BYOD is no fun for SysAdmins

In the old days it was relatively easy to determine what devices were connected to the corporate network; they were large and cumbersome. Indeed, it was difficult for new devices to be connected to the network without the assistance of the corporate IT department; the confusing array of IP addresses and ports and the obscure art of modem configuration meant that it was well beyond most of us to do this.

For those who did require remote access, a pair of dedicated modems was needed and a telephone line which would remain stable and undropped for hours. I remember needing a line to remain connected for 7 hours, knowing that a click on the line meant that we would have to start again. Access to the network from outside could only be achieved through modems so, to ensure the integrity of the network, all that needed to be done was to check that there were no unexpected modems connected to phone sockets in the building.

If users were to be allowed mobile devices, these were in general confined to senior staff – none of whom could ever work out how to circumvent the controls. Mobile phones were just phones which were cordless. The IT department had total control over the devices used, what software was on them (if any) and nothing which was not IT controlled was allowed to access the network. Few users worked, or were expected to work, remotely.

Oh, how it has all changed!

As connectivity has improved and there has been more focus on work–life balance it has become more common for users to work remotely, whether from home or elsewhere. Users, particularly in the professional services market, are expected to be on call, or at least reading email, on an almost 24/7 basis.

As this explosion in connectivity has occurred, devices with the capability of being useful in a work context are no longer the preserve of a dedicated IT function. Most of us now have (several) computers at home, whether laptop or desktop, and it has become almost impossible to function in the 21st Century without access to the internet.

The IT department (or IT person) is faced with the challenge of users who need (or want) to access their corporate data remotely; the enterprise is unwilling, or unable, to provide every employee with a dedicated second computer for remote use and users in any case do not want to have a second machine lying unused for much of the time.

Add to that the fact that enterprises are generally slow to adopt the latest gadgets (recent statistics suggest that a significant number of enterprises are still using Windows XP, now 13 years old) and it is not difficult to see from whence pressures are coming.

In the mobile device space, the pressure is even greater; hardly a month passes without a super shiny new mobile phone (or “device”) being announced; we are all subjected to the conundrum of contracts with our mobile phone providers being lengthened – 2 years now appears to be the norm – whilst few hip users would want to be seen with a phone which was as old as 2 years. No stylish individual wants to be seen with an (old) blackberry, when their friends, who are not constrained by an IT department, have the latest shiny toy. The suggestion of two phones – work and personal – is for many not an attractive option as it means carrying 2 devices, 2 chargers, 2 cables.

A BYOD policy

So, how can the enterprise meet the apparently conflicting challenges of corporate security and individual resistance? The individual would like to have a single, hip device; the enterprise, mindful of its obligations under the Data Protection Act, needs to ensure data security.

For all these reasons, an enterprise needs to have a BYOD (bring your own device) policy alongside its existing IT and data protection policies. Here are some of the requirements of such a policy.

  • it needs to address issues such as ensuring that corporate secrets (whether personal data or not) are protected;
  • it needs to ensure that anything which the employee does in their own time (perhaps unprotected by the anti-virus activities of the corporate IT service) do not have the effect of introducing malware into the corporate network by the back door;
  • it needs to ensure that, if the employee’s personal device is lost or stolen (evidently 70 per cent of us will lose a mobile phone at some time), any personal or confidential data can be wiped remotely;
  • the enterprise needs to advise employees what information can (and cannot) be processed on their personal devices.

Other factors to protect the enterprise

In terms of the Data Protection Act, the enterprise will be responsible as data controller for all its data, whether held on the enterprise network or on an employee’s personal mobile phone. Best practice suggests that work data should be kept in a separate (password protected) folder and excluded from any cloud backup – easier to do on a laptop perhaps than on a mobile phone.

Remote access to enterprise resources should be through a secure channel (which almost certainly doesn’t include your local coffee shop or hotel); VPN (virtual private network) software is readily and inexpensively available (whether as part of the operating system or standalone). A robust password policy will assist but not eliminate this problem. Evidently popular passwords include “password”, “12345” and “monkey” – no I don’t understand the last one either. There are many systems available which allow single or two factor authentication which protects the enterprise data. The problem, however, is the user. Most users cannot come up with a password of more than 8 characters, let alone remember it. Expecting them to deal with multi-factor authentication may be a step too far. Programs such as BitLocker or PGP Whole Disk Encryption or the free TrueCrypt offer solutions which can provide almost total protection. However, it comes at a cost, eg when the employee cannot remember their password and then blames IT for the fact that the data cannot be recovered. The problem with a TNO (trust no-one) solution is that users cannot be protected from themselves.

Of course, things will go wrong and users will lose mobile devices and leave laptops on buses; where that happens the enterprise needs to be able to respond quickly through a remote wipe of the device (assuming it is not wholly encrypted in a secure fashion). This needs to be possible outside the core hours of 9 to 5, given that many of such losses will happen in the evening and at weekends.

Perhaps the enterprise should keep a record of all the NIC addresses of devices which are permitted to access the network so that these can be blocked remotely so as at least to contain any risk. In appropriate cases, it is possible to set filters so that access cannot be had at particular times; few UK based employees really need access to the network at 2 am on a Sunday, and if they do an exception can be created for them.

If your policy does allow remote wiping of lost or compromised devices, this raises another other issue: what happens when the IT department wipe a lost device which, it transpires wasn’t actually lost but just mislaid and which device contained the unbacked-up personal photos of some important event in the employee’s life? Employees need to know that that is a consequence of mixed use and ideally should give an express written acknowledgement of that possibility, to avoid future disputes.

Of course, none of this works if the employees are not trained and told what they can and cannot do; my perception is that employees in enterprises are given mobile devices, often with access to the corporate network, with little or no guidance and very little (if any) training. Should a breach of the BYOD guidelines be considered a disciplinary matter? If so, that needs to be spelled out clearly.

ICO guidance and other issues

In March 2013, the ICO issued guidance on compliant BYOD schemes, which discusses many of these issues from a data protection perspective. For the enterprise, the issues go far wider than data protection and for many, there may be no personal data involved; however, the same issues arise and the guidance is a good starting point.

BYOD is not a static process; the capabilities and price point of the latest consumer electronics – mobile phone or laptop – surpass anything which could have been considered even five years ago; employees are accessing the internet (and that means enterprise resources) from a myriad of unexpected places; our corporate website is, according to the analytics, even accessed by users using an xBox (which is inexplicable and a little sad.). That means that any BYOD policy needs to be fluid enough to allow its development over time to ensure that it remains relevant and fit for purpose.

Other matters you might like to consider include cost reimbursement. If the individual is using their own device for enterprise purposes, should the enterprise bear any part of that cost – or is that the cost that the employee has to bear personally for the luxury of having a single device? What about data and particularly roaming data costs? If the employee is surcharged for exceeding a data cap, should the enterprise reimburse that? How is the excess cost to be shared? Is the amount up to the cap the employee’s cost and the excess for the account of the enterprise? It’s probably worth setting out these rules in advance.

For the enterprise, it is perceived that having employees with 24/7 access to enterprise resources may increase responsiveness and client service. In some jurisdictions in Europe, employees are not expected to deal with email outside contracted hours; in the US and UK, the opposite may be true, but either way there are employment law issues which should not be overlooked. If an employee has an enterprise-provided smartphone but misses a deadline on some important matter because they turned it off at 5 pm on a Friday and didn’t re-engage before 9 am on the Monday, is that an issue?

Death and departure

Finally, some thought should be given to death and departure; not necessarily death of the employee, although the enterprise should also give some thought to that, but rather the death or replacement of the device. If one of the employee attractions in a BYOD situation is that they get to change the device for the latest model every 2 years (or whatever), the enterprise needs to give some thought to what is to happen to the old device. Does it get put in a drawer until it heads off to the local charity recycling service? If so, has all the data been wiped? It should have been, both for data protection and for confidential information reasons.

If the employee leaves, is anything done in relation to their devices? Hopefully network access will be revoked, but what of the terabytes of enterprise data held locally on the laptop or the information on the personal smartphone? Traditionally, the leaving meeting with HR involved the ceremonial handover of the access pass, keys and Blackberry. Perhaps in the 21st Century, more attention should be given to the information walking out of the door on the employees own smartphone.

Useful resources

Obviously the drafting of a BYOD policy is something that should be tailored to the needs of the business and relevant to the business, its employees and its devices. However, there is some useful guidance to be found from publicly available sources which at least point you in the right direction.

I like the tips from JD Supra and the (albeit US-centric) BYOD toolkit to be found on the White House website.

A quick Google search for “BYOD policy template“ does bring up a large number of examples, but some of these do appear to be more wishful thinking than the reality of what is likely to happen.

David Flint is Senior Partner of MacRoberts LLP, based in Glasgow, Edinburgh and Dundee.

Email Twitter @dfscot.