Although BYOD security gets the headlines, IT managers find issues like device management, scope management and support just as challenging.
At the recent CSO Australia Mobile Security roundtable, held at AusCERT, 21 guests thrashed out their experiences and concerns.
It's clear that there are few holdouts in the BYOD realm, and most of them are constrained as much by regulation, compliance and policy as by inclination. Of a diverse group of organisations, covering business, government, healthcare, education, law enforcement and aerospace, only one—Australian Aerospace—stated a clear no-BYOD policy.
Most of the rest said that they're still developing their BYOD policies.
What's driving adoption?
It's easier to tar managers with a generational brush—that they expect graduates entering the workforce to accept the same kind of workplace they had, 20 years ago, but that's not so. There's a strong consensus that the HR department has become an important driver of BYOD adoption. The reason? Partly to help attract talent.
As New Hope Group's MIS Manager Chris Evans put it: “The motivation comes from HR, because they want good candidates. They need to attract and retain the talent so there's a big push in that direction.”
Evans said that regardless of the original source of a BYOD policy, “it's become a company-level decision, a C-level decision. People want, at the very least, to get e-mails on their personal device, 24x7.”
Darren Moore of Tatts Group agreed, saying “HR is also our biggest customer. They are the ones that want it first—them and the C-level executives.”
The arrival of new CEO Robbie Cooke last year has greatly accelerated BYOD, he noted: Cooke is former CEO of the Wotif group, and has brought a new culture to Tatts.
“The CEO wants travelling access—we have had to change and turn around very quickly,” Moore said.
Kim Johr, ICT Infrastructure Manager at the Moreton Bay Regional Council, said staff satisfaction has driven the council's decision to trial BYOD. “The staff are doing more anyway, and they feel more satisfied. So there's value in that respect.”
“Staff need to be enabled to move around, to do their job in more than one location,” he said. And with that support, staff are happier.
What's in your strategy?
For nearly everyone at the round table, BYOD is a still-nascent part of their total IT strategy. E-mail access is overwhelmingly the dominant application and there is some caution about extending the application footprint of BYOD.
“Organisations often miss the fact that it is about managing mobile employees, not mobile devices,” said Ian Yip, Identity, Security & Governance Business Manager, for table sponsors NetIQ. “Organisations often start by focusing on securing devices and realise at a later stage they need to look for a solution that is focused on identity.”
“We have limited the scope of the implementation by design,” said New Hope's Chris Evans. His concern is regulatory: with every action of grant-supported companies scrutinised, the risk that a careless BYOD strategy could undermine the organisation's audit position is significant.
“If someone wants e-mail our answer is yes. We are trying to encourage the workforce to be more tech-savvy,” Evans said, but expanding simple access into broader application access is a more vexed question.
Stephen McCarthy agrees: “As soon as you get past e-mail, if the BYOD doesn't work, people will demand support from IT,” he said.
There's no consensus on the best way to approach mobile device management, but great dissatisfaction in what's currently on offer from vendors.
At one extreme, there's no support at all. Kathryn Priol, director of ICT at John Paul College in southern Brisbane, said students are free to bring their own machines, but the college only provides support for its own devices.
However, Max Network's Stephen McCarthy said in a business context, support is critical.
“Not supporting something is not tenable, because if someone can't do their work, it starts to escalate all through the company anyway. Someone who can't do their work quickly becomes a business problem. And IT ends up in the firing line anyway,” he said.
“There is no mobile device management solution that lets you say 'here is an app, now you can forget it',” New Hope Group's Chris Evans said, and the result is that device management falls back to the IT department, with little support from the outside.
At the other end, Moreton Bay Regional Council's Kim Johr said “Regarding mobile device management – we're happy to take care of that ourselves. We can do it better and with more granularity.”
Colin James, CTSO at Vodafone New Zealand, noted however that MDM “is only one part of the story. Securing the information is important—to have security controls on a document at the time of creation is important.”
While cloud services like Dropbox are offered up as solutions, James described it as a “nightmare”.
Is it secure?
Which naturally raises the question of security: can it be secure? It's a vexed issue, because so many vulnerabilities exist.
Yip suggests focusing on identifying and concentrating on understanding the flows of critical information. “Access to information should be controlled and be able to be tied back to individuals—and monitored at all times,” he says.
New Hope has a simple, if strict, approach for devices: if someone wants their own device to have access to the business, it comes with strings. When the employee leaves, the device is wiped.
“We wipe the whole device if the person resigns,” Evans said.
“We allow it, and we have set it up so that we can remotely blow the device away when a staff member leaves,” Evans added.
As a regulated entity—gaming being more regulated than practically anything except for healthcare and telecommunications—Tatts Group's Paul Bilic noted that “pushing board papers out to the executives is a security challenge.
“Policy and governance are playing catch-up,” he concluded.
Location, location, location
McCarthy also noted that for Max Network, BYOD brings challenges simply in maintaining access to networks. The BYOD debate has become generalised on the assumption that everybody lives and works in cities.
“Most of our people are in the regions, and communications either die or costs so much you can't use it,” he said. “In non-metro locations, latency, cost and performance can make mobility far less usable.”
“It's never the user's problem, it's a problem that costs the business,” he added.