which so many smaller companies found prohibitive (and therefore lived without). With Office 365, you can block unauthorised or hopelessly insecure devices. You can make sure that mobile devices are password protected; essential if they get lost – which they do. It allows business owners and employers to maintain at least some control over connected devices.

Another function of professional Cloud services in bringing control back into the business is in reducing the use of mobile Apps. There is a huge proliferation of messenger and file storage Apps – there are literally thousands on the market. Many are free, and we think they’re safe because they’ve passed the test to be allowed onto a manufacturer’s App Store. But the legal position regarding personal or company-confidential data may be very different indeed.

An unauthorised App could be storing personal data about customers on a system which doesn’t conform to the Data Protection Act at all. It could be hosted in a wholly unregulated country. If, instead, you store your information in the Microsoft Cloud using SkyDrive Pro or in a SharePoint Workspace using Office 365, you absolutely know that the data storage is compliant with EU Safe Harbour laws. By setting up Office 365, it’s the business, rather than the non-expert employee, who chooses where file storage and use happens.

In the same vein, sometimes even when a paid App is up to scratch, the free version of an App will have no encryption of information when stored or transmitted. Employees obviously like free Apps, and in any case, we expect to use free Apps to ‘try out the service’ anyway. Again, by giving employees secure cloud tools of the company’s choosing, the temptation and risk are very much reduced.

Employees (and managers!) are always going to make mistakes. Wise Cloud decisions, however, can minimise those mistakes by keeping a modicum of control within the company’s four walls; all at manageable and predictable cost and with plenty of productivity benefits, too.