Policy 1: Follow the Golden Rule
While it sounds a bit snarky and evokes Google’s oft-ridiculed “do no evil” mantra, too many companies fail to follow the Golden Rule (treat others as you’d like to be treated in return) when it comes to BYOD. These are generally the companies with policy declarations that rival the government tax code and contain more “Thou shalt nots” than even the most repressive religious or moral tomes. IT treats employees as children, and more often than not those employees do childish things to skirt policy, or willfully ignore policies out of sheer disgust.
At even the largest corporations, where confidential customer data are routinely handled on mobile devices, I’ve seen highly successful BYOD programs that treat users as adults. Most are fairly liberal with which devices can connect to a limited number of services on their network, in return for following some basic security-related policies. There are certainly environments in which controls must be stringent, but with widely available encryption and remote wipe capabilities, worries around data loss can largely be mitigated with some off-the-shelf software. Policies that assume users are adults, explaining the necessary “tickets to ride” and providing the appropriate software, are generally more successful than multi-layer approvals and draconian prohibitions.
Policy 2: Start small, and open email
Perhaps the most requested corporate service for BYOD access is email, and luckily it is also one of the services most readily made secure and cross-platform. Everything from traditional in-house mail servers to cloud-based email providers is likely to offer mobile access, and in many cases it comes paired with basic device management such as remote wipe and password policy enforcement. If you’re struggling to pick a service to trial in a BYOD environment, few are better candidates than old-fashioned email: it presents all the major challenges of BYOD (security, provisioning, management, etc.) along with the major benefits (reduced device procurement and provisioning costs, employee satisfaction, etc.).
Policy 3: Guide and correct, rather than preemptively punish
BYOD requires a mental shift for most IT organizations accustomed to having the most intimate access to the devices they were tasked with managing. For both better and worse, BYOD shifts IT’s focus away from managing devices toward managing the data on those devices. Most users intuitively understand the need to protect proprietary data, and will comply with directives that protect those data. Build your BYOD policies on the assumption that an employee’s contract with IT is shifting from complete management of that employee’s device to management and protection of the data on that device. Guide users through protecting those data with software and configuration checklists, and with IT tools that identify missed settings or installations related to protecting data.
If your standard assumption is that users will protect corporate data if given the proper tools and job aids, you’ll likely design a program that’s easy to comply with. Conversely, if your assumption is that you must apply the old managed device paradigm to BYOD, you’ll end up treating users as risks rather than partners in protecting data. This is not to say that your BYOD program should be a free-for-all, but rather that policy violations should be identified to the user and punitive action taken when he or she fails to correct the violation, rather than attempting to preempt disaster through reams of policy documents and piles of corporate “managementware” users are forced to install on their personal devices. There’s a balance for different organizations, but too many IT shops initially err well on the side of “preemptive punishment.”
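The “guide and correct” approach above can be made concrete in code. The following is an added illustration, not tooling from the original article: a small device-posture check that tells the user exactly which protections are still missing and how to fix them, and only restricts access once a correction deadline has passed. The requirement names, the guidance text, the device report format and the 14-day grace period are all assumptions made for this example.

```python
"""Device-posture check for a BYOD program: report what the user still needs
to fix, and only restrict access after a correction deadline has passed.
Added illustration, not tooling from the original article; the requirement
names, guidance text and device report format are assumptions for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Requirements an email-only BYOD tier might impose (assumed set for this example),
# each paired with the "job aid" text shown to the user when it is missing.
REQUIREMENTS = {
    "disk_encryption": "Turn on full-device encryption in the device's security settings.",
    "passcode_set": "Set a device passcode of at least six digits.",
    "remote_wipe_enrolled": "Enroll the mail account so the corporate mailbox can be wiped remotely.",
    "os_supported": "Update to a vendor-supported OS version.",
}


@dataclass
class DeviceReport:
    """What the device (or the mail server's device record) reports about itself."""
    device_id: str
    settings: Dict[str, bool]            # requirement name -> currently satisfied?
    first_flagged: Optional[date] = None  # when the user was first told about a gap


def find_gaps(report: DeviceReport) -> List[Tuple[str, str]]:
    """Return (requirement, how-to-fix) pairs for every requirement the device fails.
    A requirement absent from the report is treated as unmet (fail closed)."""
    return [(name, guidance) for name, guidance in REQUIREMENTS.items()
            if not report.settings.get(name, False)]


def user_message(report: DeviceReport) -> str:
    """Plain-language checklist for the user; empty string when nothing is missing."""
    gaps = find_gaps(report)
    if not gaps:
        return ""
    lines = [f"Device {report.device_id}: {len(gaps)} setting(s) still need attention."]
    lines += [f" - {name}: {guidance}" for name, guidance in gaps]
    return "\n".join(lines)


def decide_action(report: DeviceReport, today: date, grace_days: int = 14) -> str:
    """Guide first, restrict later.

    Returns 'allow' when compliant, 'warn' while the user is still inside the
    correction window, and 'restrict' only after the window has elapsed."""
    if not find_gaps(report):
        return "allow"
    if report.first_flagged is None:
        return "warn"  # first notice: the user has not yet had a chance to correct
    if today < report.first_flagged + timedelta(days=grace_days):
        return "warn"
    return "restrict"


if __name__ == "__main__":
    # Constructed sample report: encryption and wipe enrollment done, two gaps remain.
    sample = DeviceReport(
        device_id="phone-0001",
        settings={"disk_encryption": True, "passcode_set": False,
                  "remote_wipe_enrolled": True, "os_supported": False},
        first_flagged=date(2024, 1, 1),
    )
    print(user_message(sample))
    print("action on day 10:", decide_action(sample, date(2024, 1, 10)))
    print("action on day 15:", decide_action(sample, date(2024, 1, 15)))
```

The point of the structure is that the same check serves both halves of the policy: `find_gaps` feeds the checklist the user sees, and `decide_action` escalates only when the user has been told and the grace window has run out, rather than blocking on first contact.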