Debdas Sen, Executive Director, PwC, rightly encapsulates the tizzy that the ‘Bring Your Own Device’ (BYOD) phenomenon has thrown CIOs into when he says, “BYOD is a revolution happening at the user end and has taken the infrastructure out of the so-called ‘control’ of the CIO. BYOD has thrown CIOs out of their comfort zone.” But a robust BYOD policy built on an effective strategy can help restore that control to a great extent, and ensure a successful transition to BYOD.
Policy Maketh The BYOD Program
According to Brandon Hampton, Director at MOBI Wireless Management, clear communication and a strong policy are absolutely critical to ensure as smooth a transition as can be expected.
To say that a BYOD initiative is doomed to fail if the right policy is not in place is putting it mildly. “The legal landscape is extremely nebulous to say the least. The key weapon an organisation has to combat the scary situation of having corporate data residing on a device that they do not own and have limited control over is an ironclad policy that is enforced rigorously,” believes Hampton.
BYOD Policy Checklist
Decisions need to be taken on how far to go with the guidelines, and the policy has to be looked at from various angles. Vishal Tripathi, Principal Analyst at Gartner research, shares the key areas that the policy should cover and define:
User profiling: BYOD does not need to be a blanket implementation. Identify who really requires it.
Locking on the device and OS: Given the plethora of options in the market today, CIOs need clarity on which devices and OS versions will be allowed.
Security: One of the most important aspects. The security clauses in the policy need to answer questions such as: heavyweight or light security; security at server level or client level; security at device level, application level or information level; and so on.
Tripathi also suggests that issues like the available bandwidth, software licensing, data plans, etc. should not be overlooked.
Covering The Legal Angle
Hampton opines that the legal aspect is a greater area of risk today for organisations than the risk associated with data loss due to security breaches; however, the security aspect is often given much more attention.
Legal counsel advises organisations to have a consistent policy that is enforced rigorously and doesn’t allow for exceptions. Given the vagueness that exists in today’s legal landscape, this practice will ensure that the organisation is protected from punitive damages, advises Hampton.
The language also needs to be carefully worded to adequately protect the organisation. Further, the policy should have clear directives regarding data on the device and the possibility of personal data being wiped or becoming part of e-discovery in case of a lawsuit, adds Hampton.
Even though the legal system has not provided clear guidance on the question of ownership in a BYOD environment, it is very important for the policy to establish clarity around it. Loopholes and exceptions can result in a large legal exposure for the organisation.
Less for legal reasons than to prevent internal discord, the policy should also set clear expectations with end users about what the organisation will and will not pay for in wireless usage.
Policy-Making In Progress: Roadblocks Ahead
While analysts and industry veterans cannot stress enough the importance of having a strong BYOD policy in place, the fact is that many organisations do not pay nearly enough attention to this key component and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it’s highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a must.
CIOs could not be more wrong in treating BYOD policy-making as a one-time exercise. Policy-making needs to be treated as an evolving process. “CIOs should build and improve on the policy as they go along,” Tripathi advises. “They should test with people from different user groups and get them to do real-time applications. CIOs need to be very diligent with the pilots.”
Having said that, a policy is only as good as the people who follow it. Hence, a system must be in place to ensure that all users sign off on the policy. There are many Mobile Device Management (MDM) and Mobile Access Management (MAM) options in the marketplace today, designed either to protect an entire device down to the software or to secure only specific corporate applications. There are also applications that allow organisations to manage policies and ensure employee-owned devices are compliant before they are granted access to corporate networks and systems. These services can be costly and might require resources to support, but they can ensure fewer sleepless nights for the CIO.
Watch this space for more insights on another pain that BYOD brings in – the cost.